Clients get DNS timeouts because ipv6 means more queries for each lookup
Jonathan Kamens
jik at kamens.us
Wed Jul 13 06:35:32 UTC 2011
On 07/13/2011 02:13 AM, Mark Andrews wrote:
> No. The fix is to correct the nameservers. They are not correctly
> following the DNS protocol and everything else is a fall out from
> that.
You're right that everything else is fallout from that.
But that doesn't do me much good, does it? It's my system that keeps
getting bogus name resolution errors. It's my RSS feed reader that keeps
failing on an hourly basis when the cached records for en.wikipedia.org
expire. It's all very well and good to say that the Wikipedia folks and
other people with this problem should fix their nameservers -- I totally
agree with that -- but it doesn't help me solve my problem /now/.
I'm a real user in the real world with a real problem. Yelling at
Wikipedia to fix their DNS servers may feel good, but it doesn't make my
DNS work. As far as I and all the other users who are being impacted
/now/ by this problem are concerned, it's just pissing into the wind.
>> Well, all the prodding from people here prompted me to investigate
>> further exactly what's going on. The problem isn't what I thought it
>> was. It appears to be a bug in glibc, and I've filed a bug report and
>> found a workaround.
> There is no bug in glibc.
To be blunt, that's bullshit.
If glibc makes an A query and an AAAA query, and it gets back a valid
response to the A query and an invalid response to the AAAA query, then
it should ignore the invalid response to the AAAA query and return the
valid A response to the user as the IP address for the host.
Please note, furthermore, that as I explained in detail in my bug report
and in my last message, glibc behaves differently based on the /order/
in which the two responses are returned by the DNS server. Since there's
nothing that says a DNS server has to respond to two queries in the
order in which they were received, and that would be an impossible
requirement to impose in any case, since the queries and responses are
sent via UDP which doesn't guarantee order, it's perfectly clear that
glibc needs to be prepared to function the same regardless of the order
in which it receives the responses.
What's more, there's plenty of code in the glibc files I spent hours
poring over which is clearly an attempt to do exactly that. The people
who wrote the code just got it wrong. Which isn't surprising, given how
god-awful the code is.
This is not an either/or situation. The broken nameservers should be
fixed, /and/ glibc should be fixed to properly handle the case of when
it sends two queries and gets back one valid response and one server
error in reverse order.
>> In a nutshell, the getaddrinfo function in glibc sends both A and AAAA
>> queries to the DNS server at the same time and then deals with the
>> responses as they come in. Unfortunately, if the responses to the two
>> queries come back in reverse order, /and/ the first one to come back is
>> a server failure, both of which are the case when you try to resolve
>> en.wikipedia.org immediately after restarting your DNS server so nothing
>> is cached, the glibc code screws up and decides it didn't get back a
>> successful response even though it did.
> There is *nothing* wrong with sending both queries at once.
I didn't say there was. You really don't seem to be paying very good
attention.
Do you understand what the word /workaround/ means?
> Note your "fix" won't help clients that only ask for AAAA records
> because it is the authoritative servers that are broken, not the
> resolver library or the recursive server.
I am aware of that. It is irrelevant, because it is not the problem I am
trying to solve. I, and 99.999999% of the users in the world, are /not/
"only ask[ing] for AAAA records." Nobody actually trying to use the
internet for day-to-day work is doing that right now, because to say
that IPv6 support is not yet ubiquitous would be a laughably momentous
understatement.
You seem to have a really big chip on your shoulder about people who run
broken DNS servers. I don't like them any more than you do. But I
learned "Be generous in what you accept and conservative in what you
generate" way back when I started playing with the Internet well over
two decades ago. It holds up now as well as it did back then, and
there's no good reason why it shouldn't apply in this case.
It's clear that this is a religious issue for you. I'm not here to
debate religion, I'm here to get help making my DNS work, and to help
other people, to whatever extent I can, make /their/ DNS work. If you
continue to send religious screeds on this topic while making no effort
to actually read and understand what I write, please do not expect me to
respond further.
Jonathan Kamens
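
An added illustration of the order-independent handling argued for in the message above; it is not glibc code and not part of the original post. Each reply is folded into flags and the decision is made only after all replies are in, so the outcome cannot depend on whether the A or the AAAA reply arrives first. The struct, enum and function names are hypothetical, and the sample replies are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* RCODE and QTYPE numbers from RFC 1035 / RFC 3596. */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3 };
enum { QTYPE_A = 1, QTYPE_AAAA = 28 };

/* Hypothetical, simplified view of one parsed reply (not a glibc type). */
struct reply { int qtype; int rcode; int n_answers; };

enum status { LOOKUP_OK, LOOKUP_NOTFOUND, LOOKUP_TRYAGAIN };

/* State is a set of flags only, so folding replies is commutative. */
struct lookup { int have_a, have_aaaa, failed; };

static void fold_reply(struct lookup *l, const struct reply *r)
{
    if (r->qtype != QTYPE_A && r->qtype != QTYPE_AAAA)
        return;                          /* not one of our two queries */
    if (r->rcode == RCODE_NOERROR && r->n_answers > 0) {
        if (r->qtype == QTYPE_A) l->have_a = 1;
        else l->have_aaaa = 1;
    } else if (r->rcode != RCODE_NXDOMAIN && r->rcode != RCODE_NOERROR) {
        l->failed = 1;                   /* SERVFAIL and other errors */
    }
    /* NXDOMAIN or an empty NOERROR answer adds nothing and hides nothing. */
}

/* Fold replies in arrival order; decide only after all are folded in. */
enum status resolve(const struct reply *replies, size_t n)
{
    struct lookup l = {0, 0, 0};
    for (size_t i = 0; i < n; i++)
        fold_reply(&l, &replies[i]);
    if (l.have_a || l.have_aaaa)
        return LOOKUP_OK;                /* one usable family is enough */
    return l.failed ? LOOKUP_TRYAGAIN : LOOKUP_NOTFOUND;
}

int main(void)
{
    /* Constructed sample: AAAA SERVFAIL arrives before the valid A reply. */
    struct reply sample[] = {
        {QTYPE_AAAA, RCODE_SERVFAIL, 0},
        {QTYPE_A, RCODE_NOERROR, 1},
    };
    printf("status=%d\n", resolve(sample, 2));
    return 0;
}
```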