Clients get DNS timeouts because ipv6 means more queries for each lookup

Jonathan Kamens jik at kamens.us
Wed Jul 13 06:35:32 UTC 2011


On 07/13/2011 02:13 AM, Mark Andrews wrote:
> No.  The fix is to correct the nameservers.  They are not correctly
> following the DNS protocol and everything else is a fall out from
> that.
You're right that everything else is fallout from that.

But that doesn't do me much good, does it? It's my system that keeps 
getting bogus name resolution errors. It's my RSS feed reader that keeps 
failing on an hourly basis when the cached records for en.wikipedia.org 
expire. It's all very well and good to say that the Wikipedia folks and 
other people with this problem should fix their nameservers -- I totally 
agree with that -- but it doesn't help me solve my problem /now/.

I'm a real user in the real world with a real problem. Yelling at 
Wikipedia to fix their DNS servers may feel good, but it doesn't make my 
DNS work. As far as I and all the other users who are being impacted 
/now/ by this problem are concerned, it's just pissing into the wind.
>> Well, all the prodding from people here prompted me to investigate
>> further exactly what's going on. The problem isn't what I thought it
>> was. It appears to be a bug in glibc, and I've filed a bug report and
>> found a workaround.
> There is no bug in glibc.
To be blunt, that's bullshit.

If glibc makes an A query and an AAAA query, and it gets back a valid 
response to the A query and an invalid response to the AAAA query, then 
it should ignore the invalid response to the AAAA query and return the 
valid A response to the user as the IP address for the host.

Please note, furthermore, that as I explained in detail in my bug report 
and in my last message, glibc behaves differently based on the /order/ 
in which the two responses are returned by the DNS server. Since there's 
nothing that says a DNS server has to respond to two queries in the 
order in which they were received, and that would be an impossible 
requirement to impose in any case, since the queries and responses are 
sent via UDP which doesn't guarantee order, it's perfectly clear that 
glibc needs to be prepared to function the same regardless of the order 
in which it receives the responses.

What's more, there's plenty of code in the glibc files I spent hours 
poring over which is clearly an attempt to do exactly that. The people 
who wrote the code just got it wrong. Which isn't surprising, given how 
god-awful the code is.

This is not an either/or situation. The broken nameservers should be 
fixed, /and/ glibc should be fixed to properly handle the case of when 
it sends two queries and gets back one valid response and one server 
error in reverse order.
>> In a nutshell, the getaddrinfo function in glibc sends both A and AAAA
>> queries to the DNS server at the same time and then deals with the
>> responses as they come in. Unfortunately, if the responses to the two
>> queries come back in reverse order, /and/ the first one to come back is
>> a server failure, both of which are the case when you try to resolve
>> en.wikipedia.org immediately after restarting your DNS server so nothing
>> is cached, the glibc code screws up and decides it didn't get back a
>> successful response even though it did.
> There is *nothing* wrong with sending both queries at once.
I didn't say there was. You really don't seem to be paying very good 
attention.

Do you understand what the word /workaround/ means?
> Note your "fix" won't help clients that only ask for AAAA records
> because it is the authoritative servers that are broken, not the
> resolver library or the recursive server.
I am aware of that. It is irrelevant, because it is not the problem I am 
trying to solve. I, and 99.999999% of the users in the world, are /not/ 
"only ask[ing] for AAAA records." Nobody actually trying to use the 
internet for day-to-day work is doing that right now, because to say 
that IPv6 support is not yet ubiquitous would be a laughably momentous 
understatement.

You seem to have a really big chip on your shoulder about people who run 
broken DNS servers. I don't like them any more than you do. But I 
learned "Be generous in what you accept and conservative in what you 
generate" way back when I started playing with the Internet well over 
two decades ago. It holds up now as well as it did back then, and 
there's no good reason why it shouldn't apply in this case.

It's clear that this is a religious issue for you. I'm not here to 
debate religion, I'm here to get help making my DNS work, and to help 
other people, to whatever extent I can, make /their/ DNS work. If you 
continue to send religious screeds on this topic while making no effort 
to actually read and understand what I write, please do not expect me to 
respond further.

   Jonathan Kamens
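
The order-independent handling argued for in the message above, as an added example that is not part of the original post and is not glibc's code: it reads the RCODE and ANCOUNT from the two replies of a parallel A + AAAA lookup and returns the same result whichever reply arrives first. The function names, the result enum, the NOTFOUND/TRYAGAIN policy and the sample headers are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3 };
enum lookup { LOOKUP_OK, LOOKUP_NOTFOUND, LOOKUP_TRYAGAIN };

/* Constructed 12-byte DNS headers (RFC 1035 4.1.1), not captured traffic. */
static const uint8_t A_OK[12]       = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};
static const uint8_t AAAA_FAIL[12]  = {0x12,0x35, 0x81,0x82, 0,1, 0,0, 0,0, 0,0};
static const uint8_t AAAA_EMPTY[12] = {0x12,0x35, 0x81,0x80, 0,1, 0,0, 0,0, 0,0};

/* Parse one reply header: returns 1 if it is a response with RCODE 0 and
 * ANCOUNT > 0. *rcode is set to the RCODE, or -1 for a malformed packet. */
static int usable(const uint8_t *p, size_t n, int *rcode)
{
    *rcode = -1;
    if (p == NULL || n < 12 || !(p[2] & 0x80))   /* short, or QR bit clear */
        return 0;
    *rcode = p[3] & 0x0f;                        /* low 4 bits of the flags */
    unsigned ancount = ((unsigned)p[6] << 8) | p[7];
    return *rcode == RCODE_NOERROR && ancount > 0;
}

/* A definitive negative reply: NOERROR with no answers, or NXDOMAIN. */
static int negative(int rcode)
{
    return rcode == RCODE_NOERROR || rcode == RCODE_NXDOMAIN;
}

/* Merge both replies. Symmetric in its arguments, so arrival order over
 * UDP cannot change the outcome (assumed policy, see lead-in). */
enum lookup merge_replies(const uint8_t *r1, size_t n1,
                          const uint8_t *r2, size_t n2)
{
    int rc1, rc2;
    int ok1 = usable(r1, n1, &rc1);
    int ok2 = usable(r2, n2, &rc2);
    if (ok1 || ok2)
        return LOOKUP_OK;            /* one family answered: use it */
    if (negative(rc1) && negative(rc2))
        return LOOKUP_NOTFOUND;      /* both families definitively empty */
    return LOOKUP_TRYAGAIN;          /* only errors: transient failure */
}

int main(void)
{
    printf("%d %d %d\n", merge_replies(A_OK, 12, AAAA_FAIL, 12),
           merge_replies(AAAA_FAIL, 12, A_OK, 12),
           merge_replies(AAAA_EMPTY, 12, AAAA_EMPTY, 12));
    return 0;
}
```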
