On Wed, Mar 2, 2016 at 7:08 AM, Tony Finch <d...@dotat.at> wrote: > James Ralston <rals...@pobox.com> wrote: > > > We're running a recursive resolver on RHEL6, using the latest > > RHEL-provided BIND package, bind-9.8.2-0.37.rc1.el6_7.6. The > > recursive resolver only has an IPv4 interface; it does not have an > > IPv6 interface. DNSSEC is enabled (by default). > > Dunno why BIND is failing to find the A records, but have you tried > running named -4?
Yes. It doesn't change anything. BIND already knows that there is no usable IPv6 interface on the system. That's why it returns SERVFAIL when it gets into the state where it thinks the nameservers for hhs.gov are only reachable via IPv6. Disabling IPv6—either at the OS level, in BIND, or both—won't prevent BIND from fetching AAAA records when it performs recursive resolution. And when the cache contains only the AAAA records (instead of the A records), BIND can no longer resolve any hhs.gov records. The frustrating thing is that I can see from the ngrep capture that BIND *does* attempt to refresh the cached A records of the nameservers. I don't see anything obviously wrong with that exchange. But BIND seemingly ignores the answers that contain the A records. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users