IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
Hello;

I have two DMZ BIND/DNS servers running whose purpose is to allow lookups via them from my otherwise incapable internal network. I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1. Both servers are running Sparc/Solaris 9.

Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed lookups for .gov sites, I found that the server was now attempting to resolve using IPv6 style addresses. I am not able to find any such attempts in the past at all from either server (see messages from the BIND 9.5.1-P1 server below).

I've installed a newer db.root file by running dig then saving the output to db.root. The newer file contained IPv6 style entries, which I've manually removed (about the same time attempts ceased). I've also tried to force any attempts at using IPv6 and what appear to be issues resolving .gov domains in my named.conf like this:

    options {
        edns-udp-size 512;
        max-udp-size 512;
        listen-on-v6 { none; };
    };

    logging {
        category lame-servers { null; };
        category edns-disabled { null; };
    };

The issues that I was seeing with .gov sites resulted in this type of error in my logfile:

    Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS

Any help would be greatly appreciated; am I missing something obvious, or perhaps I need to add something else into my configs?

Thank you,
.vp

    Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
    Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
    Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
wiskbr...@hotmail.com wrote:

> Hello; I have two DMZ BIND/DNS servers running whose purpose is to allow lookups via them from my otherwise incapable internal network. I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1. Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed lookups for .gov sites, I found that the server was now attempting to resolve using IPv6 style addresses. I am not able to find any such attempts in the past at all from either server (see messages from the BIND 9.5.1-P1 server below).
>
> I've installed a newer db.root file by running dig then saving the output to db.root. The newer file contained IPv6 style entries, which I've manually removed (about the same time attempts ceased).

This isn't going to make a difference. Even if the root server addresses were not already in the named binary, the first thing a resolving name server does when it starts up is to get an updated copy of the information from the root servers themselves.

> I've also tried to force any attempts at using IPv6 and what appear to be issues resolving .gov domains in my named.conf like this:
>
>     options {
>         edns-udp-size 512;
>         max-udp-size 512;

Those two options are not good. EDNS exists for a reason.

>         listen-on-v6 { none; };
>     };

That's not going to do what you want. You want to start named with the -4 option. (Although a better option would be to get working IPv6.) :)

>     logging {
>         category lame-servers { null; };
>         category edns-disabled { null; };
>     };
>
> The issues that I was seeing with .gov sites resulted in this type of error in my logfile:
>
>     Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS

This problem isn't caused by IPv6; fdic.gov has no name servers with IPv6 addresses. This looks more like a firewall problem on your end.

>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53

This is odd. The IP address listed is for f-root. That adns1 name server does have an IPv6 address, but for some reason that address is not listed in the root zone file (currently).

>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53

Same here.

Doug
RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
From: wiskbr...@hotmail.com
To: do...@dougbarton.us
Subject: RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
Date: Fri, 23 Jan 2009 15:24:55 -0500
Cc: bind-users@lists.isc.org

[...]

By the way, what would cause a DNS server to fragment packets or send out of order? Aren't the packets typically small enough to fit within the typical 1500 imposed size? 512 bytes for UDP..

>>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
>
> This is odd. The IP address listed is for f-root. That adns1 name server does have an IPv6 address, but for some reason that address is not listed in the root zone file (currently).
>
>>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
>
> Same here.
>
> Doug

- Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928
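The 512-byte figure in the question above is the pre-EDNS UDP ceiling from RFC 1035; what `edns-udp-size` in the quoted named.conf changes is the payload size advertised in the EDNS0 OPT record, so setting it to 512 tells every peer to behave as if EDNS were absent. The following is an added example, not code from the thread or from BIND: it builds a DNS query with an OPT record and reads the advertised size back out of the wire bytes. The query name and transaction ID are constructed values.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload ceiling when no OPT RR is present

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, udp_payload_size=None, txid=0x1234):
    """Build a recursive query; add an OPT RR advertising udp_payload_size if given.
    txid is a constructed value; a real resolver picks it at random."""
    arcount = 1 if udp_payload_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS=IN
    if udp_payload_size is not None:
        # OPT RR: root name, TYPE=41, CLASS field carries the advertised UDP payload
        # size, TTL field carries extended RCODE/version/flags (zero here), RDLEN=0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def advertised_payload_size(msg):
    """Return the UDP payload size from the OPT RR, or None when the message has no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None

def max_udp_response(msg):
    """Largest UDP response the sender of msg has said it can accept."""
    size = advertised_payload_size(msg)
    return CLASSIC_UDP_LIMIT if size is None else size

if __name__ == "__main__":
    for size in (None, 512, 4096):
        q = build_query("www.fdic.gov", udp_payload_size=size)
        print(f"edns={size!s:5} wire={len(q)} bytes, peer may send up to {max_udp_response(q)}")
```

Advertising 4096 is what lets a resolver receive large (for example DNSSEC-signed) answers over UDP; it is also the case in which a middlebox that drops DNS packets over 512 bytes turns into the timeouts seen in the logs.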
Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
In message bay133-w4474fd4aa8331c2dc6bee1b4...@phx.gbl, wiskbr...@hotmail.com writes:

> Hello; I have two DMZ BIND/DNS servers running whose purpose is to allow lookups via them from my otherwise incapable internal network. I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1. Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed lookups for .gov sites, I found that the server was now attempting to resolve using IPv6 style addresses. I am not able to find any such attempts in the past at all from either server (see messages from the BIND 9.5.1-P1 server below).

It always was. Named now uses connected UDP sockets so the error codes make it back from the kernel.

> I've installed a newer db.root file by running dig then saving the output to db.root. The newer file contained IPv6 style entries, which I've manually removed (about the same time attempts ceased).
>
> I've also tried to force any attempts at using IPv6 and what appear to be issues resolving .gov domains in my named.conf like this:

To disable the use of IPv6 use named -4. I would however recommend that you get yourself IPv6 connectivity instead.

>     options {
>         edns-udp-size 512;
>         max-udp-size 512;

Unless you have a firewall or NAT that has trouble with EDNS packets of particular sizes you should not need to set these. If you do need to set these then you really should look at replacing/reconfiguring the offending box.

>         listen-on-v6 { none; };
>     };
>
>     logging {
>         category lame-servers { null; };
>         category edns-disabled { null; };
>     };
>
> The issues that I was seeing with .gov sites resulted in this type of error in my logfile:
>
>     Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS

The problem here is too many timeouts. This may or may not be related to EDNS.

> Any help would be greatly appreciated; am I missing something obvious, or perhaps I need to add something else into my configs?
>
> Thank you,
> .vp
>
>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
>     Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

Which are perfectly understandable if you don't have IPv6 connectivity.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: mark_andr...@isc.org
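The replies above separate two different faults in the same logfile: `network unreachable` toward IPv6 transport addresses (no IPv6 connectivity, answered by `named -4` or by getting IPv6 working) and `too many timeouts ... disabling EDNS` (a path that drops or mangles larger DNS packets). As an added example that is not part of the thread, the script below runs that triage over the quoted log excerpt; the two message formats it matches are exactly the ones shown in this thread, and the sample text is constructed from those excerpts.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, assembled from the log lines quoted in this thread.
SAMPLE_LOG = """\
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53
"""

# The address may follow the colon with or without a space (both forms appear in the log).
UNREACH = re.compile(r"network unreachable resolving '(?P<q>[^']*)':\s*(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)")
EDNS_OFF = re.compile(r"too many timeouts resolving '(?P<q>[^']*)'.*: disabling EDNS")

def classify_line(line):
    """Map one named log line to an event dict, or None if it is not one of the two patterns."""
    m = UNREACH.search(line)
    if m:
        version = ipaddress.ip_address(m["addr"]).version   # 4 or 6
        return {"kind": f"ipv{version}_unreachable", "query": m["q"], "server": m["addr"]}
    m = EDNS_OFF.search(line)
    if m:
        return {"kind": "edns_disabled", "query": m["q"], "server": None}
    return None

def summarize(log_text):
    """Count events by kind and collect the IPv6 servers and EDNS-affected queries involved."""
    events = [e for e in (classify_line(l) for l in log_text.splitlines()) if e]
    return {
        "counts": dict(Counter(e["kind"] for e in events)),
        "ipv6_servers": sorted({e["server"] for e in events if e["kind"] == "ipv6_unreachable"}),
        "edns_disabled_queries": sorted({e["query"] for e in events if e["kind"] == "edns_disabled"}),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["counts"])
    if report["ipv6_servers"] and "ipv4_unreachable" not in report["counts"]:
        print("only IPv6 transport is unreachable: run named -4 or provide IPv6 connectivity")
    if report["edns_disabled_queries"]:
        print("EDNS fallbacks seen; check the firewall/NAT path for these zones:",
              ", ".join(report["edns_disabled_queries"]))
```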