IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread wiskbroom

Hello;

I have two DMZ BIND/DNS servers running whose purpose is to allow lookups via 
them from my otherwise incapable internal network.

I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1. 
Both servers are running Sparc/Solaris 9.

Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed 
lookups for .gov sites, I found that the server was now attempting to resolve 
using IPv6 style addresses.  I am not able to find any such attempts in the 
past at all from either server (See messages from BIND 9.5.1-P1 server below).

I've installed a newer db.root file by running dig, then saving the output to 
db.root.  The newer file contained IPv6 style entries, which I've manually 
removed (at about the same time the attempts ceased).

I've also tried to force any attempts at using IPv6 and what appear to be 
issues resolving .gov domains in my named.conf like this:

options {
edns-udp-size 512;
max-udp-size  512;
listen-on-v6 { none; };
};

logging {
category lame-servers {null;};
category edns-disabled {null;};
};


The issues that I was seeing with .gov sites resulted in this type of error in 
my logfile:

Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts 
resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS


Any help would be greatly appreciated. Am I missing something obvious, or 
perhaps do I need to add something else to my configs?


Thank you,


.vp


Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable 
resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53

Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable 
resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53

Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable 
resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread Doug Barton
wiskbr...@hotmail.com wrote:
> Hello;
>
> I have two DMZ BIND/DNS servers running whose purpose is to allow
> lookups via them from my otherwise incapable internal network.
>
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND
> 9.5.1-P1. Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to
> resolve failed lookups for .gov sites, I found that the server was
> now attempting to resolve using IPv6 style addresses.  I am not
> able to find any such attempts in the past at all from either
> server (See messages from BIND 9.5.1-P1 server below).
>
> I've installed a newer db.root file by running dig then saving the
> output to db.root.  The newer file contained IPv6 style entries,
> which I've manually removed (about the same time attempts ceased)

This isn't going to make a difference. Even if the root server
addresses were not already in the named binary, the first thing a
resolving name server does when it starts up is to get an updated copy
of the information from the root servers themselves.

> I've also tried to force any attempts at using IPv6 and what appear
> to be issues resolving .gov domains in my named.conf like this:
>
> options {
> edns-udp-size 512;
> max-udp-size  512;

Those two options are not good. EDNS exists for a reason.

> listen-on-v6 { none; };
> };

That's not going to do what you want. You want to start named with the
-4 option. (Although a better option would be to get working IPv6.) :)

> logging {
> category lame-servers {null;};
> category edns-disabled {null;};
> };
>
>
> The issues that I was seeing with .gov sites resulted in this type
> of error in my logfile:
>
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many
> timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling
> EDNS

This problem isn't caused by IPv6, fdic.gov has no name servers with
IPv6 addresses. This looks more like a firewall problem on your end.

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53

This is odd. The IP address listed is for f-root. That adns1 name
server does have an IPv6 address, but for some reason that address is
not listed in the root zone file (currently).

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53

Same here.

Doug
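Doug's point that "EDNS exists for a reason" is easier to see on the wire. The following is an added example written for this page, not code from the thread or from BIND: it builds a minimal A query with and without an EDNS0 OPT record and reads back the UDP payload size the query advertises, which is the value that named's edns-udp-size option controls. The query name www.fdic.gov is only a constructed sample taken from the log line above; nothing is sent over the network.

```python
"""Build a DNS query with and without an EDNS0 OPT record and read back the
advertised UDP payload size.

Added example for this page, not code from the bind-users thread or from BIND.
It shows what edns-udp-size changes on the wire: the 16-bit "UDP payload size"
carried in the CLASS field of the OPT pseudo-RR (RFC 6891). A query with no OPT
record at all tells the responder it may only assume the classic 512-byte limit,
so anything larger has to come back truncated (TC=1) and be retried over TCP.
The query name www.fdic.gov is only a constructed sample; nothing is sent.
"""
import struct
from typing import Optional

QTYPE_A = 1
CLASS_IN = 1
TYPE_OPT = 41
FLAG_RD = 0x0100
FLAG_TC = 0x0200


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, edns_udp_size: Optional[int] = 4096, txid: int = 0x1234) -> bytes:
    """Return a wire-format A query; edns_udp_size=None omits the OPT record entirely."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    if edns_udp_size is None:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, CLASS=sender's UDP payload size,
    # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past the name starting at pos (handles compression pointers)."""
    while True:
        ln = buf[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:
            return pos + 2  # a pointer is two bytes and always ends the name
        pos += 1 + ln


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size the sender of msg advertises; 512 if there is no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_OPT:
            return rclass
        pos += rdlen
    return 512


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set, i.e. the answer did not fit the advertised size."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    for size in (4096, 512, None):
        q = build_query("www.fdic.gov", edns_udp_size=size)
        print(f"edns_udp_size={size!s:>5}: {len(q):2d} bytes on the wire, "
              f"responder may send up to {advertised_udp_size(q)} bytes over UDP")
```

Setting edns-udp-size 512 does not switch EDNS off; it only shrinks the number in that CLASS field, so a middlebox that drops the OPT record or any UDP datagram over 512 bytes still has to be found and fixed. The useful diagnostic is to watch for TC=1 answers or retries when the advertised size is large and their absence when it is 512.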


RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread Gregory Hicks

> From: wiskbr...@hotmail.com
> To: do...@dougbarton.us
> Subject: RE: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses
> Date: Fri, 23 Jan 2009 15:24:55 -0500
> Cc: bind-users@lists.isc.org
>
> [...]
>
> By the way, what would cause a DNS server to fragment packets or send
> out of order? Aren't the packets typically small enough to fit within
> the typical 1500 imposed size?

512 bytes for UDP.

 
> > Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> > unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
> >
> > This is odd. The IP address listed is for f-root. That adns1 name
> > server does have an IPv6 address, but for some reason that address is
> > not listed in the root zone file (currently).
> >
> > Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> > unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
> >
> > Same here.
> >
> > Doug

-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

The best we can hope for concerning the people at large is that they
be properly armed. --Alexander Hamilton



Re: IPv6 Lookups on BIND 9.5.1-P1 and .GOV Addresses

2009-01-23 Thread Mark Andrews

In message bay133-w4474fd4aa8331c2dc6bee1b4...@phx.gbl, wiskbr...@hotmail.com writes:
 
> Hello;
>
> I have two DMZ BIND/DNS servers running whose purpose is to allow lookups
> via them from my otherwise incapable internal network.
>
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND 9.5.1-P1.
> Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to resolve failed
> lookups for .gov sites, I found that the server was now attempting to resolve
> using IPv6 style addresses.  I am not able to find any such attempts in the
> past at all from either server (See messages from BIND 9.5.1-P1 server below).

It always was.  Named now uses connected UDP sockets so the
error codes make it back from the kernel.
 
> I've installed a newer db.root file by running dig then saving the output to
> db.root.  The newer file contained IPv6 style entries, which I've manually
> removed (about the same time attempts ceased)
>
> I've also tried to force any attempts at using IPv6 and what appear to be
> issues resolving .gov domains in my named.conf like this:

To disable the use of IPv6 use named -4.  I would however
recommend that you get yourself IPv6 connectivity instead.
 
> options {
> edns-udp-size 512;
> max-udp-size  512;

Unless you have a firewall or NAT that has trouble with
EDNS packets of particular sizes you should not need to set
these.  If you do need to set these then you really should
look at replacing/reconfiguring the offending box.

> listen-on-v6 { none; };
> };
>
> logging {
> category lame-servers {null;};
> category edns-disabled {null;};
> };
>
>
> The issues that I was seeing with .gov sites resulted in this type of error
> in my logfile:
>
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts
> resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
 
The problem here is too many timeouts.  This may or may
not be related to EDNS.

> Any help would be greatly appreciated, am I missing something obvious, or
> perhaps I need to add something else into my configs?
>
> Thank you,
>
>
> .vp
>
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
>
> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable
> resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53

Which are perfectly understandable if you don't have IPv6
connectivity.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
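Both replies in the thread separate the two log messages into different problems: "network unreachable" towards an IPv6 address is the kernel reporting a missing IPv6 route (now visible because named uses connected UDP sockets), while "too many timeouts ... disabling EDNS" is plain packet loss that IPv6 has nothing to do with. The script below is an added example for this page, not code from the thread or from BIND; it applies that triage to the log format quoted above. The sample log embeds the four lines posted in the thread plus one constructed IPv4 "network unreachable" line to show the case that does deserve attention.

```python
"""Triage BIND resolver log lines of the kind quoted in the thread.

Added example, not from the bind-users thread or from BIND. It separates
"network unreachable" events by address family (an IPv6 target on a host
with no IPv6 route is expected noise; named -4 or real IPv6 connectivity
fixes it) from "too many timeouts ... disabling EDNS" events, which are
a reachability or filtering problem that has nothing to do with IPv6.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the four lines quoted in the thread plus one made-up
# IPv4 line (192.0.2.1 is documentation space) to show the non-noise case.
SAMPLE_LOG = """\
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU//IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'indom80.indomco.hk/A/IN': 2001:dc0:1:0:4777::140#53
Jan 22 16:05:09 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'example.test/A/IN': 192.0.2.1#53
"""

UNREACHABLE_RE = re.compile(
    r"network unreachable resolving '(?P<q>[^']*)':\s*(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)
EDNS_RE = re.compile(r"too many timeouts resolving '(?P<q>[^']*)'.*disabling EDNS")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Describe one log line, or return None for lines this triage ignores."""
    m = UNREACHABLE_RE.search(line)
    if m:
        addr = ipaddress.ip_address(m.group("addr"))
        family = "ipv6" if addr.version == 6 else "ipv4"
        if family == "ipv6":
            # Expected on a v4-only host: the kernel has no IPv6 route to hand
            # the datagram to. Silence it with named -4 or deploy IPv6.
            verdict = "expected without IPv6 connectivity; start named with -4"
        else:
            # An unreachable IPv4 target is a real routing/firewall problem.
            verdict = "IPv4 routing or firewall problem; investigate"
        return {"kind": "unreachable", "query": m.group("q"),
                "target": str(addr), "family": family, "verdict": verdict}
    m = EDNS_RE.search(line)
    if m:
        return {"kind": "edns_fallback", "query": m.group("q"), "target": "",
                "family": "",
                "verdict": "timeouts, not IPv6; check reachability and whether "
                           "EDNS/UDP datagrams over 512 bytes pass the firewall"}
    return None


def triage(log: str) -> List[Dict[str, str]]:
    """Classify every line of a log blob, dropping lines that match nothing."""
    return [ev for ev in (classify(line) for line in log.splitlines()) if ev]


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per kind/family so a glance shows what dominates the log."""
    return dict(Counter(f"{e['kind']}/{e['family']}".rstrip("/") for e in events))


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(f"{e['kind']:<14} {e['query']:<28} {e['target']:<24} {e['verdict']}")
    print(summarize(evs))
```

Run against a real named log the summary makes the decision obvious: if every "unreachable" entry is IPv6 and the host has no IPv6 uplink, start named with -4 and move on; any IPv4 entries, and all "disabling EDNS" entries, point at the path to the authoritative servers and belong with the firewall team.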