Clients get DNS timeouts because ipv6 means more queries for each lookup
Jonathan Kamens
jik at kamens.us
Mon Jul 11 19:21:58 UTC 2011
On 7/11/2011 3:10 PM, Tony Finch wrote:
> Jonathan Kamens<jik at kamens.us> wrote:
>> I said above that the problem is exacerbated by the fact that many DNS servers
>> don't yet support IPV6 queries. This is because the AAAA queries don't get
>> NXDOMAIN responses, which would be cached, but rather FORMERR responses, which
>> are not cached. As a result, the scenario described above happens much more
>> frequently because the DNS server has to redo the AAAA queries often.
> Your upstream resolver is broken if it returns FORMERR responses to AAAA
> queries. The behaviour you describe is not normal.
There are people reporting all over the net that they're getting tons of
messages like this in their logs with recent BIND versions:
Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving
'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
I've got 397 of them in my logs for just the last 24 hours.
I'm aware that this means the upstream DNS server is broken; isn't that
what I said, i.e., that it isn't responding properly to AAAA queries?
The problem is that I have no control over the upstream resolver. All I
have control over is my own name server.
I am not the only one who is going to encounter this problem. I've found
several reports of it on the net with a minimal amount of searching. I
think something more general has to be done than giving me advice about
what to change in my named.conf. I appreciate the advice for how to fix
the problem for myself, but I think it needs to be fixed for everyone.
>
> Have a look at bind's filter-aaaa-on-v4 and deny-answer-addresses options
> which should allow you prevent applications from trying to use IPv6.
Neither of these options is documented in named.conf(5) or
resolv.conf(5). Is this a problem that is specific to the Fedora 15
versions of these man pages, or is the documentation distributed with
BIND out-of-date?
I tried to use the option and I get "is not configured" in my log when
named starts up and then "parsing failed," so I think my BIND must not
be compiled with --enable-filter-aaaa, right? That makes it difficult to
use this solution. Perhaps that's also why it isn't listed in the man page?
jik
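As an added example (not code from this message or from BIND), the following Python script parses resolver-error lines of the form quoted above and counts FORMERR answers to AAAA queries per upstream server within a time window, so the upstream producing the noise can be identified. The sample log lines are constructed; 192.0.2.53 is a placeholder address, and the year is supplied by the caller because syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the BIND resolver-error line quoted in the message, e.g.
#   Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
# Captures: syslog timestamp, error code, query name, record type, upstream server.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"error \((?P<err>\w+)\) resolving '(?P<qname>[^/]+)/(?P<qtype>\w+)/IN': "
    r"(?P<server>[0-9a-fA-F.:]+)#\d+$"
)

# Constructed sample log; only the first line is taken from the message.
SAMPLE_LOG = """\
Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
Jul 11 12:00:07 jik2 named[31354]: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
Jul 11 12:01:15 jik2 named[31354]: error (FORMERR) resolving 'example.net/AAAA/IN': 192.0.2.53#53
Jul 11 12:02:30 jik2 named[31354]: error (SERVFAIL) resolving 'example.org/A/IN': 192.0.2.53#53
Jul 10 09:00:00 jik2 named[31354]: error (FORMERR) resolving 'example.net/AAAA/IN': 192.0.2.53#53
Jul 11 12:03:00 jik2 named[31354]: client 127.0.0.1#5555: query: example.com IN A + (127.0.0.1)
"""

def parse_line(line, year=2011):
    """Return a dict for a resolver-error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies one (assumption).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def formerr_aaaa_by_server(lines, since, year=2011):
    """Count FORMERR answers to AAAA queries per upstream server at or after `since`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, year)
        if rec and rec["err"] == "FORMERR" and rec["qtype"] == "AAAA" and rec["ts"] >= since:
            counts[rec["server"]] += 1
    return counts

def sample_report():
    """Run the count over the constructed sample for the 24 hours starting Jul 11 2011."""
    return formerr_aaaa_by_server(SAMPLE_LOG.splitlines(), datetime(2011, 7, 11))

if __name__ == "__main__":
    for server, n in sample_report().most_common():
        print(f"{server}: {n} FORMERR answers to AAAA queries")
```

To run it against a real log, replace the sample with the lines of /var/log/messages (or wherever named logs on your system) and pass the window start you care about.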