Clients get DNS timeouts because ipv6 means more queries for each lookup

Jonathan Kamens jik at
Mon Jul 11 19:21:58 UTC 2011

On 7/11/2011 3:10 PM, Tony Finch wrote:
> Jonathan Kamens<jik at>  wrote:
>> I said above that the problem is exacerbated by the fact that many DNS servers
>> don't yet support IPV6 queries. This is because the AAAA queries don't get
>> NXDOMAIN responses, which would be cached, but rather FORMERR responses, which
>> are not cached. As a result, the scenario describes above happens much more
>> frequently because the DNS server has to redo the AAAA queries often.
> Your upstream resolver is broken if it returns FORMERR responses to AAAA
> queries. The behaviour you describe is not normal.
There are people reporting all over the net that they're getting tons of 
messages like this in their logs with recent BIND versions:

Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving 

I've got 397 of them in my logs for just the last 24 hours.

I'm aware that this means the upstream DNS server is broken; isn't what 
what I said, i.e., that it isn't responding properly to AAAA queries?

The problem is that I have no control over the upstream resolver. All I 
have control over is my own name server.

I am not the only one who is going to encounter this problem. I've found 
several reports of it on the net with a minimal amount of searching. I 
think something more general has to be done than giving me advice about 
what to change in my named.conf. I appreciate the advice for how to fix 
the problem for myself, but I think it needs to be fixed for everyone.
> Have a look at bind's filter-aaaa-on-v4 and deny-answer-addresses options
> which should allow you prevent applications from trying to use IPv6.
Neither of these options are documented in named.conf(5) or 
resolv.conf(5). Is this a problem that is specific to the Fedora 15 
versions of these man pages, or is the documentation distributed with 
BIND out-of-date?

I tried to use the option and I get "is not configured" in my log when 
named starts up and then "parsing failed," so I think my BIND must not 
be compiled with --enable-filter-aaaa, right? That makes it difficult to 
use this solution. Perhaps that's also why it isn't listed in the man page?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3920 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the bind-users mailing list