lame-servers and network unreachable errors
Mark Andrews
marka at isc.org
Tue Mar 6 03:14:02 UTC 2012
The remote zones have IPv6 servers and named believes your machine
has IPv6 connectivity. It then attempts to connect to the remote
servers and gets back a network error saying that it can't reach
the remote machines.

The long term fix is to request IPv6 connectivity from your ISP.

Short term fixes include:

* configuring an IPv6 tunnel
* globally disabling IPv6 as a transport (named -4)
* using server clauses to selectively disable IPv6 as a
  transport.

	server ::/0 { bogus yes; };
	server fdxx:xxxx:xxxx::/48 { bogus no; };

In message <CAB1R3sj5c9hD+E2Zk=93694iZgpLVq8fGAyefT8OQT5p1DyLng at mail.gmail.com>, Alex writes:
> Hi,
>
> I have a fedora15 box with bind-9.8.2 running as master for one zone,
> and having some problems with lame-servers and "network unreachable"
> messages. I believe I understand what a lame-server is, but don't
> understand why there would also be a "network unreachable" message
> attached to it:
>
> 05-Mar-2012 21:10:54.733 lame-servers: info: error (network
> unreachable) resolving '82.8.193.122.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:2#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns1.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns2.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns1.iplanisp.com.ar/AAAA/IN':
> 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns2.iplanisp.com.ar/AAAA/IN':
> 2001:67c:e0::59#53
> 05-Mar-2012 21:11:59.446 lame-servers: info: error (network
> unreachable) resolving '73.113.26.69.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:1#53
> 05-Mar-2012 21:11:59.446 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN':
> 2a02:2278:70eb:199::196:43#53
> 05-Mar-2012 21:11:59.447 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN': 2a01:758:fffc:6::2#53
> 05-Mar-2012 21:11:59.447 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN':
> 2a01:4f8:100:22a6:188:40:253:34#53
> 05-Mar-2012 21:11:59.625 lame-servers: info: error (network
> unreachable) resolving '112.193.69.200.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:2#53
>
> I'm sorry if that isn't very legible. How can I troubleshoot this? It
> isn't every query, but quite a few queries are resulting in this
> unreachable error.
>
> I've included my named.conf below in hopes someone can point out a
> configuration issue. It contains one master zone; a local spam
> blacklist.
>
> controls {
>     inet 127.0.0.1 port 953
>     allow { 127.0.0.1; 68.XXX.YYY.45; } keys { "rndc-key"; };
> };
>
> acl "trusted" {
>     { 127/8; };
>     { 67.XXX.YYY.224/28; };
>     { 67.XXX.YYY.0/26; };
>     { 192.168.1.0/24; };
> };
>
> options {
>     listen-on port 53 { 127.0.0.1; 68.XXX.YYY.45; };
>     listen-on-v6 { none; };
>     // listen-on-v6 port 53 { ::1; };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named.stats";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     allow-query { localhost; 68.XXX.YYY.45/32; };
>     recursion yes;
>     zone-statistics yes;
>
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-lookaside auto;
>
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
>
>     managed-keys-directory "/var/named/dynamic";
>
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
>
>     // Record all queries to the box for now
>     channel query_info {
>         severity info;
>         file "/var/log/named.query.log" versions 3 size 10m;
>         print-time yes;
>         print-category yes;
>     };
>
>     // added for fail2ban support
>     channel security_file {
>         severity dynamic;
>         file "/var/log/named.security.log" versions 3 size 30m;
>         print-time yes;
>         print-category yes;
>     };
>
>     channel b_debug {
>         file "/var/log/named.debug.log" versions 2 size 10m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity dynamic;
>     };
>
>     category queries { query_info; };
>     category default { b_debug; };
>     category config { b_debug; };
>     category security { security_file; };
>
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> zone "sbl.example.com" {
>     type slave;
>     file "slaves/db.sbl.example.com";
>     masters { 64.XXX.YYY.5; };
>     allow-transfer { none; };
>     allow-query { trusted; };
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/etc/rndc.key";
>
> Thanks,
> Alex
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
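
Added example, not part of the original thread: a small Python check that unwraps lame-servers log entries of the kind quoted above and counts the "network unreachable" errors per remote server by IP version, to confirm that only IPv6 targets are affected before applying one of the short term fixes. The sample log is constructed (two entries copied from the quoted log, one made-up IPv4 entry); the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two entries in the format quoted in the thread (long
# lines wrapped as in the mail) plus one made-up IPv4 entry for contrast.
SAMPLE_LOG = """\
> 05-Mar-2012 21:10:54.733 lame-servers: info: error (network
> unreachable) resolving '82.8.193.122.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:2#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns1.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
> 05-Mar-2012 21:12:03.101 lame-servers: info: error (connection refused)
> resolving 'example.net/A/IN': 192.0.2.53#53
"""

RECORD_START = re.compile(r"\d{2}-[A-Za-z]{3}-\d{4} ")
ENTRY = re.compile(
    r"lame-servers: info: error \(([^)]+)\) resolving '([^']+)': (\S+)#\d+")

def unwrap(text):
    """Join wrapped (and optionally '>'-quoted) lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)      # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of a wrapped entry
    return records

def unreachable_by_family(text):
    """Count 'network unreachable' errors per remote server, by IP version."""
    counts = {4: Counter(), 6: Counter()}
    for record in unwrap(text):
        m = ENTRY.search(record)
        if m and m.group(1) == "network unreachable":
            addr = ipaddress.ip_address(m.group(3))
            counts[addr.version][str(addr)] += 1
    return counts

def diagnose(text):
    """'ipv6-only' means every unreachable target was an IPv6 address."""
    counts = unreachable_by_family(text)
    v4, v6 = sum(counts[4].values()), sum(counts[6].values())
    return "ipv6-only" if v6 and not v4 else "other" if v4 else "none"
```

A result of "ipv6-only" matches the situation described in the reply; "other" means IPv4 servers are also unreachable, which the IPv6 fixes would not address.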