lame-servers and network unreachable errors

Mark Andrews marka at isc.org
Tue Mar 6 03:14:02 UTC 2012


The remote zones have IPv6 servers and named believes your machine
has IPv6 connectivity.  It then attempts to connect to the remote
servers and gets back a network error saying that it can't reach
the remote machines.

The long term fix is to request IPv6 connectivity from your ISP.
Short term fixes include:
	* configuring an IPv6 tunnel
	* globally disabling IPv6 as a transport (named -4)
	* using server clauses to selectively disable IPv6 as a
	  transport.
	  server ::/0 { bogus yes; };
	  server fdxx:xxxx:xxxx::/48 { bogus no; };



In message <CAB1R3sj5c9hD+E2Zk=93694iZgpLVq8fGAyefT8OQT5p1DyLng at mail.gmail.com>, Alex writes:
> Hi,
> 
> I have a fedora15 box with bind-9.8.2 running as master for one zone,
> and having some problems with lame-servers and "network unreachable"
> messages. I believe I understand what a lame-server is, but don't
> understand why there would also be a "network unreachable" message
> attached to it:
> 
> 05-Mar-2012 21:10:54.733 lame-servers: info: error (network
> unreachable) resolving '82.8.193.122.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:2#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns1.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns2.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns1.iplanisp.com.ar/AAAA/IN':
> 2001:67c:e0::59#53
> 05-Mar-2012 21:11:58.640 lame-servers: info: error (network
> unreachable) resolving 'dns2.iplanisp.com.ar/AAAA/IN':
> 2001:67c:e0::59#53
> 05-Mar-2012 21:11:59.446 lame-servers: info: error (network
> unreachable) resolving '73.113.26.69.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:1#53
> 05-Mar-2012 21:11:59.446 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN':
> 2a02:2278:70eb:199::196:43#53
> 05-Mar-2012 21:11:59.447 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN': 2a01:758:fffc:6::2#53
> 05-Mar-2012 21:11:59.447 lame-servers: info: error (network
> unreachable) resolving 'ns1.mirohost.net/A/IN':
> 2a01:4f8:100:22a6:188:40:253:34#53
> 05-Mar-2012 21:11:59.625 lame-servers: info: error (network
> unreachable) resolving '112.193.69.200.zen.spamhaus.org/A/IN':
> 2001:7b8:3:1f:0:2:53:2#53
> 
> I'm sorry if that isn't very legible. How can I troubleshoot this? It
> isn't every query, but quite a few queries are resulting in this
> unreachable error.
> 
> I've included my named.conf below in hopes someone can point out a
> configuration issue. It contains one master zone; a local spam
> blacklist.
> 
> controls {
>        inet 127.0.0.1 port 953
>                allow { 127.0.0.1; 68.XXX.YYY.45; } keys { "rndc-key"; };
> };
> 
> acl "trusted" {
>         { 127/8; };
>         { 67.XXX.YYY.224/28; };
>         { 67.XXX.YYY.0/26; };
>         { 192.168.1.0/24; };
> };
> 
> options {
> 	listen-on port 53 { 127.0.0.1; 68.XXX.YYY.45; };
> 	listen-on-v6 { none; };
> 	// listen-on-v6 port 53 { ::1; };
> 	directory 	"/var/named";
> 	dump-file 	"/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named.stats";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
> 	allow-query     { localhost; 68.XXX.YYY.45/32; };
> 	recursion yes;
> 	zone-statistics yes;
> 
> 	dnssec-enable yes;
> 	dnssec-validation yes;
> 	dnssec-lookaside auto;
> 
> 	/* Path to ISC DLV key */
> 	bindkeys-file "/etc/named.iscdlv.key";
> 
> 	managed-keys-directory "/var/named/dynamic";
> 
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> 
>         // Record all queries to the box for now
>         channel query_info {
>            severity info;
>            file "/var/log/named.query.log" versions 3 size 10m;
>            print-time yes;
>            print-category yes;
>          };
> 
> 	// added for fail2ban support
> 	channel security_file {
> 	   severity dynamic;
> 	   file "/var/log/named.security.log" versions 3 size 30m;
> 	   print-time yes;
> 	   print-category yes;
> 	};
> 
> 	channel b_debug {
> 		file "/var/log/named.debug.log" versions 2 size 10m;
> 		print-time yes;
> 		print-category yes;
> 		print-severity yes;
> 		severity dynamic;
>         };
> 
>         category queries { query_info; };
>         category default { b_debug; };
>         category config { b_debug; };
> 	category security { security_file; };
> 
> };
> 
> zone "." IN {
> 	type hint;
> 	file "named.ca";
> };
> 
> zone "sbl.example.com" {
>         type slave;
>         file "slaves/db.sbl.example.com";
>         masters { 64.XXX.YYY.5; };
>         allow-transfer { none; };
>         allow-query { trusted; };
> };
> 
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/etc/rndc.key";
> 
> Thanks,
> Alex
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
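
An added example, not part of the original message and not ISC code: a Python check that groups lame-servers errors by the address family of the remote server. If every "network unreachable" entry targets an IPv6 address, the log fits the diagnosis in the reply above. The sample lines are taken from the quoted post and unwrapped to one entry per line; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Log lines from the quoted post, unwrapped to one entry per line.
SAMPLE_LOG = """\
05-Mar-2012 21:10:54.733 lame-servers: info: error (network unreachable) resolving '82.8.193.122.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:2#53
05-Mar-2012 21:11:58.640 lame-servers: info: error (network unreachable) resolving 'dns1.iplanisp.com.ar/A/IN': 2001:67c:e0::59#53
05-Mar-2012 21:11:59.446 lame-servers: info: error (network unreachable) resolving 'ns1.mirohost.net/A/IN': 2a02:2278:70eb:199::196:43#53
05-Mar-2012 21:11:59.447 lame-servers: info: error (network unreachable) resolving 'ns1.mirohost.net/A/IN': 2a01:758:fffc:6::2#53
"""

LINE_RE = re.compile(
    r"lame-servers: info: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

def summarize(log_text):
    """Count resolver errors by (reason, address family) and collect servers."""
    by_family = Counter()
    servers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a lame-servers error entry
        try:
            addr = ipaddress.ip_address(m.group("server"))
        except ValueError:
            continue  # malformed or truncated address, skip it
        key = (m.group("reason"), "IPv%d" % addr.version)
        by_family[key] += 1
        servers[key].add(str(addr))
    return by_family, servers

def ipv6_only_unreachable(log_text):
    """True when every 'network unreachable' error targets an IPv6 server."""
    by_family, _ = summarize(log_text)
    v6 = by_family[("network unreachable", "IPv6")]
    v4 = by_family[("network unreachable", "IPv4")]
    return v6 > 0 and v4 == 0

if __name__ == "__main__":
    counts, servers = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n, sorted(servers[key]))
    print("IPv6-only failure pattern:", ipv6_only_unreachable(SAMPLE_LOG))
```

If the check returns False because IPv4 servers also show "network unreachable", the cause is broader than missing IPv6 connectivity and the server clauses above will not silence it.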