<div dir="ltr"><div><div>We have this configured on our server<br><br>server ::/0 { bogus yes; }; <br><br></div>Just recently noticed that the config above can actually cause problems resolving hostnames. It works if the hostname and the nameservers hosting it are on the same TLD; for example <a href="http://isc.org">isc.org</a>'s nameservers are all in the <a href="http://isc.org">isc.org</a> domain, so the server doesn't need to make an extra trip to get the nameserver IP. But if the hostname and nameservers are on different TLDs, like <a href="http://org.org">org.org</a> (hosted by <a href="http://gandi.net">gandi.net</a>) or <a href="http://mit.edu">mit.edu</a> (hosted by <a href="http://akam.net">akam.net</a>), trying to resolve those names can cause random ServFails. <br><br></div><div>For example, to resolve <a href="http://org.org">org.org</a>, our nameserver sends a separate A/AAAA query for each NS of <a href="http://org.org">org.org</a> (a|b|<a href="http://c.dns.gandi.net">c.dns.gandi.net</a>); if gandi's nameserver returns the answer to the AAAA query to our nameserver first, our nameserver immediately sends back 'ServFail' to the client. <br><br>Here are the relevant tcpdumps; 192.168.2.1 is our nameserver IP. Immediately after getting "AAAA 2001:4b98:abcb::1", 192.168.2.1 sends ServFail to client 10.0.2.1. Can someone help explain why??<br><br>The server is Linux with private IPv6 and public IPv4, bind-9.9.9-P2; also tried on a server with only an IPv4 stack but not running with '-4', same problem. <br><br>21:50:06.241074 IP 192.168.2.1.40214 > 217.70.177.45.53: 39763% [1au] AAAA? <a href="http://b.dns.gandi.net">b.dns.gandi.net</a>. (44)<br>21:50:06.244717 IP 192.33.14.30.53 > 192.168.2.1.36814: 47777- 0/9/9 (788)<br>21:50:06.244828 IP 192.33.14.30.53 > 192.168.2.1.21146: 51773- 0/9/9 (788)<br>21:50:06.244949 IP 192.168.2.1.44748 > 217.70.177.45.53: 58879% [1au] A? <a href="http://c.dns.gandi.net">c.dns.gandi.net</a>. (44)<br>21:50:06.245028 IP 192.168.2.1.31154 > 217.70.177.45.53: 20056% [1au] AAAA? <a href="http://a.dns.gandi.net">a.dns.gandi.net</a>. (44)<br>21:50:06.245312 IP 192.33.14.30.53 > 192.168.2.1.52630: 45706- 0/9/9 (788)<br>21:50:06.245323 IP 192.33.14.30.53 > 192.168.2.1.24836: 29881- 0/9/9 (788)<br>21:50:06.245367 IP 192.33.14.30.53 > 192.168.2.1.41506: 55177- 0/9/9 (788)<br>21:50:06.245482 IP 192.168.2.1.33406 > 217.70.177.45.53: 60412% [1au] AAAA? <a href="http://c.dns.gandi.net">c.dns.gandi.net</a>. (44)<br>21:50:06.245488 IP 192.168.2.1.7636 > 217.70.177.45.53: 56644% [1au] A? <a href="http://b.dns.gandi.net">b.dns.gandi.net</a>. (44)<br>21:50:06.245723 IP 192.168.2.1.52639 > 217.70.177.45.53: 50741% [1au] A? <a href="http://a.dns.gandi.net">a.dns.gandi.net</a>. 
(44)<br>21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)<br>21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)<br><br></div><div>Thanks!<br></div><div>Hillary<br></div><div><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 21, 2016 at 9:55 PM, Warren Kumari <span dir="ltr"><<a href="mailto:warren@kumari.net" target="_blank">warren@kumari.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br>On Tuesday, June 21, 2016, Mark Andrews <<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
server ::/0 { bogus yes; };</blockquote><div><br></div>Eeeeeeeeww<span></span>! That's gross, but in a bizarrely satisfying way.<div><br></div><div>W<br><div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
In message <CAJS9+YbY3VL3kEhtJMt58eKQrF6QazfvT3kHVy05q26LMPTmkg@mail.gmail.com>, Hillary Nelson writes:<br>
> We are moving our v6 DNS from F5 to anycast. Since F5 can translate addresses<br>
> from v6 to v4, our backend servers are still only v4 and we never have<br>
> problems resolving hostnames with v4 only.<br>
><br>
> Now for anycast, I want to enable v6 with a private address only, but it seems<br>
> like named favors v6 and uses it to source queries to other nameservers; it will<br>
> try v4 if v6 fails, like this (I've configured the source-query-v6 address ::1<br>
> so v6 always fails):<br>
><br>
> 21:04:33.303536 IP6 ::1.34892 > 2001:dcd:1::7.53: 33940% [1au] A?<br>
> <a href="http://example.com" target="_blank">example.com</a>. (48)<br>
> 21:04:34.146521 IP 1.1.1.1.58822 > <a href="http://2.2.2.2" target="_blank">2.2.2.2</a>: 55501% [1au] A? <a href="http://example.com" target="_blank">example.com</a>.<br>
> (48)<br>
><br>
><br>
> My question is how to configure named to only use v4 addresses to query other<br>
> nameservers, but still keep a listening v6 address?<br>
><br>
> Thanks in advance!!<br>
> Hillary<br>
><br>
--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742" target="_blank">+61 2 9871 4742</a> INTERNET: <a>marka@isc.org</a><br></span>
<span class="HOEnZb"><font color="#888888"><br>
</font></span></blockquote></div></div><span class="HOEnZb"><font color="#888888"><br><br>-- <br>I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf<br>
</font></span></blockquote></div><br></div>
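As an added diagnostic that is not part of the thread above: a small Python script that parses tcpdump's one-line DNS summaries (the format of the capture Hillary posted) and, for each SERVFAIL the resolver sent to a client, reports the last upstream reply it received in the milliseconds before, so the "AAAA answer arrives, then SERVFAIL" pattern can be checked across a whole capture instead of by eye. It assumes the capture was taken with tcpdump's default DNS decoding and uses the resolver address 192.168.2.1 from the post; the sample lines are copied from the capture above.

```python
import re
from datetime import datetime, timedelta

# Sample input: four lines taken from the tcpdump in the message above (one referral reply,
# the last upstream query, the AAAA answer and the SERVFAIL to the client), tcpdump's own format.
SAMPLE = """\
21:50:06.245367 IP 192.33.14.30.53 > 192.168.2.1.41506: 55177- 0/9/9 (788)
21:50:06.245723 IP 192.168.2.1.52639 > 217.70.177.45.53: 50741% [1au] A? a.dns.gandi.net. (44)
21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)
21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)
"""

# "<time> IP[6] <src>.<sport> > <dst>.<dport>: <dns summary>"
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
                  r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$")
# reply summary: "<id><flags> [<rcode>] <an>/<ns>/<ar> [<rrtype> <rdata>]"; queries do not match
REPLY = re.compile(r"^\d+\S*(?: [A-Za-z]+)? (\d+)/\d+/\d+(?: ([A-Z0-9]+))?")

def parse(line):
    """Turn one tcpdump line into a dict, or None for lines that are not DNS summaries."""
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%H:%M:%S.%f")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    r = REPLY.match(e["rest"])
    e["ancount"] = int(r.group(1)) if r else None   # None for queries
    e["rrtype"] = r.group(2) if r else None         # first answer type, e.g. "AAAA"
    return e

def servfail_triggers(lines, resolver_ip, window_ms=5):
    """For every SERVFAIL the resolver sent to a client, return (servfail, upstream_reply), where
    upstream_reply is the last reply the resolver received within window_ms before it, or None."""
    events = [e for e in map(parse, lines) if e]
    window = timedelta(milliseconds=window_ms)
    pairs = []
    for i, e in enumerate(events):
        if e["src"] == resolver_ip and e["sport"] == 53 and "ServFail" in e["rest"]:
            prior = [p for p in events[:i]
                     if p["dst"] == resolver_ip and p["sport"] == 53 and e["ts"] - p["ts"] <= window]
            pairs.append((e, prior[-1] if prior else None))
    return pairs

if __name__ == "__main__":
    for sf, up in servfail_triggers(SAMPLE.splitlines(), "192.168.2.1"):
        desc = f"{up['src']} {up['rrtype']} ({up['ancount']} answer(s))" if up else "none"
        print(f"{sf['ts'].time()} SERVFAIL to {sf['dst']}; last upstream reply in window: {desc}")
```

Run it over a full capture with `tcpdump -n -r file.pcap port 53 | python3 script.py` after replacing SAMPLE with stdin; a 5 ms window separates the triggering reply from earlier, unrelated referrals.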