wiskbr...@hotmail.com wrote:
> Hello;
>
> I have two "DMZ" BIND/DNS servers running whose purpose is to allow
> lookups via them from my otherwise incapable internal network.
>
> I've recently upgraded only one of them from BIND 9.5.0-P2 to BIND
> 9.5.1-P1. Both servers are running Sparc/Solaris 9.
>
> Upon upgrading one to BIND 9.5.0-P2, which was in an effort to
> resolve failed lookups for .gov sites, I found that the server was
> now attempting to resolve using IPv6 style addresses. I am not
> able to find any such attempts in the past at all from either
> server (See messages from BIND 9.5.1-P1 server below).
>
> I've installed a newer db.root file by running dig then saving the
> output to db.root. The newer file contained IPv6 style entries,
> which I've manually removed (about the same time attempts ceased)

This isn't going to make a difference. Even if the root server addresses were not already in the named binary, the first thing a resolving name server does when it starts up is to get an updated copy of the information from the root servers themselves.

> I've also tried to force any attempts at using IPv6 and what appear
> to be issues resolving .gov domains in my named.conf like this:
>
> options { edns-udp-size 512; max-udp-size 512;

Those two options are not good. EDNS exists for a reason.

> listen-on-v6 {
> none; }; };

That's not going to do what you want. You want to start named with the -4 option. (Although a better option would be to get working IPv6.) :)

> logging { category lame-servers {null;}; category edns-disabled
> {null;}; };
>
>
> The issues that I was seeing with .gov sites resulted in this type
> of error in my logfile:
>
> Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many
> timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling
> EDNS

This problem isn't caused by IPv6, fdic.gov has no name servers with IPv6 addresses. This looks more like a firewall problem on your end.

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving
> 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53

This is odd. The IP address listed is for f-root. That adns1 name server does have an IPv6 address, but for some reason that address is not listed in the root zone file (currently).

> Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network
> unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53

Same here.

Doug
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
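
The thread treats the two kinds of log message as separate problems, and the following added example (not part of the original messages and not BIND code) sorts named syslog lines into those two groups so they are not read as one IPv6 issue. The category names and the `HINTS` text are assumptions made for this example; the sample lines are the ones quoted in the thread with the mail line wrapping removed.

```python
import ipaddress
import re
from collections import Counter

# Log lines quoted in the thread, unwrapped to one line each.
SAMPLE_LOG = """\
Jan 22 11:24:56 NS1 named[7678]: [ID 873579 daemon.info] too many timeouts resolving 'www.fdic.gov/A' (in 'www.fdic.gov'?): disabling EDNS
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS1.BERKELEY.EDU/AAAA/IN':2001:500:2f::f#53
Jan 22 16:05:08 NS1 named[7678]: [ID 873579 daemon.info] network unreachable resolving 'ADNS2.BERKELEY.EDU/A/IN': 2001:500:2f::f#53
"""

EDNS_RE = re.compile(r"too many timeouts resolving '([^']+)'.*disabling EDNS")
UNREACH_RE = re.compile(r"network unreachable resolving '([^']+)':\s*(\S+)#(\d+)")

# Hypothetical labels; the advice text paraphrases the reply in the thread.
HINTS = {
    "edns-timeout": "EDNS queries timing out; the reply points at a local firewall",
    "unreachable-ipv6": "no IPv6 route from this host; the reply suggests named -4 or working IPv6",
    "unreachable-ipv4": "no IPv4 route to the listed server; check local routing",
}

def classify(line):
    """Return (category, query, server_address) for one named log line."""
    m = EDNS_RE.search(line)
    if m:
        return ("edns-timeout", m.group(1), None)
    m = UNREACH_RE.search(line)
    if m:
        try:
            # The address family of the target server decides the category,
            # not the record type (A or AAAA) that was being looked up.
            version = ipaddress.ip_address(m.group(2)).version
        except ValueError:
            return ("unparsed", m.group(1), m.group(2))
        return (f"unreachable-ipv{version}", m.group(1), m.group(2))
    return ("other", None, None)

def triage(log_text):
    """Count log lines per category, skipping blank lines."""
    return Counter(classify(l)[0] for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for category, count in triage(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category}: {HINTS.get(category, 'no hint')}")
```

Note that the second unreachable line is an A lookup sent to an IPv6 server address, so it still lands in the IPv6 group.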