On 7/11/2011 3:10 PM, Tony Finch wrote:
> Jonathan Kamens <j...@kamens.us> wrote:
>> I said above that the problem is exacerbated by the fact that many DNS servers don't yet support IPV6 queries. This is because the AAAA queries don't get NXDOMAIN responses, which would be cached, but rather FORMERR responses, which are not cached. As a result, the scenario described above happens much more frequently because the DNS server has to redo the AAAA queries often.
>
> Your upstream resolver is broken if it returns FORMERR responses to AAAA queries. The behaviour you describe is not normal.
There are people reporting all over the net that they're getting tons of messages like this in their logs with recent BIND versions:
Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
I've got 397 of them in my logs for just the last 24 hours.
I'm aware that this means the upstream DNS server is broken; isn't that what I said, i.e., that it isn't responding properly to AAAA queries?
The problem is that I have no control over the upstream resolver. All I have control over is my own name server.
I am not the only one who is going to encounter this problem. I've found several reports of it on the net with a minimal amount of searching. I think something more general has to be done than giving me advice about what to change in my named.conf. I appreciate the advice for how to fix the problem for myself, but I think it needs to be fixed for everyone.
> Have a look at bind's filter-aaaa-on-v4 and deny-answer-addresses options which should allow you to prevent applications from trying to use IPv6.
Neither of these options are documented in named.conf(5) or resolv.conf(5). Is this a problem that is specific to the Fedora 15 versions of these man pages, or is the documentation distributed with BIND out-of-date?
I tried to use the option and I get "is not configured" in my log when named starts up and then "parsing failed," so I think my BIND must not be compiled with --enable-filter-aaaa, right? That makes it difficult to use this solution. Perhaps that's also why it isn't listed in the man page?
jik
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
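To see which upstream servers account for the FORMERR messages discussed in this thread, the named log lines can be tallied per server and query type. The following is an added example, not part of the original message: only the first sample log line is quoted from the message, the others are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# named's resolver error format, as in the log line quoted in the message:
#   error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53
LINE_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z0-9]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# First line is from the message; the rest are constructed sample data
# using documentation address ranges.
SAMPLE_LOG = [
    "Jul 11 12:00:06 jik2 named[31354]: error (FORMERR) resolving 'en.wikipedia.org/AAAA/IN': 208.80.152.130#53",
    "Jul 11 12:00:09 jik2 named[31354]: error (FORMERR) resolving 'example.org/AAAA/IN': 192.0.2.53#53",
    "Jul 11 12:01:10 jik2 named[31354]: error (FORMERR) resolving 'example.org/AAAA/IN': 192.0.2.53#53",
    "Jul 11 12:02:00 jik2 named[31354]: error (FORMERR) resolving 'example.net/MX/IN': 198.51.100.7#53",
    "Jul 11 12:02:01 jik2 named[31354]: error (FORMERR) resolving 'example.net/AAAA/IN': 198.51.100.7#53",
    "Jul 11 12:03:00 jik2 named[31354]: error (connection refused) resolving 'example.com/A/IN': 192.0.2.99#53",
    "Jul 11 12:03:05 jik2 sshd[999]: unrelated line",
]

def parse_line(line):
    """Return the fields of a named resolver error line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def formerr_by_server(lines):
    """Count FORMERR errors per upstream server, broken down by query type."""
    per_server = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["reason"] == "FORMERR":
            per_server.setdefault(rec["server"], Counter())[rec["qtype"]] += 1
    return per_server

def aaaa_only_offenders(lines):
    """Servers whose FORMERR errors all concern AAAA queries, with counts."""
    return {s: c["AAAA"] for s, c in formerr_by_server(lines).items()
            if set(c) == {"AAAA"}}

if __name__ == "__main__":
    for server, n in sorted(aaaa_only_offenders(SAMPLE_LOG).items()):
        print(f"{server}: {n} FORMERR responses, AAAA only")
```

A server that returns FORMERR for other query types as well (198.51.100.7 in the sample) is left out of the AAAA-only list, since its problem is not limited to AAAA handling.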