On 07/13/2011 02:13 AM, Mark Andrews wrote:
No. The fix is to correct the nameservers. They are not correctly following the DNS protocol and everything else is a fall out from that.
You're right that everything else is fallout from that.
But that doesn't do me much good, does it? It's my system that keeps getting bogus name resolution errors. It's my RSS feed reader that keeps failing on an hourly basis when the cached records for en.wikipedia.org expire. It's all very well and good to say that the Wikipedia folks and other people with this problem should fix their nameservers -- I totally agree with that -- but it doesn't help me solve my problem /now/.
I'm a real user in the real world with a real problem. Yelling at Wikipedia to fix their DNS servers may feel good, but it doesn't make my DNS work. As far as I and all the other users who are being impacted /now/ by this problem are concerned, it's just pissing into the wind.
Well, all the prodding from people here prompted me to investigate further exactly what's going on. The problem isn't what I thought it was. It appears to be a bug in glibc, and I've filed a bug report and found a workaround.
There is no bug in glibc.
To be blunt, that's bullshit.
If glibc makes an A query and an AAAA query, and it gets back a valid response to the A query and an invalid response to the AAAA query, then it should ignore the invalid response to the AAAA query and return the valid A response to the user as the IP address for the host.
Please note, furthermore, that as I explained in detail in my bug report and in my last message, glibc behaves differently based on the /order/ in which the two responses are returned by the DNS server. Since there's nothing that says a DNS server has to respond to two queries in the order in which they were received, and that would be an impossible requirement to impose in any case, since the queries and responses are sent via UDP which doesn't guarantee order, it's perfectly clear that glibc needs to be prepared to function the same regardless of the order in which it receives the responses.
What's more, there's plenty of code in the glibc files I spent hours poring over which is clearly an attempt to do exactly that. The people who wrote the code just got it wrong. Which isn't surprising, given how god-awful the code is.
This is not an either/or situation. The broken nameservers should be fixed, /and/ glibc should be fixed to properly handle the case of when it sends two queries and gets back one valid response and one server error in reverse order.
I didn't say there was. You really don't seem to be paying very good attention.
In a nutshell, the getaddrinfo function in glibc sends both A and AAAA queries to the DNS server at the same time and then deals with the responses as they come in. Unfortunately, if the responses to the two queries come back in reverse order, /and/ the first one to come back is a server failure, both of which are the case when you try to resolve en.wikipedia.org immediately after restarting your DNS server so nothing is cached, the glibc code screws up and decides it didn't get back a successful response even though it did.
There is *nothing* wrong with sending both queries at once.
Do you understand what the word /workaround/ means?
I am aware of that. It is irrelevant, because it is not the problem I am trying to solve. I, and 99.999999% of the users in the world, are /not/ "only ask[ing] for AAAA records." Nobody actually trying to use the internet for day-to-day work is doing that right now, because to say that IPv6 support is not yet ubiquitous would be a laughably momentous understatement.
Note your "fix" won't help clients that only ask for AAAA records because it is the authoritative servers that are broken, not the resolver library or the recursive server.
You seem to have a really big chip on your shoulder about people who run broken DNS servers. I don't like them any more than you do. But I learned "Be generous in what you accept and conservative in what you generate" way back when I started playing with the Internet well over two decades ago. It holds up now as well as it did back then, and there's no good reason why it shouldn't apply in this case.
It's clear that this is a religious issue for you. I'm not here to debate religion, I'm here to get help making my DNS work, and to help other people, to whatever extent I can, make /their/ DNS work. If you continue to send religious screeds on this topic while making no effort to actually read and understand what I write, please do not expect me to respond further.
Jonathan Kamens
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
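
The order-independence argued for in the message above, as an added example that is not part of the original message and is not glibc's code: each reply is matched to its query by transaction ID and type, so a SERVFAIL for AAAA that arrives first cannot mask a valid A answer. The packets, transaction IDs, the 192.0.2.1 address and all function names are constructed for illustration, and the parser assumes answer names are 2-byte compression pointers, as in the sample packets.

```python
import ipaddress
import struct

A, AAAA, NOERROR, SERVFAIL = 1, 28, 0, 2   # RR type codes, then RCODEs

def build_reply(txid, name, qtype, rcode, rdatas=()):
    """Build a minimal DNS response; used only to construct sample input."""
    msg = struct.pack("!6H", txid, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\0" + struct.pack("!2H", qtype, 1)
    for rd in rdatas:      # answer name is a pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rd)) + rd
    return msg

def parse_reply(msg):
    """Return (txid, rcode, qtype, addresses) from one response."""
    txid, flags, _qd, ancount = struct.unpack("!4H", msg[:8])
    off = 12
    while msg[off]:        # skip the labels of the question name
        off += msg[off] + 1
    (qtype,) = struct.unpack("!H", msg[off + 1:off + 3])
    off += 5               # root label, QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):   # assumes 2-byte compressed owner names
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off + 2:off + 12])
        addrs.append(str(ipaddress.ip_address(msg[off + 12:off + 12 + rdlen])))
        off += 12 + rdlen
    return txid, flags & 0xF, qtype, addrs

def merge(pending, datagrams):
    """pending maps txid -> qtype for the queries sent in parallel."""
    addrs, failures = [], []
    for msg in datagrams:      # arrival order, which UDP does not guarantee
        txid, rcode, qtype, found = parse_reply(msg)
        if pending.get(txid) != qtype:
            continue           # not a reply to one of our queries
        if rcode == NOERROR:
            addrs += found
        else:
            failures.append((qtype, rcode))
    if addrs:                  # one good answer outweighs a failed sibling
        return addrs
    raise LookupError(failures)

# Constructed sample: valid A answer, SERVFAIL for AAAA.
PENDING = {0x1111: A, 0x2222: AAAA}
OK = build_reply(0x1111, "en.wikipedia.org", A, NOERROR, [bytes([192, 0, 2, 1])])
FAIL = build_reply(0x2222, "en.wikipedia.org", AAAA, SERVFAIL)
```

`merge(PENDING, [FAIL, OK])` and `merge(PENDING, [OK, FAIL])` return the same address list; a `LookupError` carrying the per-type failures is raised only when no query produced a usable answer.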