So the question seems to come down to: "why does Google's name server not return the AAAA when I query it from some IPs?"
==============================
dig +norecurse AAAA ghs.l.google.com @ns1.google.com

; <<>> DiG 9.7.3 <<>> +norecurse AAAA ghs.l.google.com @ns1.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55349
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ghs.l.google.com.              IN      AAAA

;; AUTHORITY SECTION:
l.google.com.           600     IN      SOA     ns1.google.com. dns-admin.google.com. 1577101 900 900 1800 60

;; Query time: 30 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Dec 23 21:29:53 2014
;; MSG SIZE rcvd: 84
==============================

Frank

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, December 23, 2014 6:38 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: Unable to get AAAA for www.revk.uk from some of our servers


In message <001e01d01f0e$980b6070$c8222150$@iname.com>, "Frank Bulk" writes:
> Thanks, Mark.
>
> When I queried for the AAAA of ghs.l.google.com from ns[1-4].google.com the
> Google servers reported they don't do recursive queries.

Why would you expect them to offer recursion? They don't need to
for the role they are performing.

> Which Google nameserver does in fact carry the authoritative records
> for ghs.l.google.com?

l.google.com.           86400   IN      NS      ns3.google.com.
l.google.com.           86400   IN      NS      ns1.google.com.
l.google.com.           86400   IN      NS      ns4.google.com.
l.google.com.           86400   IN      NS      ns2.google.com.

> On a side note, I thought that Google's DNS servers were dual-stacked, but
> that does not seem to be the case. None of the ns[1-4].google.com servers
> return an AAAA for me. When I query the IPv6 interface of our recursive DNS
> servers using "dig AAAA ghs.l.google.com +trace @[IPv6_address]" they all
> return "connection timed out; no servers could be reached". Here's an
> example:

Google hasn't yet made their DNS servers dual stacked though lots
of their other servers are dual stacked. It would be nice of them
to do so as it is forcing clients behind IPv6 only connections to
use transition mechanisms to get to the legacy IPv4 only servers.

> ============================================
> DNS server: 2607:fe28:0:1000::8
>
> ; <<>> DiG 9.7.3 <<>> -6 AAAA ghs.l.google.com +trace @2607:fe28:0:1000::8
> ;; global options: +cmd
> .                       420917  IN      NS      c.root-servers.net.
> .                       420917  IN      NS      k.root-servers.net.
> .                       420917  IN      NS      f.root-servers.net.
> .                       420917  IN      NS      b.root-servers.net.
> .                       420917  IN      NS      g.root-servers.net.
> .                       420917  IN      NS      a.root-servers.net.
> .                       420917  IN      NS      d.root-servers.net.
> .                       420917  IN      NS      j.root-servers.net.
> .                       420917  IN      NS      i.root-servers.net.
> .                       420917  IN      NS      h.root-servers.net.
> .                       420917  IN      NS      l.root-servers.net.
> .                       420917  IN      NS      e.root-servers.net.
> .                       420917  IN      NS      m.root-servers.net.
> ;; Received 496 bytes from 2607:fe28:0:1000::8#53(2607:fe28:0:1000::8) in 0
> ms
>
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> ;; Received 506 bytes from 2001:7fe::53#53(i.root-servers.net) in 113 ms
>
> google.com.             172800  IN      NS      ns2.google.com.
> google.com.             172800  IN      NS      ns1.google.com.
> google.com.             172800  IN      NS      ns3.google.com.
> google.com.             172800  IN      NS      ns4.google.com.
> ;; Received 170 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 150
> ms
>
> ;; connection timed out; no servers could be reached
> ============================================
>
> -----Original Message-----
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: Tuesday, December 23, 2014 6:01 PM
> To: Frank Bulk
> Cc: bind-us...@isc.org
> Subject: Re: Unable to get AAAA for www.revk.uk from some of our servers
>
>
> In message <001301d01f06$aa1c7180$fe555480$@iname.com>, "Frank Bulk" writes:
> > I dumped the database of one failing server and found this entry:
> >
> > ; authauthority
> > ghs.l.google.com.       331     \-AAAA  ;-$NXRRSET
> > ; l.google.com. SOA ns4.google.com. dns-admin.google.com. 1577084 900 900
> > 1800 60
> > ; authanswer
> >                         289     A       74.125.201.121
> > ;
> >
> > What does the "\-AAAA ;-$NXRRSET" mean?
>
> It means that there is a negative cache entry for AAAA lookup. The
> SOA record that will be returned is in the comment. For responses
> from signed zones you will also see NSEC / NSEC3 records in the
> comments as well as RRSIG.
>
> NXRRSET (No Such RRset).
> NXDOMAIN (No Such Domain).
>
> > Working server shows this in the dump:
> > ; authanswer
> > ghs.l.google.com.       287     AAAA    2607:f8b0:4001:c08::79
> > ;
> >
> > Regards,
> >
> > Frank Bulk
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
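
Added example, not part of the original thread: a small Python parser for cache-dump entries of the kind quoted above, which lists names that have a cached A record but a negatively cached AAAA (the symptom on the failing server). The sample dump is constructed from the lines in the thread plus a made-up `www.example.test.` entry; the column layout and the function names are assumptions based only on those quoted lines.

```python
import re

# Constructed sample: the failing-server entry from the thread, followed by a
# made-up positive AAAA entry for contrast (layout assumed from the quoted dump).
SAMPLE_DUMP = r"""
; authauthority
ghs.l.google.com.       331     \-AAAA  ;-$NXRRSET
; l.google.com. SOA ns4.google.com. dns-admin.google.com. 1577084 900 900 1800 60
; authanswer
                        289     A       74.125.201.121
;
; authanswer
www.example.test.       287     AAAA    2001:db8::79
;
"""

NEG_MARK = re.compile(r";-\$(\w+)")   # e.g. ";-$NXRRSET" or ";-$NXDOMAIN"


def parse_dump(text):
    """Return (owner, ttl, rrtype, negative_kind) tuples; kind is None if positive."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                      # blank line or comment (trust level, SOA)
        fields = line.split()
        if not line[0].isspace():         # owner column present
            owner = fields.pop(0)         # otherwise inherit the previous owner
        if owner is None or len(fields) < 2 or not fields[0].isdigit():
            continue                      # not a "TTL TYPE ..." record line
        ttl, rrtype, kind = int(fields[0]), fields[1], None
        if rrtype.startswith("\\-"):      # "\-AAAA": negative cache entry
            m = NEG_MARK.search(line)
            rrtype, kind = rrtype[2:], (m.group(1) if m else "NEGATIVE")
        records.append((owner, ttl, rrtype, kind))
    return records


def a_only_names(records):
    """Owners with a cached A record whose AAAA is negatively cached."""
    has_a = {o for o, _, t, k in records if t == "A" and k is None}
    return [(o, ttl) for o, ttl, t, k in records
            if t == "AAAA" and k is not None and o in has_a]


if __name__ == "__main__":
    for name, ttl in a_only_names(parse_dump(SAMPLE_DUMP)):
        print(f"{name} AAAA is negatively cached (TTL {ttl})")
```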