Yeah, it's hard to disagree on the "should" part but we all definitely have to 
administer networks in an imperfect world... To my mind, when there's zero ipv6 
connectivity beyond the LAN, it would be handy to not ask the firewall to 
create 3x more TCP connections that it can never complete, and/or have it send 
unreachables for all of them, especially on a larger network, so I would 
suggest that even if it is "wrong," filter-aaaa-on-v4 is probably still 
"helpful" in some situations, particularly where v6 is not available. The 
network that I originally posted about is small, but I administer a number of 
larger ones and this has been very eye-opening, so I do thank you all for your 
contributions to the conversation. 

It looks like I'd have to compile the filter plugin separately on Windows since 
it's not already integrated, and I don't see a dll or exe for it in the bin 
folder... That's all right though; I'm just glad to have the query times be so 
much quicker now! 

In case it's useful for anyone to know, I did just now try running named with 
the -4 option, taking out the server ::/0 { bogus yes; }; and it still has the 
same delay problem, so it appears that even with -4 it's still trying to do 
something on v6 that it shouldn't be doing. So, server ::/0 { bogus yes; }; is 
still the fix... at least on Windows, anyway. Many thanks again to all of you 
for the insightful responses. 

-Steve

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Mark Andrews
Sent: Monday, January 20, 2020 1:45 AM
To: Lee 
Cc: Ondrej Sury 
Subject: Re: Slow recursive query performance on Windows x64

Devices should return ICMP unreachables when networks are not reachable.  This 
allows applications to move onto the next address.  Not returning unreachables 
results in timeouts being the mechanism to move to the next address.

Additionally applications can make parallel connection attempts.  This works 
particularly well for TCP and is what Happy Eyeballs does with a slight delay 
(sub second) between each different address. Once a TCP connection succeeds the 
other connection attempts are aborted.  Too many developers have copped out on 
providing fast multi-homing support.  It usually only takes a small while to 
convert an application from serial connection attempts to parallel connection 
attempts to the addresses returned from getaddrinfo().  What's more work is 
adding MIF (multiple interface) support which allows you to try different 
source addresses as well.

Mark

> On 20 Jan 2020, at 17:16, Lee <ler...@gmail.com> wrote:
> 
> On 1/20/20, Ondrej Sury <ond...@isc.org> wrote:
>> 
>> Please note that filter-aaaa-on-v4 was always wrong.
> 
> how so?
> 
>> You should fix your network instead. It's a bandaid, not a fix.
> 
> My ISP doesn't offer ipv6, so I'm not sure how to fix my network..
> unless you mean disable ipv6 on everything?  (which I'm not sure is 
> even possible)
> 
> Lee
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
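
The serial-to-parallel conversion described in the message above, as an added example that is not code from the thread or from BIND. The function names, the 0.25 s stagger and the simulated network (documentation addresses, IPv6 silently dropped) are assumptions made for illustration.

```python
import asyncio
import time

ATTEMPT_DELAY = 0.25  # assumed stagger; the message only says "sub second"

async def tcp_connect(sockaddr):
    """Default connector: plain TCP connect, returns the StreamWriter."""
    _, writer = await asyncio.open_connection(sockaddr[0], sockaddr[1])
    return writer

async def connect_staggered(sockaddrs, connect=tcp_connect, delay=ATTEMPT_DELAY):
    """Try addresses in parallel, one new attempt per `delay`; first success wins."""
    remaining, pending, errors = list(sockaddrs), {}, []
    try:
        while remaining or pending:
            if remaining:
                addr = remaining.pop(0)
                pending[asyncio.ensure_future(connect(addr))] = addr
            # A fast failure (e.g. an ICMP unreachable) is seen here at once and the
            # next address starts immediately; a silent drop costs only `delay`.
            done, _ = await asyncio.wait(list(pending), timeout=delay if remaining else None,
                                         return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                addr = pending.pop(task)
                if task.exception() is None:
                    return addr, task.result()
                errors.append((addr, task.exception()))
        raise OSError(f"all connection attempts failed: {errors}")
    finally:
        for task in pending:  # abort the attempts that lost the race
            if not task.done():
                task.cancel()
            elif not task.cancelled() and task.exception() is None:
                task.result().close()  # a second success in the same tick

class FakeConn:
    def close(self): pass

async def fake_connect(sockaddr):
    """Constructed stand-in for a network: v6 is silently dropped, v4 answers."""
    if ":" in sockaddr[0]:
        await asyncio.sleep(30)  # no unreachable comes back, so only a timeout ends it
        raise OSError("timed out")
    await asyncio.sleep(0.01)
    return FakeConn()

def simulate(addrs):
    """Run the race against the constructed network; return (winner, seconds)."""
    start = time.monotonic()
    addr, _ = asyncio.run(connect_staggered(addrs, connect=fake_connect))
    return addr, time.monotonic() - start
```

With the IPv6 address listed first, `simulate` returns the IPv4 address after roughly one stagger interval instead of the 30-second timeout a serial loop would wait out.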
