Hi all,
first off: I do not have IPv6 physical connectivity yet, but I would like to run a nameserver nevertheless. Sadly, it seems that without IPv6 connectivity, half of the queries fail, in a random fashion. There is no clue in the logfile about any reason for this behaviour, only so much as: client: error: query client=0x80db45160 thread=0x80125ba00(pole.daemon.contact/A): query_gotanswer: unexpected error: SERVFAIL query-errors: info: client @0x80db45160 192.168.98.10#17919 (pole.daemon.contact): view intra: query failed (SERVFAIL) for pole.daemon.contact/IN/A at query.c:7376 Increasing the debug level does not give me more insight. The failure happens randomly, half of the time. (Only after 'rndc flush', obviousely, so it went undetected at first, taken for a network hiccup.) I finally resorted to full dnstap logging, and walked myself thru the whole orgy of recursive resolving. The outcome: This name in question, pole.daemon.contact, has four nameservers, each of them has two IPv4 and one IPv6 addresses. In the cases when the query is successful, the recursion happens just as we would expect it: at some point an IP address for one of the four nameservers is obtained, then from that IP address the desired A record is queried and obtained, and after a bit more of validation stuff (probably DNSSEC) the client gets the proper answer. In the cases when the query yields SERVFAIL, the difference is that the first arriving answer for one of the nameserver's addresses is an answer to an AAAA query, not an A query (as mentioned, ther are four possible nameservers, and each has A and AAAA records). At that point the client is sent NXDOMAIN, disregarding that the other (A and AAAA) records are just at that moment being received. So the query is fail, and the service is outage, and it is bad. The problem appears on different machines, all running FreeBSD 12.2 and BIND 9.16.18. I tried to use this recommendation, https://kb.isc.org/docs/aa-00206, marking all IPv6 addrs as bogus, but it does not make a difference in behaviour. Is there any means to tell named that we just don't have IPv6 connections yet (which actually should be obvious because there is not IPv6 address on the interfaces, except for lo0)? I know I can use -4 cmdline option, but that disables everything, while I would rather like to slowly and tentatively enter IPv6 (but on my pace, and not forced by a named insisting in all-or-nothing). I would rather like named to continue and try the other seven address options, and not just NXDOMAIN rightaway. rgds, PMc _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
