Hi folks,

This is a "problem was / solution I found is" type of a post. Feel free to ignore if the topic is not of interest.

I run isc-bind as both a resolver and an authoritative name server in a very simple configuration. Starting sometime during the period I was running OpenBSD 7.5, after one of the updates (syspatch / pkg_add -u) something changed, manifested as sporadic lookup failures (SERVFAIL), e.g.:

    $ host anoncvs4.usa.openbsd.org.
    anoncvs4.usa.openbsd.org has address 66.111.2.37
    anoncvs4.usa.openbsd.org has IPv6 address 2610:1c0:0:5::37
    Host anoncvs4.usa.openbsd.org not found: 2(SERVFAIL)

Initially, I attributed this flaky behavior to the uplink to my ISP. In trying to gather info for reporting to my ISP, I was unable to capture any specific problem when watching the requests and responses via tcpdump. This made me think the problem possibly had to do with query/response timeouts.

The problem persisted after upgrading to 7.6, and possibly got a bit worse, where the spamd fetch would fail with "no route to host".

Scratching my head, I started to wonder if isc-bind was trying to use ipv6 to send out some of the queries, and then falling back to using ipv4. I don't have any ipv6 uplink, nor any actual interfaces configured for ipv6. The only ones I see are on lo0.

Looking through the isc-bind option list in named.conf(5) (so many options!) I wondered if "query-source-v6 none;" might be "the drones I'm looking for"(tm). Sure enough, it seems to have alleviated all these issues.

A bit of a curious problem, which I thought I would share in case anyone else finds themselves in a similar situation. Since I suspected my uplink to my ISP, I didn't keep track of queries, so I can't say definitively, but I do wonder if these issues perhaps coincided with OpenBSD deploying ipv6 and ipv6 authoritative servers?

Hope someone finds this amusing or somehow helpful.

--patrick
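
The check the post describes (no IPv6 addresses anywhere except lo0), as an added example that is not part of the original post. It assumes the OpenBSD ifconfig output layout; the function names and the sample ifconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `ifconfig` output on stdin and list inet6 addresses that
# could serve as a query source. It looks at addresses only, not at routes.

# Print "iface address" for each inet6 address that is not on a loopback
# interface and is not link-local (fe80::/10). ULA addresses are still listed.
candidate_v6_sources() {
    awk '
        /^[^ \t]/ {                        # interface header, e.g. "em0: flags=..."
            iface = $1; sub(/:$/, "", iface)
            loop = ($0 ~ /LOOPBACK/)
            next
        }
        $1 == "inet6" && !loop {
            addr = tolower($2); sub(/%.*/, "", addr)   # drop "%em0" scope suffix
            if (addr ~ /^fe[89ab][0-9a-f]:/) next      # link-local, skip
            print iface, addr
        }'
}

# Print the named.conf option from the post when no candidate address exists,
# otherwise list what was found.
advise() {
    addrs=$(candidate_v6_sources)
    if [ -z "$addrs" ]; then
        echo "query-source-v6 none;"
    else
        echo "IPv6 source available: $addrs"
    fi
}

# Constructed sample: IPv6 only on lo0, IPv4 on em0 (as in the post's setup).
sample_ifconfig() {
    cat <<'EOF'
lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
EOF
}

sample_ifconfig | advise
```

On a live system the input would be `ifconfig | advise` instead of the constructed sample.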