On Fri, Mar 14, 2025 at 1:46 AM Janne Johansson <icepic...@gmail.com> wrote:
>
> > I run isc-bind as both a resolver and an authoritative name server in
> > a very simple configuration.
> >
> > Starting sometime during the period I was running in OpenBSD 7.5, after one
> > of the updates (syspatch / pkg_add -u) something changed, manifested
> > as sporadic lookup failures (SERVFAIL) e.g.,:
> >
> > $ host anoncvs4.usa.openbsd.org.
> > anoncvs4.usa.openbsd.org has address 66.111.2.37
> > anoncvs4.usa.openbsd.org has IPv6 address 2610:1c0:0:5::37
>
> > Scratching my head, I started to wonder if isc-bind was trying to use
> > ipv6 to send out some of the queries, and then falling back to using
> > ipv4. I don't have any ipv6 uplink, nor any actual interfaces
> > configured for ipv6. The only ones I see are on lo0. Looking through
> > the isc-bind option list in named.conf(5) (so many options!) I
> > wondered if "query-source-v6 none;" might be "the drones I'm looking
> > for"(tm). Sure enough, it seems to have alleviated all these issues.
> >
> > A bit of a curious problem, which I thought I would share in case
> > anyone else finds themselves in a similar situation.
> >
> > Since I suspected my uplink to my ISP, I didn't keep track of queries,
> > so I can't say definitively, but I do wonder if these issues perhaps
> > coincided with OpenBSD deploying ipv6 and ipv6 authoritative servers?
>
> If you don't have ipv6 on any interface (except lo0), you would not
> have routes for ipv6, and hence bind should not even attempt to use
> v6.
> What does it look like if you ask the routing table for which
> interface to use to reach a v6 ip?
>
> A v6-connected host would say something like this:
>
> $ route get -inet6 2610:1c0:0:5::37
> route to: 2610:1c0:0:5::37
> destination: ::
> mask: ::
> gateway: 2a03:6000:6f65:626::1
> [...]
>
> whereas a v4-only host says:
> $ route get -inet6 2610:1c0:0:5::37
> get host 2610:1c0:0:5::37: not in table

$ route get -inet6 2610:1c0:0:5::37
get host 2610:1c0:0:5::37: not in table

ISC bind is listening on lo0 interfaces:

$ netstat -afinet6 -n | grep \\.53
tcp6 0 0 fe80::1%lo0.53 *.* LISTEN
tcp6 0 0 ::1.53 *.* LISTEN
udp6 0 0 fe80::1%lo0.53 *.*
udp6 0 0 ::1.53 *.*

> Still, the bug would be in isc-bind for trying to use v6 when it's
> trivial to deduce it is not possible to use that protocol.

Does seem that way. I am uncertain whether this was introduced in some
interim isc-bind version or if this behavior is a consequence of ipv6
NS being deployed. Time permitting I will try to look into this with
isc-bind's site/mailing list(s).

Cheers,

--patrick