v6-bias
Hello! I couldn't find anything else than https://kb.isc.org/docs/aa-01349 for v6-bias. Is that still relevant for current versions? Is there a reason that option isn't described in the normal documentation? I've set it to 200ms and I still see outgoing queries to IPv4 destinations that are reachable via IPv6 and have a latency under 20 ms. -- kind regards Marco -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: v6-bias
> On 18 Aug 2024, at 20:32, Marco Moock wrote: > > Hello! > > I couldn't find anything else than https://kb.isc.org/docs/aa-01349 > for v6-bias. > > Is that still relevant for current versions? Yes. > Is there a reason that option isn't described in the normal > documentation? It is. Go to the product page. Look at panel 3 “Configuration". Click on "Administrator Reference Manual (ARM)” then enter “v6-bias” in the search box. > I've set it to 200ms and I still see outgoing queries to IPv4 > destinations that are reachable via IPv6 and have a latency under 20 ms. Named uses smooth measured RTT which means it still has to occasionally talk to servers over IPv4 to measure the RTT. Additionally lots of zones don’t publish IPv6 glue records. The default is 50ms bias. > -- > kind regards > Marco > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: v6-bias
Am 18.08.2024 um 23:44:26 Uhr schrieb Mark Andrews: > > On 18 Aug 2024, at 20:32, Marco Moock wrote: > It is. Go to the product page. Look at panel 3 “Configuration". > Click on "Administrator Reference Manual (ARM)” then enter “v6-bias” > in the search box. https://bind9.readthedocs.io/en/v9.18.28/reference.html#namedconf-statement-v6-bias As I searched on isc.org, I couldn't find it. > > I've set it to 200ms and I still see outgoing queries to IPv4 > > destinations that are reachable via IPv6 and have a latency under > > 20 ms. > > Named uses smooth measured RTT which means it still has to > occasionally talk to servers over IPv4 to measure the RTT. Can that be disabled, so IPv4 fallback will only be used when IPv6 query takes longer than the time set in v6-bias? -- kind regards Marco Send unsolicited bulk mail to 1724017466mu...@cartoonies.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
I want to know why I suddenly can't resolve names.
This will be my first email. Sorry for any rough edges. ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve the domain name on August 2, 2024. It automatically recovered after a while. The following message was recorded in the logs I want to know why I suddenly can't resolve names. logs:: log1: validating @0x: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=xxx): RRSIG has expired log2: validating @0x: domain.example.com A: bad cache hit ( domain.example.com.dlv.isc.org/DLV) timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: 2024.08.02 05:06:06 (JST) env:: CentOS release 6.4 (Final) BIND version: bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / named Considerations:: There were no other physical or internal OS failures. From the fact that the recovery was automatic, I am guessing that there was a failure or maintenance in the dlv repository for verification. If you have any other information related to the cause of the problem, we would appreciate it if you could share it with us. Discussion:: I know that “Look aside validation” has already been discontinued, but I have a question to isolate the cause. I would like to know why “Look aside validation” has already been discontinued, yet the system usually operates without problems. There were no other physical or internal OS failures. The system recovered automatically. I am guessing that it was caused by the dlv repository for validation. If anyone has any other information relate -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I want to know why I suddenly can't resolve names.
I will repeat what I said before when you logged this as a bug. Stop using look aside validation. The service has been turned off for 7 years now. The only thing there is a empty zone that is returning NXDOMAIN for every lookup other than the apex which only has SOA, NS, NSEC and RRSIG records. There are no DLV records there to lookup. https://kb.isc.org/docs/disable-dnssec-lookaside-dlv-now-heres-how Also I am not going to ask operations what happened 2 weeks ago to cause the signature to be momentarily bad. Mark > On 19 Aug 2024, at 10:51, 秋林峻祐 wrote: > > This will be my first email. Sorry for any rough edges. > ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve > the domain name on August 2, 2024. It automatically recovered after a while. > The following message was recorded in the logs > I want to know why I suddenly can't resolve names. > logs:: > log1: validating @0x: dlv.isc.org DNSKEY: verify failed due > to bad signature (keyid=xxx): RRSIG has expired > log2: validating @0x: domain.example.com A: bad cache hit > (domain.example.com.dlv.isc.org/DLV) > timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: > 2024.08.02 05:06:06 (JST) > env:: CentOS release 6.4 (Final) BIND version: > bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / named > Considerations:: There were no other physical or internal OS failures. From > the fact that the recovery was automatic, I am guessing that there was a > failure or maintenance in the dlv repository for verification. If you have > any other information related to the cause of the problem, we would > appreciate it if you could share it with us. > Discussion:: > I know that “Look aside validation” has already been discontinued, but I have > a question to isolate the cause. > I would like to know why “Look aside validation” has already been > discontinued, yet the system usually operates without problems. > There were no other physical or internal OS failures. > The system recovered automatically. > I am guessing that it was caused by the dlv repository for validation. > If anyone has any other information relate > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I want to know why I suddenly can't resolve names.
Since you are asking for a cause.The cause is that you failed to follow operational advice and kept using DLV after it has been discontinued. This is entirely on you.ISC is keeping dlv.isc.org operational only as a courtesy, and there is absolutely no SLA.Ondrej--Ondřej Surý — ISC (He/Him)My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.On 19. 8. 2024, at 2:51, 秋林峻祐 wrote:This will be my first email. Sorry for any rough edges.ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve the domain name on August 2, 2024. It automatically recovered after a while. The following message was recorded in the logsI want to know why I suddenly can't resolve names.logs::log1: validating @0x: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=xxx): RRSIG has expiredlog2: validating @0x: domain.example.com A: bad cache hit (domain.example.com.dlv.isc.org/DLV)timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: 2024.08.02 05:06:06 (JST)env:: CentOS release 6.4 (Final) BIND version: bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / namedConsiderations:: There were no other physical or internal OS failures. From the fact that the recovery was automatic, I am guessing that there was a failure or maintenance in the dlv repository for verification. If you have any other information related to the cause of the problem, we would appreciate it if you could share it with us.Discussion::I know that “Look aside validation” has already been discontinued, but I have a question to isolate the cause.I would like to know why “Look aside validation” has already been discontinued, yet the system usually operates without problems.There were no other physical or internal OS failures.The system recovered automatically.I am guessing that it was caused by the dlv repository for validation.If anyone has any other information relate -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this listISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.bind-users mailing listbind-users@lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I want to know why I suddenly can't resolve names.
Additionally, you fail to run supported version of BIND 9.Support for DLV had been removed from BIND 9.16.0 and even BIND 9.16 had reached end-of-life as of this year (after four and something years of support).Ondrej--Ondřej Surý — ISC (He/Him)My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.On 19. 8. 2024, at 5:56, Ondřej Surý wrote:Since you are asking for a cause.The cause is that you failed to follow operational advice and kept using DLV after it has been discontinued. This is entirely on you.ISC is keeping dlv.isc.org operational only as a courtesy, and there is absolutely no SLA.Ondrej--Ondřej Surý — ISC (He/Him)My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.On 19. 8. 2024, at 2:51, 秋林峻祐 wrote:This will be my first email. Sorry for any rough edges.ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve the domain name on August 2, 2024. It automatically recovered after a while. The following message was recorded in the logsI want to know why I suddenly can't resolve names.logs::log1: validating @0x: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=xxx): RRSIG has expiredlog2: validating @0x: domain.example.com A: bad cache hit (domain.example.com.dlv.isc.org/DLV)timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: 2024.08.02 05:06:06 (JST)env:: CentOS release 6.4 (Final) BIND version: bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: /group:root / namedConsiderations:: There were no other physical or internal OS failures. From the fact that the recovery was automatic, I am guessing that there was a failure or maintenance in the dlv repository for verification. If you have any other information related to the cause of the problem, we would appreciate it if you could share it with us.Discussion::I know that “Look aside validation” has already been discontinued, but I have a question to isolate the cause.I would like to know why “Look aside validation” has already been discontinued, yet the system usually operates without problems.There were no other physical or internal OS failures.The system recovered automatically.I am guessing that it was caused by the dlv repository for validation.If anyone has any other information relate -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this listISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.bind-users mailing listbind-users@lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: v6-bias
> On 19 Aug 2024, at 00:59, Marco Moock wrote: > > Am 18.08.2024 um 23:44:26 Uhr schrieb Mark Andrews: > >>> On 18 Aug 2024, at 20:32, Marco Moock wrote: > >> It is. Go to the product page. Look at panel 3 “Configuration". >> Click on "Administrator Reference Manual (ARM)” then enter “v6-bias” >> in the search box. > > https://bind9.readthedocs.io/en/v9.18.28/reference.html#namedconf-statement-v6-bias > > As I searched on isc.org, I couldn't find it. > >>> I've set it to 200ms and I still see outgoing queries to IPv4 >>> destinations that are reachable via IPv6 and have a latency under >>> 20 ms. >> >> Named uses smooth measured RTT which means it still has to >> occasionally talk to servers over IPv4 to measure the RTT. > > Can that be disabled, so IPv4 fallback will only be used when IPv6 > query takes longer than the time set in v6-bias? It “doesn’t fall back to IPv4”. It sorts all the known server addresses for the zone adding v6-bias to the srtt of the IPv4 servers to order them. These are then tried in order using the actual srtt for the query timeout to move to the next server. 'rndc dumpdb' will allow you to see the srtt of the servers. > -- > kind regards > Marco > > Send unsolicited bulk mail to 1724017466mu...@cartoonies.org > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I want to know why I suddenly can't resolve names.
Thank you for your reply. As you said, there is absolutely no negligence on the part of ISC in this case and it is our responsibility. I am contacting you to assist you in isolating the incident. In the past (2020), when similar expiration problems occurred, a notice was given by bind-user, stating that they would prevent the problem from recurring. The year 2020 is already the year that dlv is no longer recommended, as it is now. So I just wanted to know if there was a similar case this time. Again, I know that the fault is not with dlv and that we are at fault. Just trying to gather information if possible. 2024年8月19日(月) 13:23 Ondřej Surý : > Additionally, you fail to run supported version of BIND 9. > > Support for DLV had been removed from BIND 9.16.0 and even BIND 9.16 had > reached end-of-life as of this year (after four and something years of > support). > > Ondrej > -- > Ondřej Surý — ISC (He/Him) > > My working hours and your working hours may be different. Please do not > feel obligated to reply outside your normal working hours. > > On 19. 8. 2024, at 5:56, Ondřej Surý wrote: > > Since you are asking for a cause. > > The cause is that you failed to follow operational advice and kept using > DLV after it has been discontinued. This is entirely on you. > > ISC is keeping dlv.isc.org operational only as a courtesy, and there is > absolutely no SLA. > > Ondrej > -- > Ondřej Surý — ISC (He/Him) > > My working hours and your working hours may be different. Please do not > feel obligated to reply outside your normal working hours. > > On 19. 8. 2024, at 2:51, 秋林峻祐 wrote: > > > > This will be my first email. Sorry for any rough edges. > > ISSUE:: I am using a DNS server in Japan. The DNS server failed to resolve > the domain name on August 2, 2024. It automatically recovered after a > while. The following message was recorded in the logs > > I want to know why I suddenly can't resolve names. > > logs:: > > log1: validating @0x: dlv.isc.org DNSKEY: verify failed > due to bad signature (keyid=xxx): RRSIG has expired > > log2: validating @0x: domain.example.com A: bad cache hit > (domain.example.com.dlv.isc.org/DLV) > > timestamp:: Failure date: 2024.08.02 00:39:30 (JST) Failure recovery date: > 2024.08.02 05:06:06 (JST) > > env:: CentOS release 6.4 > (Final) BIND version: bind-9.8.2-0.68.rc1.el6_10.8.x86_64 Execution user: > /group:root / named > > Considerations:: There were no other physical or internal OS failures. > From the fact that the recovery was automatic, I am guessing that there was > a failure or maintenance in the dlv repository for verification. If you > have any other information related to the cause of the problem, we would > appreciate it if you could share it with us. > > Discussion:: > I know that “Look aside validation” has already been discontinued, but I > have a question to isolate the cause. > I would like to know why “Look aside validation” has already been > discontinued, yet the system usually operates without problems. > There were no other physical or internal OS failures. > The system recovered automatically. > I am guessing that it was caused by the dlv repository for validation. > If anyone has any other information relate > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: I want to know why I suddenly can't resolve names.
Ok, let me state that clearly again. There is no guarantee that dlv.isc.org will be operational in the next second, next minute, next day, next month or next year. Stop using it right now, we are not going to send any notices because you failed to act. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 19. 8. 2024, at 7:22, 秋林峻祐 wrote: > > In the past (2020), when similar expiration problems occurred, a notice was > given by bind-user, stating that they would prevent the problem from > recurring. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
