[dns-operations] resolv.conf and resolving IPv6-only domains/NSes

Frank Bulk frnkblk at iname.com
Thu Nov 4 19:33:15 UTC 2010


Matt:

Thanks for testing this so extensively.  I will bring this to the attention
of ISC.

Frank

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net
[mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Matt
Thompson
Sent: Wednesday, November 03, 2010 10:28 PM
To: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] resolv.conf and resolving IPv6-only
domains/NSes

On 10-11-03 10:16 PM, Frank Bulk wrote:
> Holger:
>
> The Debian box is not IPv6 only.
>
> I had presumed (incorrectly) that I could list a bunch of DNS servers
(IPv4
> and IPv6-only) in resolv.conf and the IP stack would handle SERVFAIL
> gracefully and move on to the next one.  Apparently that's not the case,
> which is why your recommendation that all the servers listed in
resolv.conf
> be dual-stack is a good idea.
Hi Frank,

It seems that glibc getaddrinfo() does fail to the second DNS server if 
the first one is not dual stack in your resolv.conf. It's up to glibc or 
other stub resolver code to handle SERVFAIL. The IP stack itself has no 
knowledge of DNS.

My resolv.conf has:
nameserver 4.2.2.5                # Not dual stack
nameserver 192.168.12.1        # Dual stack

This test program demonstrates that it does fail over to the dual stack 
nameserver:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <string.h>

const char *query = "onlyv6.com";

int main(int argc, char **argv)
{
     struct addrinfo hints;
     struct addrinfo *result;
     char addrbuf[INET6_ADDRSTRLEN];

     int ret;

     memset(&hints, 0, sizeof(struct addrinfo));
     hints.ai_family = AF_UNSPEC; /** IPv4 or IPv6 */
     hints.ai_socktype = SOCK_DGRAM;

     ret = getaddrinfo(query, NULL, &hints, &result);
     if(ret != 0)
     {
         fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
         return(EXIT_FAILURE);
     }

     while(result)
     {

         inet_ntop(result->ai_family, result->ai_addr->sa_data + 2, 
addrbuf, sizeof(addrbuf));
         printf("Result: %s\n", addrbuf);
         result = result->ai_next;
     }
     return(EXIT_SUCCESS);
}

Here's the output from the program:

matt at desk:~$ ./testv6
Result: ::2607:f118:8c0:800:0:0


Dig implements its own stub resolver and doesn't failover on SERVFAIL:

matt at desk:~$ dig onlyv6.com

; <<>> DiG 9.7.1-P2 <<>> onlyv6.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;onlyv6.com.            IN    A

;; Query time: 56 msec
;; SERVER: 4.2.2.5#53(4.2.2.5)
;; WHEN: Wed Nov  3 23:09:17 2010
;; MSG SIZE  rcvd: 28

nslookup does failover:

matt at desk:~$ nslookup -type=AAAA onlyv6.com
;; Got SERVFAIL reply from 4.2.2.5, trying next server
Server:        192.168.12.1
Address:    192.168.12.1#53

Non-authoritative answer:
onlyv6.com    has AAAA address 2607:f118:8c0:800::64


Cheers,
Matt Thompson
HexWave Software Systems

> Frank
>
> -----Original Message-----
> From: Zuleger, Holger, VF-DE [mailto:holger.zuleger at vodafone.com]
> Sent: Wednesday, November 03, 2010 12:26 PM
> To: frnkblk at iname.com; Stephane Bortzmeyer
> Cc: dns-operations at dns-oarc.net
> Subject: RE: [dns-operations] resolv.conf and resolving IPv6-only
> domains/NSes
>
>> Stephane:
>>
>> You are correct, whether my tool requests resolution via IPv4
>> or IPv6 for
>> onlyv6.com shouldn't matter as long as the queried resolver has IPv6
>> connectivity.
>>
>> So what I've learned is that if I want to resolve query
>> v6-only domains,
>> such as onlyv6.com, I had better make sure that the first DNS
>> server in my
>> resolv.conf has IPv6 connectivity.  Even better, make sure
>> all of them do.
> No.
> If your client is ipv6-only then it doesn't make sense to
> use an IPv4 resolver.
> Additionally each of the ipv6 resolvers in your list *must* be
> dual-stack, or need the help of an dual stack resolver (e.g. via
> BINDs dual-stack-server command).
>
> If the domain is a v6-only domain, at least the authoritative name
> servers of
> the domain have to be dual stack.
>
> Regards
>   Holger
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations





More information about the dns-operations mailing list