[dns-operations] resolv.conf and resolving IPv6-only domains/NSes

Mark Andrews marka at isc.org
Thu Nov 4 21:09:02 UTC 2010 

In message <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh
1IQAAAATbSgAABAAAADoQfg1GbH6T5dIxe9Zzj5wAQAAAAA=@iname.com>, "Frank Bulk" write
s:
> Matt:
> 
> Thanks for testing this so extensively.  I will bring this to the attention
> of ISC.
> 
> Frank

	dig +[no]fail
 
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net
> [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Matt
> Thompson
> Sent: Wednesday, November 03, 2010 10:28 PM
> To: dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] resolv.conf and resolving IPv6-only
> domains/NSes
> 
> On 10-11-03 10:16 PM, Frank Bulk wrote:
> > Holger:
> >
> > The Debian box is not IPv6 only.
> >
> > I had presumed (incorrectly) that I could list a bunch of DNS servers
> (IPv4
> > and IPv6-only) in resolv.conf and the IP stack would handle SERVFAIL
> > gracefully and move on to the next one.  Apparently that's not the case,
> > which is why your recommendation that all the servers listed in
> resolv.conf
> > be dual-stack is a good idea.
> Hi Frank,
> 
> It seems that glibc getaddrinfo() does fail to the second DNS server if 
> the first one is not dual stack in your resolv.conf. It's up to glibc or 
> other stub resolver code to handle SERVFAIL. The IP stack itself has no 
> knowledge of DNS.
> 
> My resolv.conf has:
> nameserver 4.2.2.5                # Not dual stack
> nameserver 192.168.12.1        # Dual stack
> 
> This test program demonstrates that it does fail over to the dual stack 
> nameserver:
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netdb.h>
> #include <string.h>
> 
> const char *query = "onlyv6.com";
> 
> int main(int argc, char **argv)
> {
>      struct addrinfo hints;
>      struct addrinfo *result;
>      char addrbuf[INET6_ADDRSTRLEN];
> 
>      int ret;
> 
>      memset(&hints, 0, sizeof(struct addrinfo));
>      hints.ai_family = AF_UNSPEC; /** IPv4 or IPv6 */
>      hints.ai_socktype = SOCK_DGRAM;
> 
>      ret = getaddrinfo(query, NULL, &hints, &result);
>      if(ret != 0)
>      {
>          fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
>          return(EXIT_FAILURE);
>      }
> 
>      while(result)
>      {
> 
>          inet_ntop(result->ai_family, result->ai_addr->sa_data + 2, 
> addrbuf, sizeof(addrbuf));
>          printf("Result: %s\n", addrbuf);
>          result = result->ai_next;
>      }
>      return(EXIT_SUCCESS);
> }
> 
> Here's the output from the program:
> 
> matt at desk:~$ ./testv6
> Result: ::2607:f118:8c0:800:0:0
> 
> 
> Dig implements its own stub resolver and doesn't failover on SERVFAIL:
> 
> matt at desk:~$ dig onlyv6.com
> 
> ; <<>> DiG 9.7.1-P2 <<>> onlyv6.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;onlyv6.com.            IN    A
> 
> ;; Query time: 56 msec
> ;; SERVER: 4.2.2.5#53(4.2.2.5)
> ;; WHEN: Wed Nov  3 23:09:17 2010
> ;; MSG SIZE  rcvd: 28
> 
> nslookup does failover:
> 
> matt at desk:~$ nslookup -type=AAAA onlyv6.com
> ;; Got SERVFAIL reply from 4.2.2.5, trying next server
> Server:        192.168.12.1
> Address:    192.168.12.1#53
> 
> Non-authoritative answer:
> onlyv6.com    has AAAA address 2607:f118:8c0:800::64
> 
> 
> Cheers,
> Matt Thompson
> HexWave Software Systems
> 
> > Frank
> >
> > -----Original Message-----
> > From: Zuleger, Holger, VF-DE [mailto:holger.zuleger at vodafone.com]
> > Sent: Wednesday, November 03, 2010 12:26 PM
> > To: frnkblk at iname.com; Stephane Bortzmeyer
> > Cc: dns-operations at dns-oarc.net
> > Subject: RE: [dns-operations] resolv.conf and resolving IPv6-only
> > domains/NSes
> >
> >> Stephane:
> >>
> >> You are correct, whether my tool requests resolution via IPv4
> >> or IPv6 for
> >> onlyv6.com shouldn't matter as long as the queried resolver has IPv6
> >> connectivity.
> >>
> >> So what I've learned is that if I want to resolve query
> >> v6-only domains,
> >> such as onlyv6.com, I had better make sure that the first DNS
> >> server in my
> >> resolv.conf has IPv6 connectivity.  Even better, make sure
> >> all of them do.
> > No.
> > If your client is ipv6-only then it doesn't make sense to
> > use an IPv4 resolver.
> > Additionally each of the ipv6 resolvers in your list *must* be
> > dual-stack, or need the help of an dual stack resolver (e.g. via
> > BINDs dual-stack-server command).
> >
> > If the domain is a v6-only domain, at least the authoritative name
> > servers of
> > the domain have to be dual stack.
> >
> > Regards
> >   Holger
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list