[dns-operations] resolv.conf and resolving IPv6-only domains/NSes

Mark Andrews marka at isc.org
Sat Nov 6 02:10:04 UTC 2010 

In message <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh
1IQAAAATbSgAABAAAABr7NIpg8QfQJFApNbruxngAQAAAAA=@iname.com>, "Frank Bulk - iNam
e.com" writes:
> Thanks, that option works.
> 
> Why is the default state "fail"?  Perhaps the default state could be
> "nofail"?
> 
> Frank

dig is a debugging tool.

> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org] 
> Sent: Thursday, November 04, 2010 4:09 PM
> To: frnkblk at iname.com
> Cc: 'Matt Thompson'; dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] resolv.conf and resolving IPv6-only
> domains/NSes
> 
> 
> In message
> <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh
> 1IQAAAATbSgAABAAAADoQfg1GbH6T5dIxe9Zzj5wAQAAAAA=@iname.com>, "Frank Bulk"
> write
> s:
> > Matt:
> > 
> > Thanks for testing this so extensively.  I will bring this to the
> attention
> > of ISC.
> > 
> > Frank
> 
>     dig +[no]fail
>  
> > -----Original Message-----
> > From: dns-operations-bounces at lists.dns-oarc.net
> > [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Matt
> > Thompson
> > Sent: Wednesday, November 03, 2010 10:28 PM
> > To: dns-operations at lists.dns-oarc.net
> > Subject: Re: [dns-operations] resolv.conf and resolving IPv6-only
> > domains/NSes
> > 
> > On 10-11-03 10:16 PM, Frank Bulk wrote:
> > > Holger:
> > >
> > > The Debian box is not IPv6 only.
> > >
> > > I had presumed (incorrectly) that I could list a bunch of DNS servers
> > (IPv4
> > > and IPv6-only) in resolv.conf and the IP stack would handle SERVFAIL
> > > gracefully and move on to the next one.  Apparently that's not the case,
> > > which is why your recommendation that all the servers listed in
> > resolv.conf
> > > be dual-stack is a good idea.
> > Hi Frank,
> > 
> > It seems that glibc getaddrinfo() does fail to the second DNS server if 
> > the first one is not dual stack in your resolv.conf. It's up to glibc or 
> > other stub resolver code to handle SERVFAIL. The IP stack itself has no 
> > knowledge of DNS.
> > 
> > My resolv.conf has:
> > nameserver 4.2.2.5                # Not dual stack
> > nameserver 192.168.12.1        # Dual stack
> > 
> > This test program demonstrates that it does fail over to the dual stack 
> > nameserver:
> > 
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <sys/types.h>
> > #include <sys/socket.h>
> > #include <netdb.h>
> > #include <string.h>
> > 
> > const char *query = "onlyv6.com";
> > 
> > int main(int argc, char **argv)
> > {
> >      struct addrinfo hints;
> >      struct addrinfo *result;
> >      char addrbuf[INET6_ADDRSTRLEN];
> > 
> >      int ret;
> > 
> >      memset(&hints, 0, sizeof(struct addrinfo));
> >      hints.ai_family = AF_UNSPEC; /** IPv4 or IPv6 */
> >      hints.ai_socktype = SOCK_DGRAM;
> > 
> >      ret = getaddrinfo(query, NULL, &hints, &result);
> >      if(ret != 0)
> >      {
> >          fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
> >          return(EXIT_FAILURE);
> >      }
> > 
> >      while(result)
> >      {
> > 
> >          inet_ntop(result->ai_family, result->ai_addr->sa_data + 2, 
> > addrbuf, sizeof(addrbuf));
> >          printf("Result: %s\n", addrbuf);
> >          result = result->ai_next;
> >      }
> >      return(EXIT_SUCCESS);
> > }
> > 
> > Here's the output from the program:
> > 
> > matt at desk:~$ ./testv6
> > Result: ::2607:f118:8c0:800:0:0
> > 
> > 
> > Dig implements its own stub resolver and doesn't failover on SERVFAIL:
> > 
> > matt at desk:~$ dig onlyv6.com
> > 
> > ; <<>> DiG 9.7.1-P2 <<>> onlyv6.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41092
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;onlyv6.com.            IN    A
> > 
> > ;; Query time: 56 msec
> > ;; SERVER: 4.2.2.5#53(4.2.2.5)
> > ;; WHEN: Wed Nov  3 23:09:17 2010
> > ;; MSG SIZE  rcvd: 28
> > 
> > nslookup does failover:
> > 
> > matt at desk:~$ nslookup -type=AAAA onlyv6.com
> > ;; Got SERVFAIL reply from 4.2.2.5, trying next server
> > Server:        192.168.12.1
> > Address:    192.168.12.1#53
> > 
> > Non-authoritative answer:
> > onlyv6.com    has AAAA address 2607:f118:8c0:800::64
> > 
> > 
> > Cheers,
> > Matt Thompson
> > HexWave Software Systems
> > 
> > > Frank
> > >
> > > -----Original Message-----
> > > From: Zuleger, Holger, VF-DE [mailto:holger.zuleger at vodafone.com]
> > > Sent: Wednesday, November 03, 2010 12:26 PM
> > > To: frnkblk at iname.com; Stephane Bortzmeyer
> > > Cc: dns-operations at dns-oarc.net
> > > Subject: RE: [dns-operations] resolv.conf and resolving IPv6-only
> > > domains/NSes
> > >
> > >> Stephane:
> > >>
> > >> You are correct, whether my tool requests resolution via IPv4
> > >> or IPv6 for
> > >> onlyv6.com shouldn't matter as long as the queried resolver has IPv6
> > >> connectivity.
> > >>
> > >> So what I've learned is that if I want to resolve query
> > >> v6-only domains,
> > >> such as onlyv6.com, I had better make sure that the first DNS
> > >> server in my
> > >> resolv.conf has IPv6 connectivity.  Even better, make sure
> > >> all of them do.
> > > No.
> > > If your client is ipv6-only then it doesn't make sense to
> > > use an IPv4 resolver.
> > > Additionally each of the ipv6 resolvers in your list *must* be
> > > dual-stack, or need the help of an dual stack resolver (e.g. via
> > > BINDs dual-stack-server command).
> > >
> > > If the domain is a v6-only domain, at least the authoritative name
> > > servers of
> > > the domain have to be dual stack.
> > >
> > > Regards
> > >   Holger
> > >
> > > _______________________________________________
> > > dns-operations mailing list
> > > dns-operations at lists.dns-oarc.net
> > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > 
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > 
> > 
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list