DNS resolver reaction to non-reachable authoritative DNS server
Hello there!

I am trying to troubleshoot a DNS failure issue with one of the Indian Govt's domains (nic.in). I can see that 1 out of 4 authoritative DNS servers is IPv6 only. We have quite a few users running an IPv4 only setup and hence 1/4 of these DNS servers are non-reachable from the recursor hosted by our clients.

How is a DNS query expected to respond in such a case? Will it give SRVFAIL and terminate immediately (causing DNS resolution failure) OR will it just see one of the auth DNS servers as non-reachable and proceed with one of the other three, thus slowing down but with no failure?

Thanks.

--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com
PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
On 03/13/2014 12:35 AM, Anurag Bhatia wrote:
> Hello there!
>
> I am trying to troubleshoot a DNS failure issue with one of the Indian Govt's domains (nic.in). I can see that 1 out of 4 authoritative DNS servers is IPv6 only. We have quite a few users running an IPv4 only setup and hence 1/4 of these DNS servers are non-reachable from the recursor hosted by our clients.
>
> How is a DNS query expected to respond in such a case? Will it give SRVFAIL and terminate immediately (causing DNS resolution failure) OR will it just see one of the auth DNS servers as non-reachable and proceed with one of the other three, thus slowing down but with no failure?

Basically the latter.

If your customers are using BIND there is a flag you can supply to named to cause it to operate only in IPv4. That would avoid this problem altogether.

hope this helps,

Doug
In message <5321EAB8.3010200@dougbarton.us>, Doug Barton writes:
> On 03/13/2014 12:35 AM, Anurag Bhatia wrote:
> > Hello there!
> >
> > I am trying to troubleshoot a DNS failure issue with one of the Indian Govt's domains (nic.in). I can see that 1 out of 4 authoritative DNS servers is IPv6 only. We have quite a few users running an IPv4 only setup and hence 1/4 of these DNS servers are non-reachable from the recursor hosted by our clients.
> >
> > How is a DNS query expected to respond in such a case? Will it give SRVFAIL and terminate immediately (causing DNS resolution failure) OR will it just see one of the auth DNS servers as non-reachable and proceed with one of the other three, thus slowing down but with no failure?
>
> Basically the latter.
>
> If your customers are using BIND there is a flag you can supply to named to cause it to operate only in IPv4. That would avoid this problem altogether.

And is basically not needed, as the IP stack (with the exception of Solaris) informs named when there isn't a route to the destination and named moves onto the next address to try.

As to the original question: NS records without matching address records happen pretty regularly. All nameservers deal with them.

Mark

> hope this helps,
>
> Doug

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
On 3/13/2014 5:23 PM, Mark Andrews wrote:
> > If your customers are using BIND there is a flag you can supply to named
> > to cause it to operate only in IPv4. That would avoid this problem altogether.
>
> And is basically not needed as the IP stack (with the exception of Solaris) informs named when there isn't a route to the destination and named moves onto the next address to try.

Sure, but by using the flag you skip that step, and the accompanying error message in the logs.

The fact that this issue has risen to the level of "annoyance" rather than just "oddity" as it used to be is actually a good thing. It's a sign that more and more sites are deploying IPv6 for critical infrastructure.

Doug
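A small model of the behaviour Mark and Doug describe, added here as an example and not code from the thread: the recursor walks the routable addresses of the NS set in turn, skips servers it has no route to, and returns SERVFAIL only when every candidate has been tried. The NS names and addresses are constructed (documentation ranges), and the last helper is the check an operator would want for a delegation like the one asked about: how many servers an IPv4-only recursor can still reach.

```python
import ipaddress

# Constructed sample delegation (names and addresses are made up, mirroring the
# nic.in case in the thread): four NS names, one AAAA-only and one with no
# address records at all.
SAMPLE_NS = ["ns1.example.", "ns2.example.", "ns3.example.", "ns4.example."]
SAMPLE_ADDRS = {
    "ns1.example.": ["192.0.2.1"],
    "ns2.example.": ["192.0.2.2", "2001:db8::2"],
    "ns3.example.": ["2001:db8::3"],   # IPv6-only: no route from an IPv4-only recursor
    "ns4.example.": [],                # NS record without matching address records
}


def routable_addresses(ns_names, addrs, have_v4=True, have_v6=True):
    """(name, address) pairs a recursor with the given stacks has a route to."""
    out = []
    for name in ns_names:
        for a in addrs.get(name, []):
            v = ipaddress.ip_address(a).version
            if (v == 4 and have_v4) or (v == 6 and have_v6):
                out.append((name, a))
    return out


def resolve(ns_names, addrs, have_v4=True, have_v6=True, responders=None):
    """Model of the server-selection loop: try each routable address in turn,
    skip servers with no route or no address, and return SERVFAIL only when
    every candidate is exhausted. `responders` is a constructed set of the
    addresses that would actually answer (None means all routable ones do)."""
    candidates = routable_addresses(ns_names, addrs, have_v4, have_v6)
    reachable_names = {name for name, _ in candidates}
    skipped = [n for n in ns_names if n not in reachable_names]
    tried = []
    for name, a in candidates:
        tried.append(a)
        if responders is None or a in responders:
            return {"rcode": "NOERROR", "answered_by": (name, a),
                    "tried": tried, "skipped": skipped}
    return {"rcode": "SERVFAIL", "answered_by": None,
            "tried": tried, "skipped": skipped}


def ipv4_server_count(ns_names, addrs):
    """Operator check: servers an IPv4-only resolver can reach. 0 means every
    IPv4-only client fails; 1 means the delegation has no redundancy for them."""
    return len({n for n, _ in routable_addresses(ns_names, addrs, True, False)})


if __name__ == "__main__":
    print(resolve(SAMPLE_NS, SAMPLE_ADDRS, have_v4=True, have_v6=False))
    print("IPv4-reachable servers:", ipv4_server_count(SAMPLE_NS, SAMPLE_ADDRS))
```

The BIND flag Doug refers to is `named -4` (IPv4 only); it drops the AAAA candidates before the loop runs instead of discovering the missing route, and logging it, on each query.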
Got it! Thank you very much for the help. Have a good weekend ahead.

On Fri, Mar 14, 2014 at 6:59 AM, Doug Barton <dougb@dougbarton.us> wrote:
> On 3/13/2014 5:23 PM, Mark Andrews wrote:
> > > If your customers are using BIND there is a flag you can supply to named
> > > to cause it to operate only in IPv4. That would avoid this problem altogether.
> >
> > And is basically not needed as the IP stack (with the exception of Solaris) informs named when there isn't a route to the destination and named moves onto the next address to try.
>
> Sure, but by using the flag you skip that step, and the accompanying error message in the logs.
>
> The fact that this issue has risen to the level of "annoyance" rather than just "oddity" as it used to be is actually a good thing. It's a sign that more and more sites are deploying IPv6 for critical infrastructure.
>
> Doug

--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com
PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2