[nycbug-talk] [Miles Nordin] IPv6 problems with your DNS servers

Miles Nordin carton at Ivy.NET
Wed Dec 3 10:09:45 EST 2008


>>>>> "sk" == Sujit Karataparambil <sjt.kar at gmail.com> writes:

    sk> This is an extract of how the IPV6 Routing is being Carried
    sk> Out.  http://www.isi.edu/~bmanning/v6DNS.html

1. DNS != routing

2. Those instructions are out-of-date and wrong.  For one thing,
   ip6.int is not used any more.  It's ip6.arpa.  There may be other
   problems.

   Instead, use the regular BIND documentation, which is the BIND
   Administrator's Reference Manual which is a bunch of .html files
   installed along with BIND.  On my system it's in
   /usr/share/doc/html/bind/Bv9ARM.html.

3. try 'dig web.ivy.net aaaa'.  I have IPv6 DNS working just fine to
   serve my zones, including asking and answering queries over v6.  

08:37:03.450455 IP6 2610:1f8:dc:c0::1.65139 > 2001:4200:1010::1.53:  60817 [1au] A? ru.ac.za. (37)
08:37:03.567448 IP6 2610:1f8:dc:c0::1.65139 > 2001:7b8:3:1f:0:2:53:2.53:  48637 [1au][|domain]
08:37:03.678671 IP6 2001:7b8:3:1f:0:2:53:2.53 > 2610:1f8:dc:c0::1.65139:  48637 NXDomain*-[|domain]
08:37:03.778992 IP6 2001:4200:1010::1.53 > 2610:1f8:dc:c0::1.65139:  60817*- 1/5/11 (389)

   This is done already, works, and is not the problem.

    sk> Looks like it is a problem with the IPV6 and IPV4 being
    sk> simultaneously Being used.

Why is this a problem?  How else would IPv6 be used?

    sk> This will require a quad-A DNS Lookup. Supported only on few
    sk> softwares.

yeah, a few softwares like BIND, BSD, Linux, Mac OS X, and Windows,
all for ~1 decade, and except Windows all by default.

Anyway the problem is described in my email:

$ dig www.facebook.com aaaa          <-- hangs for 15 seconds

$ dig anythingelse.com aaaa          <-- returns quickly, even for sites 
                                         running crappy djbware without 
                                         IPv6 support

If I use tcpdump I can see that facebook's crappy load balancers are
simply dropping the AAAA queries with no response, which is why lookup
hangs.  And the idiots have set a 30sec ttl, so it hangs every 30
seconds.

08:14:05.109594 IP 10.100.100.129.65140 > 69.63.176.101.53:  60836 AAAA? www.facebook.com. (34)
08:14:07.111153 IP 10.100.100.129.65140 > 69.63.191.219.53:  15140 AAAA? www.facebook.com. (34)
08:14:11.118032 IP 10.100.100.129.65140 > 69.63.176.101.53:  40338 [1au] AAAA? www.facebook.com. (45)
08:14:13.119844 IP 10.100.100.129.65140 > 69.63.191.219.53:  20169 [1au] AAAA? www.facebook.com. (45)
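
The diagnosis in the message (AAAA queries go out, nothing comes back) can be checked mechanically by pairing each query in a tcpdump capture with its reply. The following is an added example, not part of the original e-mail: the two captures are the lines quoted in the message, while the function name `unanswered` and the pairing rule (client address, client port, server address, DNS id) are assumptions of this sketch.

```python
import re

# tcpdump lines copied from the message above (not constructed).
ANSWERED = """\
08:37:03.450455 IP6 2610:1f8:dc:c0::1.65139 > 2001:4200:1010::1.53:  60817 [1au] A? ru.ac.za. (37)
08:37:03.567448 IP6 2610:1f8:dc:c0::1.65139 > 2001:7b8:3:1f:0:2:53:2.53:  48637 [1au][|domain]
08:37:03.678671 IP6 2001:7b8:3:1f:0:2:53:2.53 > 2610:1f8:dc:c0::1.65139:  48637 NXDomain*-[|domain]
08:37:03.778992 IP6 2001:4200:1010::1.53 > 2610:1f8:dc:c0::1.65139:  60817*- 1/5/11 (389)
"""
DROPPED = """\
08:14:05.109594 IP 10.100.100.129.65140 > 69.63.176.101.53:  60836 AAAA? www.facebook.com. (34)
08:14:07.111153 IP 10.100.100.129.65140 > 69.63.191.219.53:  15140 AAAA? www.facebook.com. (34)
08:14:11.118032 IP 10.100.100.129.65140 > 69.63.176.101.53:  40338 [1au] AAAA? www.facebook.com. (45)
08:14:13.119844 IP 10.100.100.129.65140 > 69.63.191.219.53:  20169 [1au] AAAA? www.facebook.com. (45)
"""

# time, "IP"/"IP6", src.port > dst.port:, DNS id, remainder of the line
LINE = re.compile(r"^(\S+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+):\s+(\d+)(.*)$")
QUESTION = re.compile(r"(\w+)\? (\S+)")  # e.g. "AAAA? www.facebook.com."


def unanswered(capture):
    """Return (time, server, query id, question) for each DNS query with no reply."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, qid, rest = m.groups()
        if dport == "53":  # client -> server: a query
            q = QUESTION.search(rest)
            # question is None when tcpdump truncated the packet ("[|domain]")
            question = " ".join(q.groups()) if q else None
            pending[(src, sport, dst, qid)] = (ts, dst, int(qid), question)
        elif sport == "53":  # server -> client: clear the matching query
            pending.pop((dst, dport, src, qid), None)
    return list(pending.values())


if __name__ == "__main__":
    for name, cap in (("answered capture", ANSWERED), ("dropped capture", DROPPED)):
        print(name, unanswered(cap))
```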