
IPV6 forwarders problem


Baccari, Lou

Jun 30, 2004, 12:29:54 PM

I'm trying to set up a linux bind server running ipv6 and ipv4 service. It
appears that whenever I disable 'listen-on-v6 { any; };', my forwarders
options work just fine and I'm able to resolve for domains other than my
own. Once 'listen-on-v6 { any; };' is re-enabled I can no longer
resolve for other domains.

I even tried to force query onto the ipv4 address but that didn't help.
Any ideas???

OS: Mandrake V10
Bind: Bind-9.2.3-4mdk


==== named.conf ================
// generated by named-bootconf.pl

options {
directory "/var/named";
tcp-clients 1000;
recursive-clients 10000;
allow-recursion {10/8;};
query-source address 10.10.7.249 port 53;
allow-transfer { ::ffff:10.10.0.3; 10.10.0.3;
::ffff:10.10.0.1; 10.10.0.1;
::ffff:10.10.1.23; 10.10.1.23; };
forwarders { ::ffff:10.10.0.1; ::ffff:10.10.0.3; };
// forwarders { 10.10.0.1; 10.10.0.3; };
listen-on-v6 { any; };
match-mapped-addresses yes;
forward first;
pid-file "/var/run/named/named.pid";
};

JINMEI Tatuya / 神明達哉

Jun 30, 2004, 11:02:13 PM
>>>>> On Wed, 30 Jun 2004 12:29:54 -0400,
>>>>> "Baccari, Lou" <lou.b...@hp.com> said:

> I'm trying to set up a linux bind server running ipv6 and ipv4 service. It
> appears that whenever I disable 'listen-on-v6 { any; };', my forwarders
> options work just fine and I'm able to resolve for domains other than my
> own. Once 'listen-on-v6 { any; };' is re-enabled I can no longer
> resolve for other domains.

> I even tried to force query onto the ipv4 address but that didn't help.
> Any ideas???

First of all, named never expects to have IPv4-mapped IPv6 addresses
(like ::ffff:10.10.0.1) appear in named.conf. Even though it happens
to work as the operator expects, that's not an intended behavior.

So, please rewrite the following

> options {
> directory "/var/named";
> tcp-clients 1000;
> recursive-clients 10000;
> allow-recursion {10/8;};
> query-source address 10.10.7.249 port 53;
> allow-transfer { ::ffff:10.10.0.3; 10.10.0.3;
> ::ffff:10.10.0.1; 10.10.0.1;
> ::ffff:10.10.1.23; 10.10.1.23; };
> forwarders { ::ffff:10.10.0.1; ::ffff:10.10.0.3; };
> // forwarders { 10.10.0.1; 10.10.0.3; };
> listen-on-v6 { any; };
> match-mapped-addresses yes;
> forward first;
> pid-file "/var/run/named/named.pid";
> };

to

options {
directory "/var/named";
tcp-clients 1000;
recursive-clients 10000;
allow-recursion {10/8;};
query-source address 10.10.7.249 port 53;

allow-transfer { 10.10.0.3;
10.10.0.1;
10.10.1.23; };


forwarders { 10.10.0.1; 10.10.0.3; };
listen-on-v6 { any; };
match-mapped-addresses yes;
forward first;
pid-file "/var/run/named/named.pid";
};

then try it again. (I guess you've already tried that without
success, but it's not clear from the original report.)

Also, the stderr output when you invoke named with the -g command line
option might help.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jin...@isl.rdc.toshiba.co.jp

JINMEI Tatuya / 神明達哉

Jul 1, 2004, 8:20:25 AM
>>>>> On Thu, 1 Jul 2004 07:46:40 -0400,
>>>>> "Baccari, Lou" <lou.b...@hp.com> said:

> Thanks for your suggestion and I have tried your recommendation as well
> as a combination of different ipv4 addresses with no luck.

> I've also tried pointing the forwarders to a true ipv6 dns server and
> my server still does not resolve. I'm only able to resolve if I disable
> 'listen-on-v6'.

> Any other suggestions?

As I said in the previous message, please try to run named with the -g
option. Then it will provide some initial log messages to stderr like
this:

% ./named -c named.conf -g
Jul 01 21:19:17.344 starting BIND 9.2.4rc4 -c named.conf -g
Jul 01 21:19:17.349 using 1 CPU
Jul 01 21:19:17.356 loading configuration from '/home/jinmei/src/bind-9.2.4rc4/bin/named/named.conf'
Jul 01 21:19:17.362 listening on IPv6 interfaces, port 9053
Jul 01 21:19:17.367 listening on IPv4 interface fxp0, 203.178.141.201#9053
Jul 01 21:19:17.371 listening on IPv4 interface lo0, 127.0.0.1#9053
...

It *may* have useful information to diagnose the issue.

Baccari, Lou

Jul 1, 2004, 8:50:14 AM

I've noticed the following symptoms. If I issue a dig, dig www.aol.com
@bluehawk, command from an ipv4 client to the ipv6/ipv4 server I'm able
to resolve addresses. Now when I dig from an ipv6 client to the ipv6/ipv4
server I'm not able to resolve.

I checked the -g option and I could not see anything useful. Here goes:

Jul 01 08:40:38.084 loading configuration from '/etc/named.conf'
Jul 01 08:40:38.086 listening on IPv6 interfaces, port 53
Jul 01 08:40:38.087 listening on IPv4 interface lo, 127.0.0.1#53
Jul 01 08:40:38.087 binding TCP socket: address in use
Jul 01 08:40:38.088 listening on IPv4 interface eth0, 10.10.7.249#53
Jul 01 08:40:38.088 binding TCP socket: address in use
Jul 01 08:40:38.093 command channel listening on 127.0.0.1#953
Jul 01 08:40:38.093 ignoring config file logging statement due to -g option
Jul 01 08:40:38.097 dns_master_load: crl-subnet/ipv6.crl.comp.com.arpa:10: ipv6.crl.comp.com: not at top of zone
Jul 01 08:40:38.098 zone ipv6.crl.comp.com.arpa/IN: loading master file crl-subnet/ipv6.crl.comp.com.arpa: not at top of zone
Jul 01 08:40:38.099 dns_master_load: crl-subnet/ipv6.crl.comp.com.arpa:10: ipv6.crl.comp.com: not at top of zone
Jul 01 08:40:38.099 zone ipv6.crl.hol.comp.com.arpa/IN: loading master file crl-subnet/ipv6.crl.comp.com.arpa: not at top of zone
Jul 01 08:40:38.101 zone 0.0.127.in-addr.arpa/IN: loaded serial 2004063001
Jul 01 08:40:38.103 zone ipv6.crl.comp.com/IN: loaded serial 2004063009
Jul 01 08:40:38.105 zone ipv6.crl.hol.comp.com/IN: loaded serial 2004063009
Jul 01 08:40:38.106 zone localhost/IN: loaded serial 2004063000
Jul 01 08:40:38.107 running
Jul 01 08:40:38.107 zone ipv6.crl.comp.com/IN: sending notifies (serial 2004063009)
Jul 01 08:40:38.108 zone ipv6.crl.hol.comp.com/IN: sending notifies (serial 2004063009)
Jul 01 08:40:38.109 received notify for zone 'ipv6.crl.comp.com'
Jul 01 08:40:38.611 received notify for zone 'ipv6.crl.comp.com'
Jul 01 08:40:38.611 received notify for zone 'ipv6.crl.hol.comp.com'
Jul 01 08:40:38.612 received notify for zone 'ipv6.crl.hol.comp.com'



Baccari, Lou

Jul 1, 2004, 10:09:45 AM

I was able to fix the problems by changing the following option:

allow-recursion {10/8;};

to

allow-recursion {any;};

Now I can resolve addresses from both ipv4 and ipv6 clients.

Thanks,

Lou

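allow-recursion is matched against the client's source address, so a native IPv6 client never matches `10/8`, while `any` grants recursion to every host that can reach the server. The Python sketch below is an added example, not part of the thread: a simplified model of that matching that compares the original ACL, the `any` change, and a narrower list. The prefix 2001:db8:10::/48 is a documentation placeholder for the site's real IPv6 range, the client addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

def to_network(entry):
    """Parse a match-list entry; BIND accepts short forms such as "10/8"."""
    addr, _, plen = entry.partition("/")
    if ":" not in addr:
        addr = ".".join((addr.split(".") + ["0"] * 3)[:4])
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)

def recursion_allowed(client, acl, match_mapped=True):
    """Simplified model: first matching entry grants recursion."""
    ip = ipaddress.ip_address(client)
    # match-mapped-addresses yes: ::ffff:a.b.c.d is compared as a.b.c.d
    if match_mapped and ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    for entry in acl:
        if entry == "any":
            return True
        net = to_network(entry)
        if net.version == ip.version and ip in net:
            return True
    return False

def audit(acl, clients, match_mapped=True):
    """Report who gets recursion and whether the ACL makes an open resolver."""
    return {
        "open_resolver": "any" in acl,
        "allowed": {c: recursion_allowed(c, acl, match_mapped) for c in clients},
    }

# Constructed clients: inside v4, same host seen via a dual-stack socket,
# inside native v6 (placeholder prefix), and an outside host.
CLIENTS = ["10.10.7.20", "::ffff:10.10.7.20", "2001:db8:10::20", "198.51.100.7"]
ORIGINAL = ["10/8"]                       # ACL from the posted named.conf
POSTED_FIX = ["any"]                      # the change reported above
NARROW = ["10/8", "2001:db8:10::/48"]     # assumed site prefix (placeholder)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("any", POSTED_FIX), ("narrow", NARROW)):
        print(name, audit(acl, CLIENTS))
```

With the narrow list the inside IPv6 client is served and the outside host is still refused, which `any` does not achieve.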

Baccari, Lou

Jul 1, 2004, 7:46:40 AM

Thanks for your suggestion and I have tried your recommendation as well
as a combination of different ipv4 addresses with no luck.

I've also tried pointing the forwarders to a true ipv6 dns server and
my server still does not resolve. I'm only able to resolve if I disable
'listen-on-v6'.

Any other suggestions?

Lou.


Mark Andrews

Jul 1, 2004, 6:02:18 PM

>
> Thanks for your suggestion and I have tried your recommendation as well
> as a combination of different ipv4 addresses with no luck.
>
> I've also tried pointing the forwarders to a true ipv6 dns server and
> my server still does not resolve. I'm only able to resolve if I disable
> 'listen-on-v6'.
>
> Any other suggestions?

You have two choices. Change the config or update your
kernel and recompile.

Change "query-source address 10.10.7.249 port 53;" to
"query-source address 10.10.7.249 port <some unused port>;"
or "query-source address 10.10.7.249" and adjust your
firewall to match. The latter can be used on stateful
firewalls.

"port 53" is used to get answers through the same hole in
the firewall that queries come through.

The problem is that you are running an old broken kernel
which does not deliver packets to the correct sockets.
Update your kernel to one that supports IPV6_V6ONLY then
recompile named to take advantage of it.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
