C-root IPv6 patch

Hi unbound developers and users,

c.root-servers.net has an IPv6 address now. I've attached a patch for
unbound. It should apply to version 1.4.22 and trunk with "patch -p1".

Regards,

Anand

(attachments)

unbound-croot-ipv6.patch (646 Bytes)

Hi Anand,

There are still peering issues with that particular operator over IPv6. At least from where I try:

stephan@pi:~$ dig -6 @a.root-servers.net . SOA +short
a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400

stephan@pi:~$ dig -6 @c.root-servers.net . SOA +short
; <<>> DiG 9.9.2-rpz+rl.094.21-P2 <<>> -6 @c.root-servers.net . SOA +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

stephan@pi:~$ dig -4 @c.root-servers.net . SOA +short
a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400

So before you apply the patch or change your roots-hints file, please check that you have v6 connectivity.

It is unfortunate that the v6 address of c-root is not reachable everywhere on the internet. Maybe you or somebody else can check connectivity via the atlas probes?

/Stephan
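The check Stephan runs above, extended to every root letter listed as IPv6-enabled later in this thread, as an added example that is not part of the original messages. The function names, the script name `rootcheck.sh`, the 2-second timeout and the diagnosis labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, timeout values and
# diagnosis labels are assumptions of this example.

# Root letters listed as IPv6-enabled in the Atlas table in this thread.
V6_ROOTS="a c d f h i j k l m"

# classify_soa: read `dig ... . SOA +short` output on stdin and print
# "ok <serial>", "timeout" or "unknown".
classify_soa() {
    awk '
        /connection timed out/ { print "timeout"; seen = 1; exit }
        # +short SOA rdata: mname rname serial refresh retry expire minimum
        !/^;/ && NF == 7 && $3 ~ /^[0-9]+$/ { print "ok " $3; seen = 1; exit }
        END { if (!seen) print "unknown" }
    '
}

# diagnose: compare the IPv6 and IPv4 results for one server.
# A v6 timeout with a working v4 answer points at the v6 path, not the server.
diagnose() {  # $1 = v6 result, $2 = v4 result
    case "$1/$2" in
        ok*/*)           echo "reachable" ;;
        timeout/ok*)     echo "v6-path-problem" ;;
        timeout/timeout) echo "server-or-local-problem" ;;
        *)               echo "inconclusive" ;;
    esac
}

probe_root() {  # $1 = root letter, $2 = -4 or -6
    dig "$2" +time=2 +tries=1 "@$1.root-servers.net" . SOA +short 2>&1 |
        classify_soa
}

report() {
    for l in $V6_ROOTS; do
        v6=$(probe_root "$l" -6); v4=$(probe_root "$l" -4)
        printf '%s-root: %s (v6: %s, v4: %s)\n' \
            "$l" "$(diagnose "$v6" "$v4")" "$v6" "$v4"
    done
}

# Needs network access and dig; run as: sh rootcheck.sh run
if [ "${1:-}" = "run" ]; then report; fi
```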

Hi Stephan,

There are still peering issues with that particular operator over
IPv6. At least from where I try:

stephan@pi:~$ dig -6 @a.root-servers.net . SOA +short
a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400

stephan@pi:~$ dig -6 @c.root-servers.net . SOA +short
; <<>> DiG 9.9.2-rpz+rl.094.21-P2 <<>> -6 @c.root-servers.net . SOA +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

stephan@pi:~$ dig -4 @c.root-servers.net . SOA +short
a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400

So before you apply the patch or change your roots-hints file,
please check that you have v6 connectivity.

Well, not applying the patch won't prevent your cache from trying
C-root's IPv6 address, because a priming query will give you the IPv6
address. The patch just makes unbound's internal hints consistent with
the published root hints and the priming query.

It is unfortunate that the v6 address of c-root is not reachable
everywhere on the internet. Maybe you or somebody else can check
connectivity via the atlas probes?

We'll add C-root's IPv6 address to DNSMON soon, and that should reveal
routing problems. However, I will also notify my contacts at Cogent
(C-root operator) about this issue. Thanks for alerting us to it.

Regards,

Anand

Hi Johan,

>> So before you apply the patch or change your roots-hints file,
>> please check that you have v6 connectivity.
>
> Well, not applying the patch won't prevent your cache from trying
> C-root's IPv6 address, because a priming query will give you the IPv6
> address. The patch just makes unbound's internal hints consistent
> with the published root hints and the priming query.
>
>> It is unfortunate that the v6 address of c-root is not reachable
>> everywhere on the internet. Maybe you or somebody else can check
>> connectivity via the atlas probes?

Most v6 addresses are not reachable everywhere on the Internet. Most
ISPs are still not providing v6 connectivity over DSL, just to give one
example.

Well if you don't have a v6 interface, then unbound or any other application will not try to connect over IPv6. I have v6 connectivity but no connectivity to c-root so somebody is wasting 500 ms of my time every now and then when unbound tries to connect to c-root. A mini version of the happy-eyeball http issue if you wish...

Hi Stephan,

> There are still peering issues with that particular operator over
> IPv6. At least from where I try:
>
> stephan@pi:~$ dig -6 @a.root-servers.net . SOA +short
> a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
>
> stephan@pi:~$ dig -6 @c.root-servers.net . SOA +short
> ; <<>> DiG 9.9.2-rpz+rl.094.21-P2 <<>> -6 @c.root-servers.net . SOA +short
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> stephan@pi:~$ dig -4 @c.root-servers.net . SOA +short
> a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
>
> So before you apply the patch or change your roots-hints file,
> please check that you have v6 connectivity.

Well, not applying the patch won't prevent your cache from trying
C-root's IPv6 address, because a priming query will give you the IPv6
address. The patch just makes unbound's internal hints consistent with
the published root hints and the priming query.

> It is unfortunate that the v6 address of c-root is not reachable
> everywhere on the internet. Maybe you or somebody else can check
> connectivity via the atlas probes?

We'll add C-root's IPv6 address to DNSMON soon, and that should reveal
routing problems. However, I will also notify my contacts at Cogent
(C-root operator) about this issue. Thanks for alerting us to it.

First things first, Cogent has a public looking glass:

http://www.cogentco.com/en/network/looking-glass

In all honesty, my first thought would be to doubt that they'll fix the issue.

Because certain peering issues Cogent has seem to be business decisions, but I'm probably cynical. :-)

Then again, the C-root IPv6 address is announced as a /48: 2001:500:2::/48

And /48 filtering isn't uncommon either.

Anyway both issues still remain on the IPv6 Internet to this day.

Hi Anand,

Hi Stephan,

> There are still peering issues with that particular operator over
> IPv6. At least from where I try:
>
> stephan@pi:~$ dig -6 @a.root-servers.net . SOA +short
> a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
>
> stephan@pi:~$ dig -6 @c.root-servers.net . SOA +short
> ; <<>> DiG 9.9.2-rpz+rl.094.21-P2 <<>> -6 @c.root-servers.net . SOA +short
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> stephan@pi:~$ dig -4 @c.root-servers.net . SOA +short
> a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
>
> So before you apply the patch or change your roots-hints file,
> please check that you have v6 connectivity.

Well, not applying the patch won't prevent your cache from trying
C-root's IPv6 address, because a priming query will give you the IPv6
address. The patch just makes unbound's internal hints consistent with
the published root hints and the priming query.

Good point, I guess the right thing to do is to add
do-not-query-address: 2001:500:2::c
to unbound's configuration file until the issues are resolved.

> It is unfortunate that the v6 address of c-root is not reachable
> everywhere on the internet. Maybe you or somebody else can check
> connectivity via the atlas probes?

We'll add C-root's IPv6 address to DNSMON soon, and that should reveal
routing problems.

Let me know your findings. I'm very interested in knowing that critical
infrastructure such as root servers are globally reachable.

However, I will also notify my contacts at Cogent (C-root operator)
about this issue. Thanks for alerting us to it.

Bake them another cake,
http://tech.slashdot.org/story/09/10/23/1715235/peering-disputes-migrate-to-ipv6

/S

I very much doubt that. There are thirteen A and now ten AAAA RRs
for root name servers. 2001:500:2::c works well for quite a couple of
people and in those cases where it doesn't, unbound will "route around".
No manual intervention needed.

-Peter

Hi Peter,

> Good point, I guess the right thing to do is to add
> do-not-query-address: 2001:500:2::c
> to unbound's configuration file until the issues are resolved.

I very much doubt that. There are thirteen A and now ten AAAA RRs
for root name servers. 2001:500:2::c works well for quite a couple of
people and in those cases where it doesn't, unbound will "route around".
No manual intervention needed.

Not needed I agree. But there will be queries every now and then that
time out, wasting my and a lot of other people's time.
Root-zone operators have a certain obligation to provide good
connectivity to their servers. We can't have another lower standard on
IPv6, then what is the point of migrating to IPv6?

To use an address for a root-server that is not accessible for Hurricane
Electric users is not acceptable. It is not production ready, this
record should not have been published in the root zone.

/S

I just queried all IPv6-enabled root name servers from 51 RIPE Atlas
anchors (it will take a few days to update DNSMON). The numbers below
show how many probes successfully got responses:

A 51
C 48
D 51
F 51
H 51
I 49
J 51
K 51
L 47
M 50

As you can see, it's not just C-root that's not widely reachable. Some
other root name servers also show some reachability issues. Have you
tested all the other root name servers from your location? If they are
unreachable, will you also blacklist them?

However, this discussion is diverging from unbound to general root name
server reachability, so bringing this back to unbound, I still think its
hints should be kept up to date. And I know that unbound will remember
unreachable name servers, and make fewer queries towards them. I don't
think the occasional timeout is worth worrying about.

Regards,

Anand Buddhdev

>> Well, not applying the patch won't prevent your cache from trying
>> C-root's IPv6 address, because a priming query will give you the IPv6
>> address. The patch just makes unbound's internal hints consistent with
>> the published root hints and the priming query.
>
> Good point, I guess the right thing to do is to add
> do-not-query-address: 2001:500:2::c
> to unbound's configuration file until the issues are resolved.

I just queried all IPv6-enabled root name servers from 51 RIPE Atlas
anchors (it will take a few days to update DNSMON). The numbers below
show how many probes successfully got responses:

A 51
C 48
D 51
F 51
H 51
I 49
J 51
K 51
L 47
M 50

As you can see, it's not just C-root that's not widely reachable. Some
other root name servers also show some reachability issues. Have you
tested all the other root name servers from your location? If they are
unreachable, will you also blacklist them?

Those numbers look really low to me.

Did you query that from only IPv6-enabled RIPE Atlas anchors?

Or is there a large number in that pool that don't have any IPv6 connectivity?

Hi Leen,

Those numbers look really low to me.

Low compared to what?

Did you query that from only IPv6-enabled RIPE Atlas anchors?

Or is there a large number in that pool that don't have any IPv6 connectivity?

All RIPE Atlas anchors have IPv6 connectivity. In fact, it is a
requirement for hosting an anchor. Note that these anchors are distinct
from Atlas PROBES, which are the small devices hosted by people in their
homes. These may not have IPv6.

Please don't extend Atlas anchor discussion here, because this is the
unbound list, and we have digressed a lot already.

Regards,

Anand

    > I just queried all IPv6-enabled root name servers from 51 RIPE Atlas
    > anchors (it will take a few days to update DNSMON). The numbers below
    > show how many probes successfully got responses:
    >
    > A 51
    > C 48
    > D 51
    > F 51
    > H 51
    > I 49
    > J 51
    > K 51
    > L 47
    > M 50
    >
    > As you can see, it's not just C-root that's not widely reachable. Some
    > other root name servers also show some reachability issues. Have you
    > tested all the other root name servers from your location? If they are
    > unreachable, will you also blacklist them?
    >
    
    Those numbers look really low to me.
    
    Did you query that from only IPv6-enabled RIPE Atlas anchors?

    Or is there a large number in that pool that don't have any
    IPv6 connectivity?

Read again:

    > I just queried all IPv6-enabled root name servers from 51 RIPE Atlas
    > anchors ...

So only the 51 anchors were used, not the flock of probes.

  jaap