On Wed, Jun 30, 2021 at 04:20:28PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > On Wed, Jun 30, 2021 at 12:53:24PM -0400, Tom Lane wrote:
> >> ... I'll try the hack mentioned in the serverfault thread.
>
> > I will also add the bind options mentioned to disable
> > dnssec and aaaa records.
>
> I found better practice described at
> https://kb.isc.org/docs/aa-00576
> to wit you can set "filter-aaaa-on-v4" to "break-dnssec" to just
> adjust what is returned to clients, rather than disabling DNSSEC
> globally. Also, if you use views to configure your bind setup,
> it works to make that an option in the view that serves your
> local clients (the ones you don't want to see IPv6 addys).

Oh, I am now trying just the "filter-aaaa-on-v4 break-dnssec" option.
Not sure why this is so complicated --- there must be many people
without IPv6 who use bind.

> I have that installed locally now, but it'll take awhile to
> determine whether it improves matters.

OK, I will keep an eye on my bind debug logs to see if I see failures.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
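
A named.conf fragment showing the per-view arrangement described in the quoted text, added here as an example and not taken from either poster's configuration. The ACL name, view names and address range are placeholders, and it assumes a BIND build that accepts filter-aaaa-on-v4 as a view option, as in the linked ISC article.

```conf
// Constructed example: names and addresses below are placeholders.
acl "v4only-lan" {
    192.0.2.0/24;               // documentation range standing in for the local network
};

options {
    recursion yes;
    // DNSSEC validation stays enabled for the server as a whole.
    // The alternative discussed in the thread is turning it off here
    // (for example "dnssec-validation no;"), which affects every client.
    dnssec-validation auto;
};

// View for the local clients that should not see IPv6 addresses.
view "local" {
    match-clients { "v4only-lan"; localhost; };

    // Remove AAAA records from answers to queries that arrive over IPv4,
    // including answers from signed zones. A client in this view that does
    // its own DNSSEC validation will see those answers fail to verify,
    // because DNSSEC is designed to detect removed records.
    filter-aaaa-on-v4 break-dnssec;
};

// Everyone else gets unfiltered answers.
view "other" {
    match-clients { any; };
};
```

The file can be syntax-checked with named-checkconf before reloading; once views are in use, every zone statement has to live inside one of them.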