On Wed, Jun 30, 2021 at 11:04:23PM +0200, Magnus Hagander wrote:
> On Wed, Jun 30, 2021 at 9:20 PM Bruce Momjian <bruce@momjian.us> wrote:
> > Oh, I used the -4 option and my failures stopped. Glad this thread was
> > helpful for you too. I never expected IPv6 to lead to failures, just
> > possible delays, but I have now learned, at least with DNS, it can cause
>
> It shouldn't.
>
> I regularly work from networks with no native ipv6 and these things
> work perfectly fine.

Yes, I am confused, but as you can see from the logs I posted, bind is
occasionally failing.

> Do you have an actual public ipv6 address on your system, and it just
> doesn't work? Like maybe a tunnel you set up at some point that
> doesn't work? If not it seems very strange that it should even try to
> get out over ipv6.

I have no IPv6 IP address and never use tunnels. I just did a grep for
"ipv6" in /etc and found only default commented-out lines in
sysctl.conf. Where else would I look?

> > failures too. I will also add the bind options mentioned to disable
> > dnssec and aaaa records.
>
> You should *not* disable dnssec. It's an important security feature.
> Filtering them in the DNS response sounds more like trying to apply a
> crude workaround.

So just using "filter-aaaa-on-v4 break-dnssec" and not using
"dnssec-enable no" is what you recommend?

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.