Broken DNS client resolvers (Was: Dealing with filtered 6to4 clients)

Jeroen Massar jeroen at unfix.org
Tue Oct 27 17:02:23 CET 2009


Rémi Denis-Courmont wrote:
> On Tue, 27 Oct 2009 15:29:42 +0100, Jeroen Massar <jeroen at unfix.org> wrote:
>>> Whether it's a glibc or a many-applications bug is debatable.
>> *WHICH IS NOT THE ISSUE*
> 
> It is the issue.

I would say, explain then to the Ubuntu folks how to properly resolve
it, I am sure they will love you for it. (And it would save again some
people on blocking IPv6 on their boxes, then again, their box, their
problem)

Yes, I can see that the ADDRCONF flag can be useful for this, as it
avoids querying AAAA records in the first place, but that should not be
done on a per-application level. That is a decision to be made by the
resolver library which should be smart about that, link-local addresses
can't be stuffed in an AAAA address anyway and if you don't have
connectivity then there is not much to be done.

> (...)
>> In other words, 6to4, Teredo etc and you are bust.
>> Also note that those are the defaults on Windows Vista and Seven...
> 
> To my knowledge, _none_ of the common Linux distros enable 6to4 or Teredo
> automatically by default.

If you have IPv6 enabled in the kernel, which is the default, and
somebody runs a "rogue" RA it gets enabled already (then you generally
also get nice broken routes in addition ;)

There are enough people who also magically tend to configure all kinds
of things wrong or install magic tools they don't need, especially when
they hear that "IPv6 will give them access to free warez". uTorrent is
an example of that, which enables Teredo, but there are also other tools
which do so.

> Of course, if they did, then they'd have to
> provide resolver hacks such as those done by Microsoft. _Then_ you can
> think of running the A and AAAA queries in parallel, and timing out the AAAA
> query quickly after the A response.

Which is what current glibc's (2.9 series) already do in most cases, but
these also have some smarter algorithms to determine when and when not
to do IPv6 queries.

An application should not be forced to one or the other though, maybe
the user wants to connect to that server on the link-local network, that
was the whole point of the dentist-problem. As such, for instance
Firefox should be able to do that too. (with for instance mDNS for
resolving in that case, and yep, again something annoying called avahi
is a semi-default, good that there are ways to block packages from ever
installing)

> But it is currently a non-issue on
> _Linux_, which is the system the bug refers to.

If it is such a "non-issue", why are there so many people complaining
about it and then disabling IPv6? While if they specify e.g. the opendns
nameservers in their resolv.conf everything works fine!? :)

Greets,
 Jeroen
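
The strategy mentioned in the quoted text above (A and AAAA queries sent in parallel, with the AAAA query timed out shortly after the A response) can be sketched as follows. This is an added example, not part of the original message and not glibc's or Microsoft's resolver code; the simulated servers, `fake_query`, `resolve_parallel`, `lookup` and the timeout values are assumptions constructed for illustration.

```python
import asyncio
import time

# Constructed stand-ins for a recursive resolver: record type -> (delay_s, answers).
# A delay of None models a broken resolver that silently drops AAAA queries.
BROKEN = {"A": (0.01, ["192.0.2.10"]), "AAAA": (None, [])}
HEALTHY = {"A": (0.01, ["192.0.2.10"]), "AAAA": (0.02, ["2001:db8::10"])}


async def fake_query(server, rtype):
    """Simulated DNS query; never returns if the server drops this type."""
    delay, answers = server[rtype]
    if delay is None:
        await asyncio.sleep(3600)  # no reply; the caller has to give up
    else:
        await asyncio.sleep(delay)
    return answers


async def resolve_parallel(server, aaaa_grace=0.2, overall_timeout=1.0):
    """Send A and AAAA together; once A is settled, wait only aaaa_grace for AAAA."""
    a_task = asyncio.create_task(fake_query(server, "A"))
    aaaa_task = asyncio.create_task(fake_query(server, "AAAA"))
    v4, v6 = [], []
    try:
        v4 = await asyncio.wait_for(a_task, overall_timeout)
    except asyncio.TimeoutError:
        pass  # no A answer either; AAAA still gets its grace period
    try:
        # Returns immediately if AAAA already answered while we waited for A.
        v6 = await asyncio.wait_for(aaaa_task, aaaa_grace)
    except asyncio.TimeoutError:
        pass  # AAAA dropped or too slow: continue with IPv4 only
    return v6 + v4  # IPv6 first when it is available


def lookup(server):
    """Run one resolution and return (addresses, elapsed_seconds)."""
    start = time.monotonic()
    addrs = asyncio.run(resolve_parallel(server))
    return addrs, time.monotonic() - start


if __name__ == "__main__":
    for name, server in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, lookup(server))
```

With the broken server the lookup costs the A round trip plus the grace period instead of a full resolver timeout, and the healthy server still yields both address families.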


More information about the ipv6-ops mailing list