Broken DNS client resolvers (Was: Dealing with filtered 6to4 clients)
Rémi Denis-Courmont
remi at remlab.net
Tue Oct 27 17:37:10 CET 2009
On Tue, 27 Oct 2009 17:02:23 +0100, Jeroen Massar <jeroen at unfix.org> wrote:
> Yes, I can see that the ADDRCONF flag can be useful for this, as it
> avoids querying AAAA records in the first place, but that should not be
> done on a per-application level. That is a decision to be made by the
> resolver library which should be smart about that, link-local addresses
> can't be stuffed in a AAAA address anyway and if you don't have
> connectivity then there is not much to be done.
I guess glibc does standard lawyering. There are cases where an application
wantd to query AAAA regardless of the system configuration. Those cases are
corner cases. glibc follows the standard to the letter and resolves
everything by default.
And so, glibc adds a (non-standard) flag if you want to use getaddrinfo for
policy. In other words, even though this is the most common case, it is not
the default. I am not going to get into a fight with Ulrich Drepper on
this, as it would most likely get us nowhere.
Ubuntu can force AI_ADDRCONFIG into their glibc if they see fit.
> If you have IPv6 enabled in the kernel, which is the default, and
> somebody runs a "rogue" RA it gets enabled already (then you generally
> also get nice broken routes in addition ;)
Well then you are really screwed anyway, just like if someone runs a rogue
DHCPv4 at the moment you boot your computer.
> There are enough people who also magically tend to configure all kinds
> of things wrong or install magic tools they don't need, especially when
> they hear that "IPv6 will give them access to free warez". uTorrent is
> an example of that, which enables Teredo, but there are also other tools
> which do so.
AFAIK, that case is worked around in glibc 2.10:
* DNS IPv4-IPv6 parallel lookup now deals better with broken DNS
servers (the case, e.g., for some people using the built-in DNS
server in ADSL modems/routers). There is a once-per-process timeout
in case of a broken server. To avoid it, users can run nscd or put
'options single-request' in /etc/resolv.conf.
Implemented by Ulrich Drepper.
...which builds on top of an earlier glibc 2.9 enhancement:
* Unified lookup for getaddrinfo: IPv4 and IPv6 addresses are now looked
up at the same time. Implemented by Ulrich Drepper.
>> Of course, if they did, then they'd have to
>> provide resolver hacks such as those done by Microsoft. _Then_ you can
>> think of running the A and AAA queries in parallel, and timing out the
>> AAAA query quickly after the A response.
>
> Which is what current glibc's (2.9 series) already do in most cases, but
> these also have some smarter algorithms to determine when and when not
> to do IPv6 queries.
2.9 is not current - anymore.
Anyway, I fail to see what else can be done. There is no way to determine
that AAAA are broken without trying. Worse, this hack might cause false
positives.
>> But it is currently a non-issue on
>> _Linux_, which is the system the bug refers to.
>
> If it is such a "non-issue", why are there so many people complaining
> about it and then disabling IPv6? While if they specify eg the opendns
> nameservers in their resolv.conf everything works fine!? :)
Automatically brought up 6to4 and Teredo are non-issues because there are
NO SUCH THINGS on Linux. The point is, if glibc stops querying AAAA
pointlessly, then the issue is solved. There is no need to hacks for
automatic tunneling on a platform that does not have automatic tunneling.
--
Rémi Denis-Courmont
More information about the ipv6-ops
mailing list