Hi,

> I already start the daemon with the -4 option. It should never use IPv6.

Indeed. `query-source-v6 none;` would avoid IPv6 upstream queries while still listening on IPv6. I guess you could use it so you wouldn't need to override the entry point. (Also, the ACL `FE80::` suggested you would expect the resolver to listen to IPv6 locally.)

Back to the problem, you can give `dual-stack-servers` a try:

https://bind9.readthedocs.io/en/v9.20.18/reference.html#namedconf-statement-dual-stack-servers

AFAIK iff the resolver can't find any IPv4 server to contact, it will forward the query to an alternative server supporting both IPv4 and IPv6.

> So my working theory is, for some reason, bind saves the shorter TTL for the
> A-Record, and the longer for the AAAA. Once the A-Record expires, it tries to
> resolve the domain via the AAAA-NS, but it can't, as it does not have an IPv6
> IP. And so it simply fails.

BIND9 is (currently) child-centric and (currently) stores in the same cache the RRsets from delegations and authoritative responses, so it is possible it resolved/got an authoritative response for `ns2.haufegroup.com.` at some point after having cached the delegation and then overrode it with the authoritative response. That would explain the RNDC dumps you got. (Logs would help.)

Independently of the current BIND9 implementation, the delegation should have the same TTL as the authoritative zone.

--
Colin Vidal -- [email protected]
Internet Systems Consortium
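The TTL consistency point at the end of the message above can be checked offline. The following is an added example, not part of the message and not BIND code: it compares RRset TTLs between a parent-side delegation and the child zone's authoritative data, and lists name servers whose A record expires before their AAAA record. The zone `example.com`, the addresses, the TTL values and the function names are constructed for illustration; the input is assumed to be dig-style `name ttl class type rdata` lines.

```python
# Added example: all records below are constructed samples, not real zone data.
PARENT = """\
example.com.      172800 IN NS   ns1.example.com.
example.com.      172800 IN NS   ns2.example.com.
ns1.example.com.  172800 IN A    192.0.2.1
ns2.example.com.  172800 IN A    192.0.2.2
ns2.example.com.  172800 IN AAAA 2001:db8::2
"""

CHILD = """\
example.com.      3600   IN NS   ns1.example.com.
example.com.      3600   IN NS   ns2.example.com.
ns1.example.com.  172800 IN A    192.0.2.1
ns2.example.com.  300    IN A    192.0.2.2
ns2.example.com.  172800 IN AAAA 2001:db8::2
"""

def rrset_ttls(text):
    """Map (owner, type) -> TTL for 'name ttl class type rdata' lines."""
    ttls = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop dig-style comments
        if not line:
            continue
        name, ttl, _cls, rtype = line.split()[:4]
        key = (name.lower(), rtype.upper())
        # RFC 2181 section 5.2: one TTL per RRset; keep the lowest seen.
        ttls[key] = min(int(ttl), ttls.get(key, int(ttl)))
    return ttls

def ttl_mismatches(parent_text, child_text):
    """RRsets present on both sides whose TTL differs: (name, type, parent, child)."""
    parent, child = rrset_ttls(parent_text), rrset_ttls(child_text)
    return sorted((n, t, parent[(n, t)], child[(n, t)])
                  for (n, t) in parent.keys() & child.keys()
                  if parent[(n, t)] != child[(n, t)])

def a_expires_before_aaaa(text):
    """Owners whose A RRset has a shorter TTL than their AAAA RRset."""
    ttls = rrset_ttls(text)
    return sorted(n for (n, t) in ttls
                  if t == "A" and ttls.get((n, "AAAA"), 0) > ttls[(n, "A")])

if __name__ == "__main__":
    for name, rtype, p, c in ttl_mismatches(PARENT, CHILD):
        print(f"{name} {rtype}: delegation TTL {p}, authoritative TTL {c}")
    print("A expires before AAAA:", a_expires_before_aaaa(CHILD))
```

On an IPv4-only resolver, any name reported by `a_expires_before_aaaa` is one that can end up cached with only an address it cannot reach.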

