On Thu, Mar 06, 2014 at 10:28:22AM +0100, Hannes Frederic Sowa wrote:
> On Thu, Mar 06, 2014 at 11:00:28AM +0200, Yannis Nikolopoulos wrote:
> > we've encountered a weird problem on our dual-stack (anycast) resolvers
> > and I'm wondering if anyone else has experienced anything similar.
> > Basically, we're getting many SERVFAIL responses for domains not in
> > cache. The weird part: if the domain does not exist in the cache, a
> > SERVFAIL response is produced (not all of the times) without the
> > resolver querying the auth NS (no outgoing communication is attempted).
>
> If you really think this might be a kernel issue, please record the number of
> failed syscalls during the time this problem exists: perf script
> failed-syscalls-by-pid -p or strace -c.
>
> Further please record network packets drop in the stack via perf script
> net_dropmonitor.
>
> This might give a hint.

Regarding anycast addresses you can check cat /proc/net/anycast6 if they get
instantiated (this only happens if you have forwarding enabled for the subnet
defined addresses) or if you have a program which does IPV6_JOIN_ANYCAST
setsockopt on a socket.

Old kernels don't allow using anycast addresses as source address. This was
recently changed in the linux kernel. But I don't suspect this to be the
problem.

Bye,
Hannes
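
The /proc/net/anycast6 check mentioned above, as an added example that is not part of the original message: it parses the file and reports whether the subnet-router anycast address of a prefix is instantiated. The four-column layout (ifindex, device, 32 hex digits, user count), the sample lines and the 2001:db8:: addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample; assumed layout: ifindex, device, address as 32 hex
# digits, user count. Addresses are from the 2001:db8::/32 documentation range.
SAMPLE = """\
2    eth0            20010db8000000010000000000000000     1
3    eth1            fe800000000000000000000000000000     1
"""


def parse_anycast6(text):
    """Return (ifindex, device, IPv6Address, users) tuples, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or len(fields[2]) != 32:
            continue
        try:
            addr = ipaddress.IPv6Address(bytes.fromhex(fields[2]))
            entries.append((int(fields[0]), fields[1], addr, int(fields[3])))
        except ValueError:
            continue  # non-hex address or non-numeric counters
    return entries


def subnet_router_anycast(prefix):
    """Subnet-router anycast address: the prefix with all host bits zero."""
    return ipaddress.IPv6Network(prefix, strict=False).network_address


def is_instantiated(text, address, dev=None):
    """True if `address` is listed, optionally only on device `dev`."""
    want = ipaddress.IPv6Address(address)
    return any(addr == want and (dev is None or name == dev)
               for _, name, addr, _ in parse_anycast6(text))


if __name__ == "__main__":
    try:
        with open("/proc/net/anycast6") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # not on Linux or IPv6 disabled: use the constructed sample
    target = subnet_router_anycast("2001:db8:0:1::53/64")  # hypothetical prefix
    state = "instantiated" if is_instantiated(text, target) else "not instantiated"
    print(f"{target}: {state}")
```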
