On 6/7/2019 7:20 AM, Måns Nilsson wrote:
> Hi,
>
> I'm a little uncertain how to discuss this, because it is a
> cross-implementation problem, but this problem surely has hit others
> here. I hope.
>
> I have three db servers in my OpenAFS cell. They all have -- for various
> reasons -- v4 and v6 addresses and corresponding DNS records. When I'm
> trying to use the Auristor-supplied OSX client "aklog" implementation to
> get tokens, the client tries to connect to the IPv6 addresses of the db
> servers. Most likely because it is an Auristor client and it is expecting
> Auristor db servers. Only after some 10 seconds does the client time out
> and retry over v4, which of course immediately succeeds.
>
> Is there a fix for this?
>
> Or: Am I the only one crazy enough to have AAAA records for my db servers?

The AuriStorFS aklog relies upon DNS SRV records to find the list of
service endpoints for the protection servers. If the DNS SRV record
refers to a name with a AAAA record, that entry will be trusted as valid.

Create separate IPv4 A records to refer to your hosts and list those in
the DNS SRV records instead of the hostname that includes both A and
AAAA records. Note that SRV records reference A and AAAA records and
not CNAME records.

Many sites have

  afsdb1.cell
  afsdb2.cell
  afsdb3.cell

names in DNS. Only create A records for those names and use them for
the DNS SRV records

  _afs3-vlserver._udp.cell
  _afs3-prserver._udp.cell
  ...

You wouldn't create SRV records indicating that your cell supports TCP
connections

  _afs3-vlserver._tcp.cell
  _afs3-prserver._tcp.cell

so do not create SRV records that indicate that the service supports
IPv6 when it doesn't.

The AuriStorFS rx stack will terminate calls within one second if an
ICMP6 port unreachable response is received. I wonder if the 10 second
delay is due to ICMP6 packets being firewalled.

Jeffrey Altman
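
Added example, not part of the original message and not AuriStor or OpenAFS code: a small Python check that reads zone records and flags AFS SRV targets that carry a AAAA record or are CNAMEs, the two cases the reply above advises against. The cell name example.org, the host names, the documentation-range addresses and the simplified one-record-per-line zone syntax are assumptions; 7003 and 7002 are the registered afs3-vlserver and afs3-prserver ports.

```python
from collections import defaultdict

# Constructed zone data: documentation addresses, hypothetical cell "example.org".
# Simplified syntax assumed: "owner IN type rdata", fully qualified, no TTL column.
ZONE = """\
afsdb1.example.org.     IN A     192.0.2.11
afsdb1.example.org.     IN AAAA  2001:db8::11
afsdb1-v4.example.org.  IN A     192.0.2.11
afsdb2-v4.example.org.  IN A     192.0.2.12
afsdb3.example.org.     IN CNAME afsdb2-v4.example.org.
_afs3-vlserver._udp.example.org. IN SRV 0 0 7003 afsdb1.example.org.
_afs3-vlserver._udp.example.org. IN SRV 0 0 7003 afsdb2-v4.example.org.
_afs3-prserver._udp.example.org. IN SRV 0 0 7002 afsdb1-v4.example.org.
_afs3-prserver._udp.example.org. IN SRV 0 0 7002 afsdb3.example.org.
"""

def parse_zone(text):
    """Return ({owner: set of A/AAAA/CNAME types}, [(srv_owner, target), ...])."""
    rtypes, srvs = defaultdict(set), []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3:]
        if rtype == "SRV" and len(rdata) == 4:   # priority weight port target
            srvs.append((owner, rdata[3].lower()))
        elif rtype in ("A", "AAAA", "CNAME"):
            rtypes[owner].add(rtype)
    return rtypes, srvs

def audit_srv_targets(text, prefix="_afs3-"):
    """Flag SRV targets that an IPv4-only service should not advertise."""
    rtypes, srvs = parse_zone(text)
    findings = []
    for owner, target in srvs:
        if not owner.startswith(prefix):
            continue
        types = rtypes.get(target, set())
        if "CNAME" in types:
            findings.append((owner, target, "target is a CNAME"))
        elif "AAAA" in types:
            findings.append((owner, target, "target has AAAA, service is IPv4-only"))
        elif "A" not in types:
            findings.append((owner, target, "target has no A record"))
    return findings

if __name__ == "__main__":
    for finding in audit_srv_targets(ZONE):
        print(*finding, sep="  ")
```
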
