Dave Hart wrote:
> On Mar 5, 10:14, Martin Burnicki <[email protected]> wrote:
>>
>> The IPv4 address is used only after the IPv6 address has timed out, even
>> though (as far as I understand it) the DNS server first returns an IPv4
>> address, then an IPv6 address:
>>
>> # host support.ntp.org
>> support.ntp.org has address 204.152.184.138
>> support.ntp.org has IPv6 address 2001:4f8:0:2::23
>
> That's a bit misleading. At the protocol level the queries are often
> distinct, asking for A or AAAA records. type=any will return both but
> is not typically used in apps.

Yes, I know. However, the host command, at least on some systems, queries
both A and AAAA records by default, and other applications (or the
resolver library?) seem to do so as well.

> At the app level, if the app looks up
> a name indicating both IPv4 and IPv6 addresses are desired, platform
> and site policies come into play

Agreed.

>> I know a possible solution would be to use an IPv6-over-IPv4 tunnel to the
>> internet. However, if this has not been set up then access may fail for a
>> reason which is not obvious.
>>
>> AFAIK some browsers, e.g. Firefox, can be configured to prefer either
>> IPv4 or IPv6, so this can be solved without a tunnel.
>
> It sounds like you use a disconnected IPv6 network alongside a
> connected RFC1918 v4 network internally. I wonder if you could get by
> using only link-local addresses for your internal IPv6 network? I
> believe that would solve the problem because your stack would know it
> can't connect to a global v6 address from a machine with only link-
> local v6 addresses.

*This* is a very good hint. A quick check on some machines shows that the
problem I've described occurs only on machines which have both link-local
and global IPv6 addresses assigned to their network interface.

However, I've personally installed some of the machines and didn't care
about the IPv6 settings of the interfaces. So whether a global IPv6 address
has been assigned or not seems to depend on the policy of the specific
Linux distribution and/or the version of the IP stack.

>> A good solution would be to let the local DNS server discard IPv6
>> addresses returned from forwarders while maintaining IPv6 support for the
>> local zone/network, but I currently don't know if/how this can be
>> configured for bind 9.
>
> This may indeed be the best option for your configuration. I wouldn't
> call it a good solution, though.

I agree, but I assume it will do the job.

> Your machines should be able to
> handle seeing AAAA records via IPv4-accessible DNS even if they can't
> use them. I'd dig into configuring the machines to use IPv6 as a last
> resort before considering DNS server-based AAAA filtering.

Yes, the problem is to find the right knob to turn in a specific
distribution. Anyway, it should be possible to do.

Thanks,

Martin
--
Martin Burnicki
Meinberg Funkuhren
Bad Pyrmont
Germany

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
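The behaviour Dave Hart describes in the thread above (a host with only a link-local IPv6 address ranks a global IPv6 destination below the IPv4 one, while a host that also carries a global IPv6 address tries IPv6 first and waits for it to time out) is the destination address selection of RFC 3484, which glibc's getaddrinfo implements and which glibc lets an administrator tune through /etc/gai.conf. The script below is an added example written for this page; it is not code from the mailing list, from NTP or from glibc. It models only RFC 3484 rules 1 (avoid unusable destinations), 2 (prefer matching scope) and 6 (prefer higher precedence), which are the ones that decide this case, and it simplifies source address selection to "same family, same scope if possible". The two destinations are the ones from the `host support.ntp.org` output quoted above; the local interface addresses (192.168.1.10, fe80::1, 2001:db8::1) are constructed for the example. `prefer_ipv4_table` models the recipe documented in the gai.conf file itself, `precedence ::ffff:0:0/96 100`, which is the usual knob on glibc-based distributions; treating that line as an edit of a single table entry is a simplification of how glibc parses the file.

```python
"""Simplified RFC 3484 destination ordering (added example, not thread code).

Shows why a global IPv6 address on the interface, connected or not, pushes
the AAAA answer ahead of the A answer, and how a gai.conf precedence change
or link-local-only IPv6 reverses that. Only rules 1, 2 and 6 of RFC 3484
section 6 are modelled.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
PrecTable = Sequence[Tuple[ipaddress.IPv6Network, int]]

SCOPE_LINK, SCOPE_SITE, SCOPE_GLOBAL = 0x2, 0x5, 0xE

# Default precedence table from RFC 3484 section 2.1; longest prefix wins.
DEFAULT_PRECEDENCE: PrecTable = [
    (ipaddress.ip_network("::1/128"), 50),
    (ipaddress.ip_network("::/0"), 40),
    (ipaddress.ip_network("2002::/16"), 30),
    (ipaddress.ip_network("::/96"), 20),
    (ipaddress.ip_network("::ffff:0:0/96"), 10),
]

# Addresses quoted in the thread (host support.ntp.org output).
DESTS = ["204.152.184.138", "2001:4f8:0:2::23"]
# Constructed interface configurations for the two kinds of machine discussed.
LINK_LOCAL_ONLY = ["192.168.1.10", "fe80::1"]
GLOBAL_V6 = ["192.168.1.10", "fe80::1", "2001:db8::1"]


def as_v6(addr: Addr) -> ipaddress.IPv6Address:
    """RFC 3484 treats IPv4 addresses as IPv4-mapped IPv6 for table lookups."""
    if isinstance(addr, ipaddress.IPv4Address):
        return ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr


def scope(addr: Addr) -> int:
    """Scope per RFC 3484 section 3.2; RFC 1918 space counts as global."""
    if isinstance(addr, ipaddress.IPv4Address):
        return SCOPE_LINK if addr.is_loopback or addr.is_link_local else SCOPE_GLOBAL
    if addr.is_loopback or addr.is_link_local:
        return SCOPE_LINK
    if addr.is_site_local:
        return SCOPE_SITE
    return SCOPE_GLOBAL


def precedence(addr: Addr, table: PrecTable = DEFAULT_PRECEDENCE) -> int:
    """Longest-prefix lookup of the precedence table."""
    v6 = as_v6(addr)
    _, value = max(((n, v) for n, v in table if v6 in n), key=lambda nv: nv[0].prefixlen)
    return value


def pick_source(dest: Addr, local: Sequence[Addr]) -> Optional[Addr]:
    """Simplified source selection: same family, matching scope if available."""
    same_family = [a for a in local if isinstance(a, type(dest))]
    if not same_family:
        return None  # no address of this family at all: destination unusable
    same_scope = [a for a in same_family if scope(a) == scope(dest)]
    return (same_scope or same_family)[0]


def sort_destinations(dests: Sequence[Addr], local: Sequence[Addr],
                      table: PrecTable = DEFAULT_PRECEDENCE) -> List[Addr]:
    def key(d: Addr):
        src = pick_source(d, local)
        usable = src is not None                         # rule 1
        scope_match = usable and scope(src) == scope(d)  # rule 2
        return (not usable, not scope_match, -precedence(d, table))  # rule 6
    return sorted(dests, key=key)  # stable: ties keep resolver order


def order(dests: Sequence[str], local: Sequence[str],
          table: PrecTable = DEFAULT_PRECEDENCE) -> List[str]:
    """String-in, string-out wrapper around sort_destinations."""
    d = [ipaddress.ip_address(s) for s in dests]
    l = [ipaddress.ip_address(s) for s in local]
    return [str(a) for a in sort_destinations(d, l, table)]


def prefer_ipv4_table() -> PrecTable:
    """Model of the gai.conf recipe `precedence ::ffff:0:0/96 100`."""
    mapped = ipaddress.ip_network("::ffff:0:0/96")
    return [(n, 100 if n == mapped else v) for n, v in DEFAULT_PRECEDENCE]


if __name__ == "__main__":
    print("link-local v6 only :", order(DESTS, LINK_LOCAL_ONLY))
    print("global v6 assigned :", order(DESTS, GLOBAL_V6))
    print("global v6 + gai.conf:", order(DESTS, GLOBAL_V6, prefer_ipv4_table()))
```

On a real host, `getent ahosts support.ntp.org` prints the list in the order getaddrinfo returns it after this sorting, and `ip -6 addr show scope global` shows whether the distribution auto-configured a global IPv6 address on the interface, which is the condition the thread identifies as the trigger. The model also makes the DNS-side AAAA filtering discussed above look like what it is: a workaround for an address-selection policy that can be set on the host.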
