Maintained by: NLnet Labs

[Unbound-users] C-root IPv6 patch

Stephan Lagerholm
Sun Mar 30 22:31:29 CEST 2014


Hi Anand,

> Hi Stephan,
> 
> > There are still peering issues with that particular operator over
> > IPv6. At least from where I try:
> >
> > stephan at pi:~$ dig -6 @a.root-servers.net . SOA +short
> > a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
> >
> > stephan at pi:~$ dig -6 @c.root-servers.net . SOA +short
> > ; <<>> DiG 9.9.2-rpz+rl.094.21-P2 <<>> -6 @c.root-servers.net . SOA +short
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; connection timed out; no servers could be reached
> >
> > stephan at pi:~$ dig -4 @c.root-servers.net . SOA +short
> > a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400
> >
> > So before you apply the patch or change your roots-hints file, please
> > check that you have v6 connectivity.
> 
> Well, not applying the patch won't prevent your cache from trying
> C-root's IPv6 address, because a priming query will give you the IPv6
> address. The patch just makes unbound's internal hints consistent with
> the published root hints and the priming query.


Good point, I guess the right thing to do is to add 
do-not-query-address: 2001:500:2::c
to unbound's configuration file until the issues are resolved.

> > It is unfortunate that the v6 address of c-root is not reachable
> > everywhere on the internet. Maybe you or somebody else can check
> > connectivity via the atlas probes?
> 
> We'll add C-root's IPv6 address to DNSMON soon, and that should reveal
> routing problems. 

Let me know your findings. I'm very interested in knowing that critical
infrastructure such as root servers are globally reachable.

> However, I will also notify my contacts at Cogent (C-root operator)
> about this issue. Thanks for alerting us to it.

Bake them another cake,
http://tech.slashdot.org/story/09/10/23/1715235/peering-disputes-migrate-to-ipv6

/S
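
The check and workaround discussed in this message, as an added example that is not part of the original post or of Unbound: it probes name-server addresses over IPv6 and prints a `do-not-query-address:` line for each one that does not return a root SOA. The function names and `sample_probe` are hypothetical, and `2001:db8::53` is a documentation-range placeholder; only `2001:500:2::c` and the sample outputs come from the thread.

```shell
#!/bin/sh
# probe ADDR: ask ADDR for the root SOA over IPv6 (needs dig and v6 transport).
probe() {
    dig -6 +short +time=3 +tries=2 "@$1" . SOA 2>&1
}

# sample_probe ADDR: constructed stand-in for probe, replaying the two
# outcomes quoted in the thread so the logic can be exercised offline.
sample_probe() {
    case "$1" in
        2001:500:2::c)
            printf '%s\n' '; (1 server found)' \
                ';; connection timed out; no servers could be reached' ;;
        *)
            printf '%s\n' 'a.root-servers.net. nstld.verisign-grs.com. 2014033001 1800 900 604800 86400' ;;
    esac
}

# reachable OUTPUT: succeed only if OUTPUT contains a +short SOA answer
# (seven fields with a numeric serial); banners, timeouts and empty
# output all count as unreachable.
reachable() {
    printf '%s\n' "$1" | awk '
        /^;/ { next }                          # dig comment and error lines
        NF == 7 && $3 ~ /^[0-9]+$/ { ok = 1 }  # mname rname serial refresh retry expire minimum
        END { exit (ok ? 0 : 1) }'
}

# exclusions PROBE_FN ADDR...: print one server:-clause line per address
# whose probe did not yield an SOA. Runs in a subshell to keep variables local.
exclusions() (
    fn=$1
    shift
    for addr in "$@"; do
        out=$("$fn" "$addr") || true           # dig exits non-zero on timeout
        reachable "$out" || printf '    do-not-query-address: %s\n' "$addr"
    done
)

# Live use: sh script.sh 2001:500:2::c [more addresses...]
if [ "$#" -gt 0 ]; then
    echo 'server:'
    exclusions probe "$@"
fi
```

Re-run the probe periodically and remove the exclusion once the address answers again, since the entry keeps Unbound from querying that address for as long as it stays in the configuration.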