Anand Buddhdev
Sun Mar 30 23:28:29 CEST 2014

On 30/03/2014 22:31, Stephan Lagerholm wrote:

>> Well, not applying the patch won't prevent your cache from trying C-
>> root's IPv6 address, because a priming query will give you the IPv6
>> address. The patch just makes unbound's internal hints consistent with
>> the published root hints and the priming query.
> Good point, I guess the right thing to do is to add 
> do-not-query-address: 2001:500:2::c
> to unbound's configuration file until the issues are resolved.

I just queried all IPv6-enabled root name servers from 51 RIPE Atlas
anchors (it will take a few days to update DNSMON). The numbers below
show how many probes successfully got responses:

A  51
C  48
D  51
F  51
H  51
I  49
J  51
K  51
L  47
M  50

As you can see, it's not just C-root that's not widely reachable. Some
other root name servers also show some reachability issues. Have you
tested all the other root name servers from your location? If they are
unreachable, will you also blacklist them?

However, this discussion is diverging from unbound to general root name
server reachability, so bringing this back to unbound, I still think its
hints should be kept up to date. And I know that unbound will remember
unreachable name servers, and make fewer queries towards them. I don't
think the occasional timeout is worth worrying about.


Anand Buddhdev