[Pdns-users] IPv4/IPv6 nameserver preference by recursor?

bert hubert bert.hubert at netherlabs.nl
Wed Jun 16 07:14:35 UTC 2010 

On Tue, Jun 15, 2010 at 05:10:11PM -0600, Darren Gamble wrote:
> We just wanted to get some information on how the recursor behaves when
> presented with a NS record set containing both IPv6 and IPv4 addresses,
> and/or if a NS record name has both A and AAAA records.
> 
> If there a preference by the recursor to prefer one protocol over the
> other?

"It depends" - by default, the PowerDNS Recursor is setup for maximum
performance and minimum worries. In this case, that means that you need to
manually enable the use of IPv6 for resolution.

>From the manual:
 query-local-address6

  Send out local IPv6 queries from this address or addresses Disabled by
  default, which also disables outgoing IPv6 support. Since version 3.2,
  multiple addresses can be specified, separated by a comma. 

Since 3.1 or so, when query-local-address6 contains an address (:: works
fine), 'ANY' queries are used to get both the A and AAAA addresses for
nameservers in one go.

IPv4 and IPv6 are treated absolutely equally, which means that the IP4/6
address that answers fastest gets most of the queries. In many cases this
means that IPv4 will win.

The Recursor does not actively seek out IPv6 addresses for a host if it
alread knows an IPv4 address for it and vice versa.

> How does the recursor handle a nameserver name with both A and AAAA
> record types?  Is it capable of using both if one is unreachable?  Is
> there a preference?

So, yes it can and will use both, and it will use the fastest address.

The PowerDNS Recursor can even resolve quite some domains when operating
with *only* IPv6.

>From the log of a recursor with only IPv6:
[1] www.sidn.nl.: Resolved '.' NS c.root-servers.net. to: 192.33.4.12
[1] www.sidn.nl.: Trying IP 192.33.4.12:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted

[1] www.sidn.nl.: Resolved '.' NS f.root-servers.net. to: 2001:500:2f::f, 192.5.5.241
[1] www.sidn.nl.: Trying IP [2001:500:2f::f]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 19 answers from f.root-servers.net. (2001:500:2f::f), rcode=0, in 149ms

[1] www.sidn.nl.: Resolved 'nl.' NS ns3.nic.nl. to: 2001:610:0:800d::2, 194.171.17.2
[1] www.sidn.nl.: Trying IP [2001:610:0:800d::2]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 9 answers from ns3.nic.nl. (2001:610:0:800d::2), rcode=0, in 6ms

[1] www.sidn.nl.: Resolved 'sidn.nl.' NS open.nlnetlabs.nl. to: 213.154.224.1, 2001:7b8:206:1::53
[1] www.sidn.nl.: Trying IP 213.154.224.1:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: error resolving, possible error: Operation not permitted
[1] www.sidn.nl.: Trying IP [2001:7b8:206:1::53]:53, asking 'www.sidn.nl.|A'
[1] www.sidn.nl.: Got 11 answers from open.nlnetlabs.nl. (2001:7b8:206:1::53), rcode=0, in 5ms
[1] www.sidn.nl.: accept answer 'www.sidn.nl.|A|213.136.31.216' from 'sidn.nl.' nameservers? YES!

Interestingly, when we added the IPv6 %link selection code to the
development tree (by your suggestion), the IPv6 outgoing support got
broken in the progress! 

Your message led me to verify the 'IPv6 only' claim, which uncovered this.

Fix in http://wiki.powerdns.com/trac/changeset/1638 - so please keep asking
the questions ;-)

This bug was never in any released version.

	Bert

More information about the Pdns-users mailing list