Re: suddenly lots of named errors(?) in the log

On Wed, 21 Jan 2009, in the Usenet newsgroup uk.comp.os.linux, in article
<285.4977303a.73733@zem>, Justin C wrote:

]] On 2009-01-20, Justin C <justin.0810@xxxxxxxxxxxxxx> wrote:

]]] name[d12649]: FORMERR resolving 'dns1.suddenyet.com/AAAA/IN':
]]] 79.135.168.145#53

]]] named[12649]: nexpected RCODE (REFUSED) resolving
]]] '92.125.118-125.xdsl.ab.ru/AAAA/IN': 80.71.160.16#53

In both cases, your name server asked some remote name server for an
AAAA (IPv6) record. In both cases, the remote name servers returned
a result code that essentially says "I don't do IPv6".

]]] I'm getting many, many more of the FORMERR log entries, over a
]]] thousand yesterday, and from various domains, but 98.8% of them
]]] are from two IP addresses: 59.63.157.212#53 and
]]] 79.135.168.145#53.

For some reason, you have an application or client host that wants IPv6
addresses. Why is a good question - but in any case, _your_ name server
is attempting to resolve the requests, which may or may not be
desirable. Apparently, these two remote name servers are _aware_ of
IPv6, but are not set up to provide answers. RFC2136 translates the
result codes (defined in RFC1035) as follows:

FORMERR 1 The name server was unable to interpret the request
due to a format error.

REFUSED 5 The name server refuses to perform the specified
operation for policy or security reasons.

This _could_ be because the DNS administrators there didn't see the need
to provide IPv6 data. (IPv6 has been around for 13 years, and will
_probably_ replace IPv4... perhaps before the sun turns super-nova, but
the adoption is proceeding at the pace of a frozen snail.) See RFC4074
for some thoughts about using these result codes for IPv6.

Why you are asking those two servers is a different question - they
may be listed as authoritative for the hosts you are looking for.

]]] named[12649]: lame server resolving 'boysofthelough.com' (in
]]] 'boysofthelough.com'?): 69.20.16.72#53

That MAY BE a different problem - A "lame server" is a server that
does not believe is it authoritative for a domain which has been
delegated to it. I'm not sure why you are having a problem, as things
seem to be resolving at the moment. Could have been a screwup by the
domain registrar, or ednet.co.uk, but RFC4074 suggests it could be a
IPv6 related problem too.

]]] I don't know what the significance of the #53 is.

That's the port number you were asking on the remote server

[compton ~]$ grep -w 53 /etc/services
domain 53/tcp Domain Name Server
domain 53/udp Domain Name Server
[compton ~]$

]]] Googling for 'named' and FORMERR it looks like something to do
]]] with IPv6.

Actually, the key is the AAAA (rather that 'A') request that says IPv6.

]]] We don't need it here so I'm in the process of turning it off,

As I said - "the adoption is proceeding at the pace of a frozen snail"
and that's why.

I wasn't clear on what my Googling found. My Googling suggested
that these reports are down to IPv6, and that, unless it's needed
IPv6 could be turned off.

The reason for that recommendation is that a lot of name servers are
still configured to _ignore_ IPv6 related queries, rather than
returning an immediate FOAD result (or better, a NODATA pseudo-result
per RFC2308) - and that requires the query to time out (seconds) before
your nameserver/resolver tries an IPv4 query. Again, see RFC4074 and
RFC2308 for additional details. It's that extra delay that is
objectionable. Not all name servers are _logging_ these "error"
messages as your system appears to do.

Old guy
.

Relevant Pages

  • Re: unexpected RCODE?
    ... RCODE Response code - this four bit field is undefined in requests ... REFUSED 5 The name server refuses to perform the ... a fundamental of the kernel) asked for an IPv6 address for the host ... request, resulting in a 5-10 second delay while the request times out. ...
    (comp.os.linux.misc)
  • Re: suddenly lots of named errors(?) in the log
    ... your name server asked some remote name server for an ... the remote name servers returned ... a result code that essentially says "I don't do IPv6". ... I'll make sure all clients are switched off tonight, ...
    (uk.comp.os.linux)
  • Re: Was beachten bei IPv6 Firewall?
    ... Da ich keine IPv6 Cliens oder Server laufen habe, ... ip6tables -A OUTPUT -j ACCEPT ... Datenkanele solande es noch kein FTP-Helpermodul fuer ipv6 gibt. ...
    (de.comp.os.unix.networking.misc)
  • Re: Multiple domain name support
    ... on three separate IP addresses on the current mail server. ... It's not trivial -if at all possible- to force sendmail to use ... being forwarded to an IPv4 only host that came in via IPv6. ...
    (comp.mail.sendmail)
  • Re: sendmail problems
    ... I need help to resolve a problem with my sendmail server. ... I use this server to manage mailman lists, ... or are you running IPv6? ...
    (freebsd-questions)