Resolving order aaaa / a with unqualified / qualified names

Today I decided to change ordering in resolv.conf so ipv6
addresses
would be found first by placing the zone I created for ipv6
addresses first
(next step will be to eliminate the special ipv6 zone and
just put all ipv6
adresses in the main zone so ipv4-with-natted addresses will
be the special
case and ipv6 the default).

But ssh still defaulted to ipv4 addresses for unqualified
names and
ipv6 for qualified names, and with some testing I saw other
applications
default the same (telnet, ftp). The best way to show this is
with telnet:

telnet gosper
Trying 10.42.2.1...
Trying 2001:888:1011::694...

telnet gosper.idefix.net
Trying 2001:888:1011::694...
Trying 82.95.196.202...

in /etc/resolv.conf 
search tz.idefix.net koos.koffie.dot idefix.net
the idea is to find gosper.tz.idefix.net (ipv6 only) before
gosper.koos.koffie.dot (ipv4 only). gosper.idefix.net has
both.

What is causing this? Can I change this behaviour?

ii  libc6          2.3.6.ds1-13et GNU C Library: Shared
libraries
ii  telnet         0.17-34        The telnet client
ii  ssh            4.3p2-9        Secure shell client and
server (transitional

Forcing the protocol with -6 works, but my idea is to make
IPv6 the
default without having to think about it.

Websearches about this subject find big flamewars about
ipv6/ipv4/broken
resolvers so I'd thought I'd ask nicely in the debian-ipv6
users list.

                                                    Koos van
den Hout

-- 
Koos van den Hout,           PGP keyid DSS/1024 0xF0D7C263
via keyservers
kooskzdoos.xs4all.nl        or RSA/1024 0xCA845CB5       
                -?)
Fax +31-30-2817051              Visit the site about books
with reviews    /\
http://idefix.net/~koos/
               http://www.virtualboo
kcase.com/   __V

On Thu, 2007-10-25 at 21:17 +0200, Koos van den Hout wrote:
> Today I decided to change ordering in resolv.conf so
ipv6 addresses
> would be found first by placing the zone I created for
ipv6 addresses first
> (next step will be to eliminate the special ipv6 zone
and just put all ipv6
> adresses in the main zone so ipv4-with-natted addresses
will be the special
> case and ipv6 the default).

All of the addresses in the search list are resolved in
parallel and it
is likely that the IPv4 address is resolved faster than the
IPv6 one, so
that gets used.

I believe what happens is that the name for the first
successful
response from the search list will be used, and an AAAA
response to that
name will be used in preference to an A response.

This means that because your IPv4 address responds quickly,
but no AAAA
response is returned for that name, you end up connecting to
the IPv4
address.

Rather than having the IPv6 and IPv4 addresses in separate
domains,
wouldn't it be simpler to just add AAAA records in the first
domain?
That's what I do and I seem to get the IPv6 connection every
time.

andrewhippy:~$ telnet boole
Trying 2404:130:0:1000::82:0...
Trying 192.168.2.82...

vs.

andrewhippy:~$ telnet boole.wgtn.cat-it.co.nz
Trying 2404:130:0:1000::82:0...
Trying 192.168.2.82...


> in /etc/resolv.conf 
> search tz.idefix.net koos.koffie.dot idefix.net
> the idea is to find gosper.tz.idefix.net (ipv6 only)
before
> gosper.koos.koffie.dot (ipv4 only). gosper.idefix.net
has both.
> 
> What is causing this? Can I change this behaviour?

What are you trying to achieve by having the IPv4 only set
at all?  Or
even by having the IPv6 only set?

Cheers,
					Andrew McMillan.

------------------------------------------------------------
-------------
Andrew  Catalyst .Net .NZ  Ltd,  PO Box 11-053, Manners St, 
Wellington
WEB: http://catalyst.net.nz/  
         PHYS: Level 2, 150-154 Willis St
DDI: +64(4)803-2201      MOB: +64(272)DEBIAN      OFFICE:
+64(4)499-2267
Bruce Schneier can log into any computer just by staring
down the prompt.
------------------------------------------------------------
-------------

Quoting Andrew McMillan who wrote on Fri 2007-10-26 at
08:48:

[..]

> Rather than having the IPv6 and IPv4 addresses in
separate domains,
> wouldn't it be simpler to just add AAAA records in the
first domain?

That is what I was going to do next. When I try that the
order indeed
changes.

> > in /etc/resolv.conf 
> > search tz.idefix.net koos.koffie.dot idefix.net
> > the idea is to find gosper.tz.idefix.net (ipv6
only) before
> > gosper.koos.koffie.dot (ipv4 only).
gosper.idefix.net has both.
> > 
> > What is causing this? Can I change this
behaviour?
> 
> What are you trying to achieve by having the IPv4 only
set at all?  Or
> even by having the IPv6 only set?

It grew that way historically: keeping rfc1918 addresses out
of public dns
and having ipv6 addresses in a separate zone. I decided
today to go towards
having ipv6 preferred for everything and ipv4-legacy-nat for
applications
that don't support ipv6 yet (for example nfs).

Thanks for your insights!

Time to dump the separate ipv6 zone: that does NOT help
moving towards
ipv6.

                                             Koos van den
Hout

-- 
The Virtual Bookcase, the site about books, book    | Koos
van den Hout
news and reviews http://www.virtualboo
kcase.com/    | http://idefix.net/~koos/

PGP keyid DSS/1024 0xF0D7C263 or RSA/1024 0xCA845CB5| Fax
+31-30-2817051

Quoting Koos van den Hout who wrote on Thu 2007-10-25 at
22:12:

> > Rather than having the IPv6 and IPv4 addresses in
separate domains,
> > wouldn't it be simpler to just add AAAA records in
the first domain?
> 
> That is what I was going to do next. When I try that
the order indeed
> changes.

For certain client / name combinations. For other
combinations:

$ telnet gosper
Trying 2001:888:1011::694...
Trying 82.95.196.202...
telnet: Unable to connect to remote host: Connection
refused

$ telnet jobs
Trying 10.42.2.4...
Trying 2001:888:1011:0:250:daff:febd:5645...
telnet: Unable to connect to remote host: Connection
refused

resolv.conf now has:

search idefix.net koos.koffie.dot

Confusing...

                                          Koos

-- 
Koos van den Hout,           PGP keyid DSS/1024 0xF0D7C263
via keyservers
kooskzdoos.xs4all.nl        or RSA/1024 0xCA845CB5       
                -?)
Fax +31-30-2817051              Visit the site about books
with reviews    /\
http://idefix.net/~koos/
               http://www.virtualboo
kcase.com/   __V

On Oct 25, 2007, at 15:48, Andrew McMillan wrote:
> On Thu, 2007-10-25 at 21:17 +0200, Koos van den Hout
wrote:
>> Today I decided to change ordering in resolv.conf
so ipv6 addresses
>> would be found first by placing the zone I created
for ipv6  
>> addresses first
>> (next step will be to eliminate the special ipv6
zone and just put  
>> all ipv6
>> adresses in the main zone so ipv4-with-natted
addresses will be  
>> the special
>> case and ipv6 the default).
>
> All of the addresses in the search list are resolved in
parallel  
> and it
> is likely that the IPv4 address is resolved faster than
the IPv6  
> one, so
> that gets used.

I really hope that's not it.  It would be an excellent
argument for  
abandoning domain search lists, since on other systems you
get to  
express a preference order.

Assuming that's not the case, my guess is that the code
searches  
first for an A record through the domain search list, and if
it's not  
found, searches again for an AAAA record in case it's an
IPv6-only  
host; if it finds an A record, it probably then asks for an
AAAA  
record for the same FQDN.  The fairly obvious problem with
this is  
that an IPv6-only host may be skipped over for an
IPv4-and-IPv6 host  
if the user is asking for both address types, or IPv4 only. 
(Should  
you get back a no-address answer if an IPv6 host comes first
and  
you're only asking for IPv4?  My guess is, probably.)  You
(well, the  
original poster) could test this by using tcpdump or similar
programs  
to watch DNS exchanges while looking up the names.

As I understand it, the issue is with the internal
nameserver query  
APIs -- you get an interface like "search the domain
search list for  
this name and record type", so you make two passes if
necessary,  
first with type A and then type AAAA it sounds like.  There
isn't an  
interface (last I looked) to search for any in a set of RR
types.   
You could ask for "any RR type", but then you
increase the traffic  
(lots of data coming back that you don't care about and will
just  
throw away), and you get positive matches for names you
probably do  
want to skip over, for example if a site has a wildcard MX
record.   
And as far as I know there isn't a "resume search list
where we left  
off" interface either.  So it might be doable, but the
easiest and  
cleanest way may require updating the resolver APIs.  (To be
fair, I  
haven't looked at them in a while, so maybe someone's
already doing  
that.)

Ken


-- 
To UNSUBSCRIBE, email to debian-ipv6-REQUESTlists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmasterlists.debian.org

Koos van den Hout wrote:

> For certain client / name combinations. For other
combinations:
>
> Confusing...

A known glibc bug in etch:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428
434>. There is no
fix for etch.


Regards
Friedemann


-- 
To UNSUBSCRIBE, email to debian-ipv6-REQUESTlists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmasterlists.debian.org

Quoting Friedemann Stoyan who wrote on Fri 2007-10-26 at
06:59:

> Koos van den Hout wrote:
> 
> > For certain client / name combinations. For other
combinations:
> >
> > Confusing...
> 
> A known glibc bug in etch:
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428
434>. There is no
> fix for etch.

That's the one. Thanks.

                                              Koos

-- 
Koos van den Hout,           PGP keyid DSS/1024 0xF0D7C263
via keyservers
kooskzdoos.xs4all.nl        or RSA/1024 0xCA845CB5       
                -?)
Fax +31-30-2817051              Visit the site about books
with reviews    /\
http://idefix.net/~koos/
               http://www.virtualboo
kcase.com/   __V