On Wed, Jun 30, 2021 at 9:20 PM Bruce Momjian <bruce@momjian.us> wrote:
>
> On Wed, Jun 30, 2021 at 12:53:24PM -0400, Tom Lane wrote:
> > Bruce Momjian <bruce@momjian.us> writes:
> > > On Tue, Jun 29, 2021 at 11:26:54PM -0400, Tom Lane wrote:
> > >> My buildfarm animals frequently complain of being unable to contact the
> > >> buildfarm server. Sometimes there's an identifiable problem at my end,
> > >> but usually not. A typical error looks like
> > >> error getting branches of interest: 500 Can't connect to buildfarm.postgresql.org:443 (Network is unreachable)
at./run_branches.pl line 199.
> >
> > > OK, thanks. When no one said they saw similar behavior, I started
> > > digging deeper. It seems on Debian 10, bind/named uses IPv6 by default,
> > > and my ISP, Verison FIOS, doesn't support IPv6 yet; see:
> > > https://www.reddit.com/r/Fios/comments/li4ri7/does_fios_support_ipv6/
> >
> > Oh, that's an interesting point. I have no IPv6 connectivity here either.
> > I'd figured out some time ago that with recent bind versions I need to use
> > named's "-4" option to prevent DNS lookup timeouts ... but now I see that
> > that doesn't stop it from returning IPv6 addresses. I wonder if the
> > failures occur when my animals try to use the buildfarm server's IPv6
> > address. I'll try the hack mentioned in the serverfault thread.
>
> Oh, I used the -4 option and my failures stopped. Glad this thread was
> helpful for you too. I never expected IPv6 to lead to failures, just
> possible delays, but I have now learned, at least with DNS, it can cause
It shouldn't.
I regularly work from networks with no native ipv6 and these things
work perfectly fine.
Do you have an actual public ipv6 address on your system, and it just
doesn't work? Like maybe a tunnel you set up at some point that
doesn't work? If not it seems very strange that it should even try to
get out over ipv6.
> failures too. I will also add the bind options mentioned to disable
> dnssec and aaaa records.
You should *not* disable dnssec. It's an important security feature.
Filtering them in the DNS response sounds more like trying to apply a
crude workaround.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/