On 2016-11-22 Adam Thompson wrote:
> Well, it's not a bind(8) problem. Nor is it a generic libc problem, by the sounds of it. The GSSAPI thing is a royal PITA - I have to turn it off for significant numbers of hosts in ~/.ssh/config, and
OK, I guess I'll disable GSSAPI in my confs too since it seems to have no upside (I never need to connect to an AD), and from what I've read on the net it can cause more problems besides mine.
Wonder why ssh now turns it on by default when it seems so unlikely to be used.
> #1700). I suppose it could be a libc bug... you'd think it would affect more than just host(1) and sshd(8), though...?
It very well might... I just notice it in those 2 right now. Well, and dig, but dig won't hang like host/ssh does.
> Or is that the extent of software that normally does reverse lookups nowadays? In
I'm not sure what I'm describing is reverse lookups, is it?
> the problematic host(1) call, add "-d", and specify "A" records only using "-t", is the best I can suggest.
Yes, aliasing host to host -t A is a good bandaid option.
> You can also influence resolver behaviour with /etc/gai.conf and /etc/host.conf - not sure
Wow, didn't know about those. They could be handy, esp. gai.conf. However, I just played with them both and they won't help here. You can use gai to reorder the results so programs prefer 6 or 4, but they'll still return all the entries (4&6). It appears Fedora still has 4 as preferred (? as gai.conf on Fed is empty!), though lots of Ubuntu chatter about it preferring 6 and how to do it.
Interestingly, a doc I read said that most apps will ignore gai.conf anyhow. I ran a test with atime on and confirmed that nearly every command line net app I could think of ignores gai.conf as the atime never changes. The only way I could get gai.conf read was by doing a manual getaddrinfo() with sample code:

    import socket
    print ', '.join(map(lambda x: x[4][0], socket.getaddrinfo('pool.ntp.org', 123, 0, socket.SOCK_DGRAM)))
Perhaps most progs don't use getaddrinfo, and use some other syscall instead.
Even though it didn't help, I'm glad I now know about gai.conf!
Maybe I should now reformulate the crux of my problem as this: Can I configure bind to return for all AAAA requests in the local zone "I'm authoritative but I don't have the answer" instead of SERVFAIL *even if the subzone has been delegated*. Or even specify a delegation for certain records (A & MX) only (not AAAA), though I specifically read somewhere that that's impossible on purpose.
I think the next step is to hit the BIND mailing list to see if they think it's a bug or even an issue that needs thinking about.
Either that or I'm doing an entirely unsupported, insane thing with my BIND having 2 different authoritative NSs each with a different idea of what the zone contents should be (though mostly overlapping). :-)
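Building on the getaddrinfo() snippet in the message above, here is an added example that is not from the thread: it pins the address family per call, which is the getaddrinfo() analogue of the "host -t A" workaround, and queries A and AAAA separately so a SERVFAIL or hang on the AAAA side does not discard the A answers. The AI_NUMERICHOST runs on constructed documentation-range literals are an assumption made so the script can be exercised offline.

```python
import socket

# Added example, not code from the thread. gai.conf only reorders what the
# resolver returns; pinning the family in getaddrinfo() is what actually
# suppresses the AAAA query, and splitting A and AAAA into two calls keeps
# the A answer usable when only the AAAA lookup fails or stalls.


def resolve_addrs(name, family=socket.AF_UNSPEC, numeric_only=False):
    """Return the unique addresses for `name` in resolver order.

    family: AF_UNSPEC (A and AAAA in one call), AF_INET (A only), AF_INET6.
    numeric_only: set AI_NUMERICHOST so no DNS traffic is generated; used
    here only so the function can run offline on constructed literals.
    """
    flags = socket.AI_NUMERICHOST if numeric_only else 0
    try:
        infos = socket.getaddrinfo(name, 123, family, socket.SOCK_DGRAM, 0, flags)
    except socket.gaierror:
        # No address of the requested family (or lookup failure): report
        # "no data" instead of raising, the way a NOERROR/NODATA reply would.
        return []
    seen = []
    for _fam, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def split_by_family(name, numeric_only=False):
    """Look up A and AAAA independently, so one failing side cannot hide
    the other. This is the programmatic form of the `host -t A` bandaid,
    with AAAA still attempted as a separate, best-effort step."""
    return {
        "A": resolve_addrs(name, socket.AF_INET, numeric_only),
        "AAAA": resolve_addrs(name, socket.AF_INET6, numeric_only),
    }


if __name__ == "__main__":
    # Constructed literals from the RFC 5737 / RFC 3849 documentation ranges.
    for literal in ("192.0.2.10", "2001:db8::10"):
        print(literal, "->", split_by_family(literal, numeric_only=True))
```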