Re: DNS lookup for git.postgresql.org

On Wed, Jun 30, 2021 at 11:04:23PM +0200, Magnus Hagander wrote:
> On Wed, Jun 30, 2021 at 9:20 PM Bruce Momjian <bruce@momjian.us> wrote:
> > Oh, I used the -4 option and my failures stopped.  Glad this thread was
> > helpful for you too.  I never expected IPv6 to lead to failures, just
> > possible delays, but I have now learned, at least with DNS, it can cause
> 
> It shouldn't.
> 
> I regularly work from networks with no native ipv6 and these things
> work perfectly fine.

Yes, I am confused, but as you can see from the logs I posted, bind is
occasionally failing.

> Do you have an actual public ipv6 address on your system, and it just
> doesn't work? Like maybe a tunnel you set up at some point that
> doesn't work? If not it seems very strange that it should even try to
> get out over ipv6.

I have no IPv6 IP address and never use tunnels.  I just did a grep for
"ipv6" in /etc and found only default commented-out lines in
sysctl.conf.  Where else would I look?

> > failures too.  I will also add the bind options mentioned to disable
> > dnssec and aaaa records.
> 
> You should  *not* disable dnssec. It's an important security feature.
> Filtering them in the DNS response sounds more like trying to apply a
> crude workaround.

So just using "filter-aaaa-on-v4 break-dnssec" and not using
"dnssec-enable no" is what you recommend?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.