[RndTbl] help! dns zone delegation wonky for AAAA

Trevor Cordes trevor at tecnopolis.ca
Thu Nov 24 01:42:16 CST 2016


On 2016-11-22 Adam Thompson wrote:
> Well, it's not a bind(8) problem.  Nor is it a generic libc problem,
> by the sounds of it. The GSSAPI thing is a royal PITA - I have to
> turn it off for significant numbers of hosts in ~/.ssh/config, and

OK, I guess I'll disable GSSAPI in my confs too since it seems to have
no upside (I never need to connect to an AD), and from what I've read on
the net it can cause more problems besides mine.

Wonder why ssh now turns it on by default when it seems so unlikely to
be used.

> #1700). I suppose it could be a libc bug...  you'd think it would
> affect more than just host(1) and sshd(8), though...?

It very well might... I just notice it in those 2 right now.  Well, and
dig, but dig won't hang like host/ssh does.

> Or is that the
> extent of software that normally does reverse lookups nowadays? In

I'm not sure what I'm describing is reverse lookups, is it?

> the problematic host(1) call, add "-d", and specify "A" records only
> using "-t", is the best I can suggest.

Yes, aliasing host to host -t A is a good band-aid option.

> You can also influence
> resolver behaviour with /etc/gai.conf and /etc/host.conf - not sure

Wow, didn't know about those.  They could be handy, esp gai.conf.
However, I just played with them both and they won't help here.  You
can use gai to reorder the results so programs prefer 6 or 4, but
they'll still return all the entries (4&6).  It appears Fedora still
has 4 as preferred(? as gai.conf on Fed is empty!), though lots of
Ubuntu chatter about it preferring 6 and how to do it.

Interestingly, a doc I read said that most apps will ignore gai.conf
anyhow.  I ran a test with atime on and confirmed that nearly every
command line net app I could think of ignores gai.conf as the atime
never changes.  The only way I could get gai.conf read was by doing a
manual getaddrinfo() with sample code:
import socket
# print every address getaddrinfo() returns (both A and AAAA) for
# pool.ntp.org, UDP port 123; works under Python 2 and 3
print(', '.join(ai[4][0] for ai in
      socket.getaddrinfo('pool.ntp.org', 123, 0, socket.SOCK_DGRAM)))

Perhaps most progs don't use getaddrinfo, and use some other syscall
instead.

Even though it didn't help, I'm glad I now know about gai.conf!

Maybe I should now reformulate the crux of my problem as this:
Can I configure bind to return for all AAAA requests in the local zone
"I'm authoritative but I don't have the answer" instead of SERVFAIL
*even if the subzone has been delegated*.  Or even specify a delegation
for certain records (A & MX) only (not AAAA), though I specifically
read somewhere that that's impossible on purpose.

I think the next step is to hit the BIND mailing list to see if they
think it's a bug or even an issue that needs thinking about.

Either that or I'm doing an entirely unsupported, insane thing with my
BIND having 2 different authoritative NSs each with a different idea of
what the zone contents should be (though mostly overlapping).  :-)
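Added example (not part of the post above): the post notes that gai.conf can only reorder getaddrinfo() results, not suppress the AAAA entries. The application-side equivalent of the `host -t A` band-aid is to pass socket.AF_INET as the family to getaddrinfo(), which makes the resolver ask for A records only. The code below shows both the family restriction and how to split a mixed result list into v4 and v6 addresses; the SAMPLE_ADDRINFO list is constructed from RFC 5737 / RFC 3849 documentation addresses and is not a real lookup result.

```python
import socket

# Constructed sample in the shape getaddrinfo() returns:
# (family, type, proto, canonname, sockaddr).  Documentation addresses only.
SAMPLE_ADDRINFO = [
    (socket.AF_INET6, socket.SOCK_DGRAM, 17, '', ('2001:db8::1', 123, 0, 0)),
    (socket.AF_INET, socket.SOCK_DGRAM, 17, '', ('192.0.2.10', 123)),
    (socket.AF_INET, socket.SOCK_DGRAM, 17, '', ('192.0.2.11', 123)),
]


def split_by_family(addrinfo):
    """Return (ipv4_addresses, ipv6_addresses) from a getaddrinfo() result."""
    v4 = [ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET]
    v6 = [ai[4][0] for ai in addrinfo if ai[0] == socket.AF_INET6]
    return v4, v6


def resolve(host, port, v4_only=False, numeric=False):
    """Resolve host:port for UDP and return the address strings.

    v4_only=True passes AF_INET, so only A records are requested and no
    AAAA query is ever sent (the in-program version of `host -t A`).
    The default AF_UNSPEC returns A and AAAA, ordered by gai.conf if the
    libc honours it.  numeric=True sets AI_NUMERICHOST: the host must be
    a literal address, so no DNS traffic happens at all.
    """
    family = socket.AF_INET if v4_only else socket.AF_UNSPEC
    flags = socket.AI_NUMERICHOST if numeric else 0
    return [ai[4][0] for ai in
            socket.getaddrinfo(host, port, family, socket.SOCK_DGRAM, 0, flags)]


if __name__ == '__main__':
    v4, v6 = split_by_family(SAMPLE_ADDRINFO)
    print('constructed sample: v4=%s v6=%s' % (v4, v6))
    # Live lookups below need working DNS; the second never asks for AAAA.
    print('A and AAAA:', resolve('pool.ntp.org', 123))
    print('A only    :', resolve('pool.ntp.org', 123, v4_only=True))
```

The family restriction is a per-call choice, so it helps only in programs you write or can patch; for host(1) and sshd(8) the `-t A` alias and disabling GSSAPI remain the practical workarounds.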

