[ntp:questions] http://www.ntp.org/ => a blank page?

Martin Burnicki martin.burnicki at meinberg.de
Thu Mar 5 10:14:36 UTC 2009


Rob wrote:
> Steve Kostecke <kostecke at ntp.org> wrote:
>>> But it has two IPv4 addresses. Under the address 204.152.184.138 it
>>> works OK.
>>
>> That's our off-site back-up.
> 
> Well, in DNS it says:
> www.ntp.org has address 128.4.35.16
> www.ntp.org has address 204.152.184.138
> www.ntp.org has IPv6 address 2001:4f8:0:2::23

The IPv6 entry in the DNS may lead to another error on a local site which we
have recently encountered.

I'm explicitly pointing out that what I describe below is *not* a problem
of the NTP site, even though users may think so after the first glance.
Anyway, I'd like to mention this here just for the records.

The problem we've been observing was that we have been unable to access e.g.
support.ntp.org, www.isc.org and some other sites from some machines in our
local intranet, even using different browsers. The browsers returned an
error, or the page was displayed only after quite a number of seconds
delay. From other machines on our local intranet access to those sites was
fast and without problems.

After some digging around we found out the problem occurs only if the DNS
server also returns an IPv6 address for this site.

Our intranet is behind a NAT router which only has IPv4 connection to our
ISP. If both an IPv4 and an IPv6 address for a host on the internet are
returned then applications may try to connect via IPv6 first, which fails
in this case.

Interestingly, some application/machines try to use IPv4 first, whereas
others try to use IPv6 first. I'm not sure whether this is a global
configuration option of the IP stack, or due to the application. A good way
to see what's going on is to use wget. 

On a SuSE Linux 9.3 machine using wget 1.10 the IPv4 address is used first,
so the program succeeds:

# wget http://support.ntp.org
--10:37:14--  http://support.ntp.org/
           => `index.html'
Resolving support.ntp.org... 204.152.184.138, 2001:4f8:0:2::23
Connecting to support.ntp.org|204.152.184.138|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://support.ntp.org/bin/view/Main/WebHome [following]
--10:37:14--  http://support.ntp.org/bin/view/Main/WebHome
           => `WebHome'
Reusing existing connection to support.ntp.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 34,199 (33K) [text/html]
10:37:19 (9.83 KB/s) - `WebHome' saved [34199/34199]

On an openSUSE 11.1 machine running wget 1.11.4 and also on a recent Ubuntu
machine the IPv6 address is used first:

# wget http://support.ntp.org
--2009-03-05 10:38:33--  http://support.ntp.org/
Resolving support.ntp.org... 2001:4f8:0:2::23, 204.152.184.138
Connecting to support.ntp.org|2001:4f8:0:2::23|:80... failed: Connection timed out.
Connecting to support.ntp.org|204.152.184.138|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://support.ntp.org/bin/view/Main/WebHome [following]
--2009-03-05 10:41:46--  http://support.ntp.org/bin/view/Main/WebHome
Reusing existing connection to support.ntp.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 34199 (33K) [text/html]
Saving to: `WebHome'

The IPv4 address is used only after the IPv6 address has timed out, even
though (as far as I understand it) the DNS server first returns an IPv4
address, then an IPv6 address:

# host support.ntp.org
support.ntp.org has address 204.152.184.138
support.ntp.org has IPv6 address 2001:4f8:0:2::23

I know a possible solution would be to use an IPv6-over-IPv4 tunnel to the
internet. However, if this has not been set up then access may fail for a
reason which is not obvious.

AFAIK some browsers, e.g. Firefox, can be configured to prefer either IPv4
or IPv6, so this can be solved without a tunnel.

A good solution would be to let the local DNS server discard IPv6 addresses
returned from forwarders while maintaining IPv6 support for the local
zone/network, but I currently don't know if/how this can be configured for
bind 9.

Danny, any ideas?  ;-))


Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
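
The connection order described in the message above can be checked from any client with a short probe; this is an added example, not part of the original post. It lists addresses in the order the local resolver library returns them and times a TCP connect to each one; the function names and the injectable `connect` parameter are choices made for this example.

```python
import socket
import sys
import time

def resolve(host, port=80):
    """(family, sockaddr) pairs in the order the local resolver library returns them."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _, _, _, sockaddr in infos]

def tcp_connect(family, sockaddr, timeout):
    """Open and immediately close one TCP connection; raises OSError on failure."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)

def probe(candidates, timeout=3.0, connect=tcp_connect):
    """Try every candidate in order and record the outcome and time spent on each."""
    results = []
    for family, sockaddr in candidates:
        start = time.monotonic()
        try:
            connect(family, sockaddr, timeout)
            outcome = "connected"
        except socket.timeout:
            outcome = "timed out"
        except OSError as exc:  # e.g. no route, refused, no IPv6 support
            outcome = "failed: " + (exc.strerror or str(exc))
        results.append({
            "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
            "address": sockaddr[0],
            "outcome": outcome,
            "seconds": round(time.monotonic() - start, 2),
        })
    return results

def fallback_delay(results):
    """Seconds lost on failed attempts before the first success; None if nothing connected."""
    lost = 0.0
    for r in results:
        if r["outcome"] == "connected":
            return lost
        lost += r["seconds"]
    return None

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = probe(resolve(host))
    for r in results:
        print("{family:4} {address:40} {outcome} ({seconds}s)".format(**r))
    print("delay before first success:", fallback_delay(results))
```

A non-zero delay with an IPv6 entry listed first matches the wget 1.11.4 behaviour shown in the message.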



