[ntp:questions] http://www.ntp.org/ => a blank page?

Danny Mayer mayer at ntp.org
Sun Mar 8 17:32:57 UTC 2009


Martin Burnicki wrote:
> Rob wrote:
>> Steve Kostecke <kostecke at ntp.org> wrote:
>>>> But it has two IPv4 addresses. Under the address 204.152.184.138 it
>>>> works OK.
>>> That's our off-site back-up.
>> Well, in DNS it says:
>> www.ntp.org has address 128.4.35.16
>> www.ntp.org has address 204.152.184.138
>> www.ntp.org has IPv6 address 2001:4f8:0:2::23
> 
> The IPv6 entry in the DNS may lead to another error on a local site which we
> have recently encountered.
> 
> I'm explicitly pointing out that what I describe below is *not* a problem
> of the NTP site, even though users may think so after the first glance.
> Anyway, I'd like to mention this here just for the records.
> 
> The problem we've been observing was that we have been unable to access e.g.
> support.ntp.org, www.isc.org and some other sites from some machines in our
> local intranet, even using different browsers. The browsers returned an
> error, or the page was displayed only after quite a number of seconds
> delay. From other machines on our local intranet access to those sites was
> fast and without problems.
> 
> After some digging around we found out the problem occurs only if the DNS
> server also returns an IPv6 address for this site.
> 

The DNS will always return what is requested. An AAAA record is just as
valid as an A record. If your client requests only A records it will
return just A records. If it is not specific it will return both.

> Our intranet is behind a NAT router which only has IPv4 connection to our
> ISP. If both an IPv4 and IPv6 address for a host on the internet is
> returned then applications may try to connect via IPv6 first, which fails
> in this case.
> 

The NAT router needs to be replaced. IPv6 has been around for a very
long time and there is no excuse for a manufacturer not to support IPv6
as well as IPv4.

> Interestingly, some application/machines try to use IPv4 first, whereas
> others try to use IPv6 first. I'm not sure whether this is a global
> configuration option of the IP stack, or due to the application. A good way
> to see what's going on is to use wget. 
> 

If the client is using getaddrinfo() and is not specific about which
type of address it wants it will get back both. You can specify to
getaddrinfo() just one or the other. The older gethostbyname() only
supports IPv4 addresses and that's all you will get, but it's still
present in a lot of applications.

> I know a possible solution would be to use an IPv6-over-IPv4 tunnel to the
> internet. However, if this has not been set up then access may fail for a
> reason which is not obvious.
> 

The solution to this is to support IPv6. IPv6-over-IPv4 is a hack that
should go away.

> AFAIK some browsers, e.g. Firefox, can be configured to prefer either IPv4
> or IPv6, so this can be solved without a tunnel.
> 
> A good solution would be to let the local DNS server discard IPv6 addresses
> returned from forwarders while maintaining IPv6 support for the local
> zone/network, but I currently don't know if/how this can be configured for
> bind 9.
> 
> Danny, any ideas?  ;-))
> 

That cannot be done. Your DNS accepts all requests and returns the
results based on the request. Why are you using forwarders? They
shouldn't be used unless you absolutely have to. It makes you dependent
on the system to whom you are forwarding queries and you get no benefit
from that. You should be doing your own requests. I know of two use
cases that require the use of forwarders. I doubt that they apply to you
and one of those cases doesn't apply to queries outside your network.

Danny

> 
> Martin
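
The getaddrinfo() behaviour discussed in this message, as an added example that is not part of the original thread: the family set in the hints decides whether a caller gets IPv4 results, IPv6 results, or both. The helper name count_addrs and the port "80" are assumptions made for the illustration.

```c
/* Added example (not from the thread): effect of hints.ai_family. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper: resolve `host` restricted to `family` (AF_UNSPEC,
 * AF_INET or AF_INET6) and count the results per address family.
 * Returns 0 on success, otherwise the getaddrinfo() error code. */
int count_addrs(const char *host, int family, int flags, int *n4, int *n6)
{
    struct addrinfo hints, *res, *ai;
    int rc;

    *n4 = *n6 = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;         /* AF_UNSPEC asks for A and AAAA */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address */
    hints.ai_flags = flags;           /* e.g. AI_NUMERICHOST for literals */

    rc = getaddrinfo(host, "80", &hints, &res);
    if (rc != 0)
        return rc;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET)
            (*n4)++;
        else if (ai->ai_family == AF_INET6)
            (*n6)++;
    }
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "www.ntp.org";
    const int fams[] = { AF_UNSPEC, AF_INET, AF_INET6 };
    const char *names[] = { "AF_UNSPEC", "AF_INET", "AF_INET6" };

    for (int i = 0; i < 3; i++) {
        int n4, n6, rc = count_addrs(host, fams[i], 0, &n4, &n6);
        if (rc != 0)
            printf("%-9s error: %s\n", names[i], gai_strerror(rc));
        else
            printf("%-9s IPv4=%d IPv6=%d\n", names[i], n4, n6);
    }
    return 0;
}
```

Run against a dual-stacked name from a host behind an IPv4-only path, the AF_UNSPEC line shows the IPv6 entries that an application may attempt before falling back to IPv4.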

