Bugzilla – Bug 502
do-ip6: no does not disable ip6 queries.
Last modified: 2014-04-11 09:16:43 CEST
After setting do-ip6 to no, restarting unbound and doing a "dig -t AAAA google.com @localhost", to my dismay I found I still got ip6 replies.

    ~% host transip.eu
    transip.eu has address 95.170.78.50
    transip.eu has IPv6 address 2a01:7c8:2305::1337

As a matter of fact, checking with lsof, the "do-ip6" option disables or enables listening on ip6. It does not disable replying to queries. So what I would expect is that in case I set do-ip6: no (which I would set if the network stack doesn't support or need it) it disables listening on ip6 _and_ refuses to do lookups of ipv6 addresses. So that I get this answer:

    ~% host transip.eu
    transip.eu has address 95.170.78.50
Hi Han,

This is intentional. It is possible (perhaps even common) for IPv6-capable hosts to query for the IPv6 addresses over IPv4 DNS. Thus, disabling the IPv6 sockets on the DNS server should not impact the resolution of the AAAA resource records. Denial of such resolution could even give security failures if DNSSEC is enabled.

I believe BIND may have some sort of option that disables AAAA lookups for people that query over IPv4.

Basically, the hosts should not query for IPv6 if they cannot use it (properly), hence the IPv6 service is fine. If your hosts all do something awful (Teredo? 6to4? tunneling is what I heard is the biggest issue (at the RIPE conference)) with IPv6 and you want to turn off IPv6, the host configuration gives you the best network configuration (well, in the end).

Again, unbound does not have these weird hacks to work around brokenness, but you could script them yourself with the python scripting if you really wanted to. Or perhaps your network is not broken, but you have been surprised by the documentation of do-ip6 (and that does sound a little too general)?

Best regards, Wouter
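Editor's added example, following Wouter's pointer to the python scripting; it is not part of this bug report and not unbound's own code. It is a pythonmod script that answers AAAA queries arriving over IPv4 with an empty NOERROR reply and passes everything else through, so the effect Han asked for is implemented as a policy on top of do-ip6 rather than as a side effect of it. It assumes unbound's python module API (MODULE_EVENT_NEW, DNSMessage, qstate.mesh_info.reply_list.query_reply.family and friends), which unbound places in the script's namespace when it loads the file, and the unbound.conf fragment and script path given in the header comment are mine.

```python
# Added example, not code from the bug report or from unbound itself.
# An unbound python module (pythonmod) that answers AAAA queries coming in
# over IPv4 with an empty NOERROR reply and passes everything else on.
# Names such as MODULE_EVENT_NEW, RR_TYPE_AAAA, DNSMessage and log_info are
# provided by unbound's unboundmodule namespace when the script is loaded;
# they are not imported here. Assumed unbound.conf (the paths are mine):
#
#   server:
#       do-ip6: no
#       module-config: "validator python iterator"
#   python:
#       python-script: "/etc/unbound/no_aaaa_for_v4.py"

AAAA_QTYPE = 28  # RR type code for AAAA; lets the policy be tested without unbound


def policy_blocks(qtype, family):
    """True when a query should get a synthesized empty answer.

    family is the client address family as unbound reports it ("ip4" or
    "ip6"), or None for an internal sub-query that has no client and must
    always be passed through.
    """
    return qtype == AAAA_QTYPE and family == "ip4"


def client_family(qstate):
    """Address family of the client that sent this query, or None."""
    reply_list = qstate.mesh_info.reply_list
    if reply_list is None:
        return None
    return reply_list.query_reply.family


def init(id, cfg):
    log_info("no_aaaa_for_v4: loaded as module %d" % id)
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if policy_blocks(qstate.qinfo.qtype, client_family(qstate)):
            # Synthesize an empty NOERROR (NODATA) reply. It carries no RRSIG
            # or NSEC records, so it cannot validate: this is the DNSSEC
            # failure mode mentioned in the thread, accepted on purpose here.
            msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_AAAA,
                             RR_CLASS_IN, PKT_QR | PKT_RA)
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        # Anything else (A, AAAA over IPv6, internal sub-queries) goes on to
        # the next module in module-config, i.e. the iterator.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True

    if event == MODULE_EVENT_MODDONE:
        # The iterator has produced an answer; hand it back unchanged.
        qstate.ext_state[id] = MODULE_FINISHED
        return True

    log_err("no_aaaa_for_v4: unexpected event %d" % event)
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

The synthesized NODATA answer has no signatures or denial-of-existence proof, so a validating client, or a validator module ahead of this one for a signed zone, will treat it as bogus and the client sees SERVFAIL; that is the security failure Wouter describes, and it is the price of refusing AAAA answers rather than just closing the IPv6 sockets. do-ip6: no on its own remains the right knob when the goal is only to stop unbound using IPv6 transport.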
> I believe BIND may have some sort of option that disables AAAA lookups for
> people that query over IPv4.

While BIND has some features of that kind, they are not really usable.
Hi Han,

Added documentation to the man page to explain that AAAA lookups occur while do-ip6 is no.

Best regards, Wouter