[opensuse] openSUSE, OpenWRT and IPv6 / disabling IPv6?
Since I switched my Internet router from a Fritz!Box back to an OpenWRT router, I have the problem, that several programs (especially Apache in proxy mode) randomly try to connect external sites using IPv6, which fails.
From /var/log/apache2/error_log:
[Fri Oct 02 09:37:55.577280 2015] [proxy:error] [pid 27925] (101)Network is unreachable: [client 127.0.0.1:43218] AH00939: CONNECT: attempt to connect to [2a02:2e0:3fe:1001:7777:772e:2:85]:80 (www.heise.de) failed
My setup:
* Router: OpenWrt Backfire 10.03.1 (Dnsmasq version 2.55) connected with a Congstar cable modem
* openSUSE 13.2 with static IPv4 configuration with Wicked
* Congstar cable provider (Congstar DNS server 5.61.190.6 replies DNS queries with A (IPv4) and AAAA (IPv6) records; no IPv6 networking)
* Apache 2.4.10 configured with proxy modules (proxy_module, proxy_connect_module, proxy_ftp_module, proxy_http_module, proxy_html_module)
I already tried to prioritize IPv4 DNS using /etc/gai.conf:
precedence ::ffff:0:0/96 100
scopev4 ::ffff:169.254.0.0/112 2
scopev4 ::ffff:127.0.0.0/104 2
scopev4 ::ffff:0.0.0.0/96 14
How can I repair broken IPv6 setup or disable IPv6?
Greetings, Björn
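An added example (not part of the original post): a Python triage of AH00939 proxy errors like the one quoted above, separating hosts whose only failures are IPv6 attempts with errno 101 from hosts where an IPv4 attempt also failed. The first sample line is the one from this post; the other two are constructed, and the unbracketed IPv4 target form, the function names and the verdict names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Linux errno that Apache prints as "(101)Network is unreachable".
ENETUNREACH = 101

# Matches the AH00939 proxy error; the optional ":tid N" covers threaded MPMs.
AH00939 = re.compile(
    r"\[pid \d+(?::tid \d+)?\] \((?P<errno>\d+)\)[^:]*: \[client [^\]]+\] "
    r"AH00939: \w+: attempt to connect to (?P<target>\S+) "
    r"\((?P<host>[^)]+)\) failed"
)

# Line 1 is the log line from the post. Lines 2 and 3 are constructed and use
# documentation addresses (2001:db8::/32, 192.0.2.0/24) and a made-up host.
SAMPLE_LOG = """\
[Fri Oct 02 09:37:55.577280 2015] [proxy:error] [pid 27925] (101)Network is unreachable: [client 127.0.0.1:43218] AH00939: CONNECT: attempt to connect to [2a02:2e0:3fe:1001:7777:772e:2:85]:80 (www.heise.de) failed
[Fri Oct 02 09:40:01.000001 2015] [proxy:error] [pid 27925] (101)Network is unreachable: [client 127.0.0.1:43300] AH00939: HTTP: attempt to connect to [2001:db8::10]:80 (www.example.org) failed
[Fri Oct 02 09:40:31.000002 2015] [proxy:error] [pid 27925] (110)Connection timed out: [client 127.0.0.1:43300] AH00939: HTTP: attempt to connect to 192.0.2.10:80 (www.example.org) failed
""".splitlines()


def parse(line):
    """Return (hostname, ip_version, errno) for an AH00939 line, else None."""
    m = AH00939.search(line)
    if m is None:
        return None
    target = m["target"]
    if target.startswith("["):
        # IPv6 targets are logged as [address]:port
        addr = target[1:target.index("]")]
    else:
        # Assumed IPv4 form: address:port
        addr = target.rsplit(":", 1)[0]
    return m["host"], ipaddress.ip_address(addr).version, int(m["errno"])


def triage(lines):
    """Classify each proxied hostname by the kind of connect failure seen."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is not None:
            host, version, err = rec
            seen[host].append((version, err))
    verdicts = {}
    for host, events in seen.items():
        if any(version == 4 for version, _ in events):
            # An IPv4 attempt failed too: a real reachability problem.
            verdicts[host] = "ipv4-failure"
        elif all(err == ENETUNREACH for _, err in events):
            # Only IPv6 attempts, all rejected locally: no IPv6 route here.
            verdicts[host] = "ipv6-no-route"
        else:
            verdicts[host] = "ipv6-other"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```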
On 2015-10-02 09:53, Bjoern Voigt wrote:
Since I switched my Internet router from a Fritz!Box back to an OpenWRT router, I have the problem, that several programs (especially Apache in proxy mode) randomly try to connect external sites using IPv6, which fails.
Is your machine using asking dnsmasq on the router, or another external DNS? The former would make a difference when switching a router. And in that case you would have to investigate it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2015-10-02 09:53, Bjoern Voigt wrote:
Since I switched my Internet router from a Fritz!Box back to an OpenWRT router, I have the problem, that several programs (especially Apache in proxy mode) randomly try to connect external sites using IPv6, which fails.
Is your machine using asking dnsmasq on the router, or another external DNS? The former would make a difference when switching a router. And in that case you would have to investigate it.
openSUSE box' resolv.conf points to the routers DNS resolver (dnsmasq). Dnsmasq on the router forwards Internet queries to the providers DNS server.
I get A and AAAA records on the openSUSE box and on the router:
openSUSE box:
$ host www.heise.de
www.heise.de has address 193.99.144.85
www.heise.de has IPv6 address 2a02:2e0:3fe:1001:7777:772e:2:85
openSUSE box with DNS address of the router explicit:
$ host www.heise.de 192.168.0.1
Using domain server:
Name: 192.168.0.1
Address: 192.168.115.1#53
Aliases:
www.heise.de has address 193.99.144.85
www.heise.de has IPv6 address 2a02:2e0:3fe:1001:7777:772e:2:85
On the router ("host" is not available here):
$ nslookup www.heise.de
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.
Name: www.heise.de
Address 1: 2a02:2e0:3fe:1001:7777:772e:2:85 www.heise.de
Address 2: 193.99.144.85 www.heise.de
Greetings, Björn
On 2015-10-02 11:13, Bjoern Voigt wrote:
openSUSE box' resolv.conf points to the routers DNS resolver (dnsmasq). Dnsmasq on the router forwards Internet queries to the providers DNS server.
I get A and AAAA records on the openSUSE box and on the router:
openSUSE box:
$ host www.heise.de
www.heise.de has address 193.99.144.85
www.heise.de has IPv6 address 2a02:2e0:3fe:1001:7777:772e:2:85
Well, as you get an IPv6 address, openSUSE tries it. Or sometimes tries it. I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6. However, you can disable IPv6 completely on your machine. Or you could try to add: precedence ::ffff:0:0/96 100 to "/etc/gai.conf" -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-10-02 12:19, Carlos E. R. wrote:
I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6.
I found a trick for Ubuntu. Edit "/etc/default/bind9":
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"
I don't know what would be the equivalent for openSUSE, but anyway, you are not using bind.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2015-10-02 12:19, Carlos E. R. wrote:
I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6.
I found a trick for Ubuntu. Edit "/etc/default/bind9":
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"
I haven't checked, but I think that only instructs bind to use IPv4 for lookups, that's all.
-- Per Jessen, Zürich (12.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Quoting Per Jessen <per@computer.org>:
Carlos E. R. wrote:
On 2015-10-02 12:19, Carlos E. R. wrote:
I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6
I found a trick for Ubuntu. Edit "/etc/default/bind9":
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"
I haven't checked, but I think that only instructs bind to use IPv4 for lookups, that's all.
Correct, this does *NOT* disable IPv6 resolution. You can perform IPv6 lookups over IPv4 and vice-versa; it only instructs the bind server how to perform operations.
Carlos E. R. wrote:
I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6.
No, that is not correct. The DNS server only supplies an IPv6 address when asked (AAAA lookup). 'host' does two lookups, one for A, one for AAAA. Then it is up to the local system to figure out what to do with the answers. When gai.conf is left as default, IPv6 is preferred over IPv4, with fallback to IPv4. Works fine on every one of my openSUSE boxes.
Björn, on your machine where you have the unwanted IPv6 connection attempts, what does your network look like? Please post output:
ip addr show
ip route show
ip -6 route show
ping www.heise.de
ping6 www.heise.de
-- Per Jessen, Zürich (12.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-10-02 13:05, Per Jessen wrote:
'host' does two lookups, one for A, one for AAAA. Then it is up to the local system to figure out what to do with the answers.
When gai.conf is left as default, IPv6 is preferred over IPv4, with fallback to IPv4. Works fine on every one of my openSUSE boxes.
Only if you have IPv6 internet. I don't. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2015-10-02 13:05, Per Jessen wrote:
'host' does two lookups, one for A, one for AAAA. Then it is up to the local system to figure out what to do with the answers.
When gai.conf is left as default, IPv6 is preferred over IPv4, with fallback to IPv4. Works fine on every one of my openSUSE boxes.
Only if you have IPv6 internet. I don't.
Actually it works fine when you don't have it too.
-- Per Jessen, Zürich (14.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2015-10-02 14:21, Per Jessen wrote:
Only if you have IPv6 internet. I don't.
Actually it works fine when you don't have it too.
Prior to me changing the gai.conf policy, I had some network failures when some program attempted to contact a place on IPv6 instead of IPv4. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2015-10-02 14:21, Per Jessen wrote:
Only if you have IPv6 internet. I don't.
Actually it works fine when you don't have it too.
Prior to me changing the gai.conf policy, I had some network failures when some program attempted to contact a place on IPv6 instead of IPv4.
I think the only time I have seen it has been with zypper when an IPv4 address/mirror is unreachable and it has to fall back to IPv6 - the error is then reported as if it is an IPv6 problem, when in fact it is lack of an IPv4 connection.
-- Per Jessen, Zürich (16.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2015-10-02 16:45, Per Jessen wrote:
Carlos E. R. wrote:
Prior to me changing the gai.conf policy, I had some network failures when some program attempted to contact a place on IPv6 instead of IPv4.
I think the only time I have seen it has been with zypper when an IPv4 address/mirror is unreachable and it has to fall back to IPv6 - the error is then reported as if it is an IPv6 problem, when in fact it is lack of an IPv4 connection.
Yes, that problem is typical. I had some other problem, but I don't recall it. Apparently I did not write a note. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Per Jessen wrote:
Carlos E. R. wrote:
I'm not aware of a method to tell the DNS server not to provide IPv6 answers, which is what would be needed when the ISP does not provide IPv6. No, that is not correct. The DNS server only supplies an IPv6 address when asked (AAAA lookup).
'host' does two lookups, one for A, one for AAAA. Then it is up to the local system to figure out what to do with the answers.
When gai.conf is left as default, IPv6 is preferred over IPv4, with fallback to IPv4. Works fine on every one of my openSUSE boxes.
Björn, on your machine where you have the unwanted IPv6 connection attempts, what does your network look like? Please post output:
ip addr show
ip route show
ip -6 route show
ping www.heise.de
ping6 www.heise.de
Ok, this is the output of the commands:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 70:71:bc:79:01:80 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 70:71:bc:79:01:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.2/24 brd 192.168.5.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7271:bcff:fe72:12e8/64 scope link
       valid_lft forever preferred_lft forever
4: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 52:54:00:0d:23:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
       valid_lft forever preferred_lft forever
5: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN group default qlen 500
    link/ether 52:54:00:0d:23:c3 brd ff:ff:ff:ff:ff:ff
# ip route show
default via 192.168.5.1 dev br0
unreachable 10.0.0.0/8 scope host
unreachable 172.16.0.0/12 scope host
192.168.100.0/24 dev virbr1 proto kernel scope link src 192.168.100.1
192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.2
# ip -6 route show
fe80::/64 dev br0 proto kernel metric 256
# ping -c3 www.heise.de
PING www.heise.de (193.99.144.85) 56(84) bytes of data.
64 bytes from www.heise.de (193.99.144.85): icmp_seq=1 ttl=249 time=33.3 ms
64 bytes from www.heise.de (193.99.144.85): icmp_seq=2 ttl=249 time=33.1 ms
64 bytes from www.heise.de (193.99.144.85): icmp_seq=3 ttl=249 time=30.5 ms
--- www.heise.de ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 30.515/32.334/33.309/1.295 ms
# ping6 -c3 www.heise.de
connect: Network is unreachable
Greetings, Björn
Bjoern Voigt wrote:
Per Jessen wrote:
Björn, on your machine where you have the unwanted IPv6 connection attempts, what does your network look like? Please post output:
ip addr show
ip route show
ip -6 route show
ping www.heise.de
ping6 www.heise.de
Ok, this is the output of the commands:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 70:71:bc:79:01:80 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 70:71:bc:79:01:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.2/24 brd 192.168.5.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7271:bcff:fe72:12e8/64 scope link
       valid_lft forever preferred_lft forever
[snip]
# ip route show
default via 192.168.5.1 dev br0
unreachable 10.0.0.0/8 scope host
unreachable 172.16.0.0/12 scope host
192.168.100.0/24 dev virbr1 proto kernel scope link src 192.168.100.1
192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.2
# ip -6 route show
fe80::/64 dev br0 proto kernel metric 256
# ping -c3 www.heise.de
PING www.heise.de (193.99.144.85) 56(84) bytes of data.
64 bytes from www.heise.de (193.99.144.85): icmp_seq=1 ttl=249 time=33.3 ms
64 bytes from www.heise.de (193.99.144.85): icmp_seq=2 ttl=249 time=33.1 ms
64 bytes from www.heise.de (193.99.144.85): icmp_seq=3 ttl=249 time=30.5 ms
--- www.heise.de ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 30.515/32.334/33.309/1.295 ms
# ping6 -c3 www.heise.de
connect: Network is unreachable
Nothing wrong with any of this, afaict. On your apache system, perhaps try retrieving URLs with wget and see what happens. On my 13.2 systems, wget will choose ipv4 when there's no ipv6. If you have the default gai.conf, and you have ipv4 connectivity, there is no reason for apache to attempt to use ipv6.
-- Per Jessen, Zürich (15.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Per Jessen wrote:
Nothing wrong with any of this, afaict. On your apache system, perhaps try retrieving URLs with wget and see what happens. On my 13.2 systems, wget will choose ipv4 when there's no ipv6.
If you have the default gai.conf, and you have ipv4 connectivity, there is no reason for apache to attempt to use ipv6.
OK. I had to change the router firmware because of issues with the OpenWRT 10.03.1 firmware. So probably, the IPv6 issue goes away with the OpenWRT 10.03.1 firmware.
Probably the issue was, that dnsmasq from OpenWRT 10.03.1 changed the sorting of A (IPv4) and AAAA (IPv6) DNS replies. And if Apache gets the AAAA first and then A, it will probably try to connect the AAAA address first. If my Linux box answers this immediately with "Network is unreachable" (see routing table with no IPv6 default route), Apache continues with IPv4 milliseconds later. If both A and AAAA addresses can't connect, Apache will log one or both of the addresses. And IPv6 addresses in logs confuse the users, if there is no IPv6 connectivity.
Greetings, Björn
Bjoern Voigt wrote:
OK. I had to change the router firmware because of issues with the OpenWRT 10.03.1 firmware. So probably, the IPv6 issue goes away with the OpenWRT 10.03.1 firmware.
Probably the issue was, that dnsmasq from OpenWRT 10.03.1 changed the sorting of A (IPv4) and AAAA (IPv6) DNS replies. And if Apache gets the AAAA first and then A, it will probably try to connect the AAAA address first.
Yes I think that's correct. With "wget", the order of the addresses for "www.heise.de" does change depending on whether the client system has ipv6 or not.
/Per
Per Jessen wrote:
Bjoern Voigt wrote:
OK. I had to change the router firmware because of issues with the OpenWRT 10.03.1 firmware. So probably, the IPv6 issue goes away with the OpenWRT 10.03.1 firmware.
Probably the issue was, that dnsmasq from OpenWRT 10.03.1 changed the sorting of A (IPv4) and AAAA (IPv6) DNS replies. And if Apache gets the AAAA first and then A, it will probably try to connect the AAAA address first.
Yes I think that's correct. With "wget", the order of the addresses for "www.heise.de" does change depending on whether the client system has ipv6 or not.
This raises the question how exactly an application detects whether a Linux system "has ipv6 or not".
I think, standard openSUSE installations activate IPv4 and IPv6 on all interfaces. Network cards need to find a RADVD or DHCPv6 server in order to get a valid IPv6 configuration. Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Greetings, Björn
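An added example, not code from any poster: a Python model of a client that tries addresses strictly in resolver order, covering both the AAAA-first case described earlier in the thread and the RADVD-without-provider-IPv6 case above. The two simulated hosts, the 30-second timeout and the function names are assumptions; `prefer_ipv4` is a simplification of the gai.conf precedence line, not glibc's full sort.

```python
import errno
import socket
import time

# Constructed resolver answer in socket.getaddrinfo() tuple form, AAAA first,
# using the two www.heise.de addresses quoted in the thread.
HEISE_AAAA_FIRST = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "",
     ("2a02:2e0:3fe:1001:7777:772e:2:85", 80, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("193.99.144.85", 80)),
]


def prefer_ipv4(addrinfos):
    """Stable reorder with IPv4 first: a simplified model of the effect of
    'precedence ::ffff:0:0/96 100' in /etc/gai.conf."""
    return sorted(addrinfos, key=lambda ai: ai[0] != socket.AF_INET)


def walk(addrinfos, probe):
    """Try addresses strictly in the given order, like a sequential client.

    probe(family, sockaddr) returns (errno_or_0, seconds_spent).
    Returns (connected_ip_or_None, failures, seconds_lost_to_failures).
    """
    failures, lost = [], 0.0
    for family, _type, _proto, _canon, sockaddr in addrinfos:
        err, spent = probe(family, sockaddr)
        if err == 0:
            return sockaddr[0], failures, lost
        failures.append((sockaddr[0], errno.errorcode.get(err, str(err))))
        lost += spent
    return None, failures, lost


def host_without_v6_route(family, sockaddr):
    """Simulated host with only fe80::/64 in 'ip -6 route show': connect()
    to a global IPv6 address fails at once with ENETUNREACH."""
    if family == socket.AF_INET6:
        return errno.ENETUNREACH, 0.0
    return 0, 0.03


def host_with_dead_v6_route(connect_timeout):
    """Simulated host that got an IPv6 address and default route from the LAN
    while the provider carries no IPv6: the attempt runs into the timeout."""
    def probe(family, sockaddr):
        if family == socket.AF_INET6:
            return errno.ETIMEDOUT, connect_timeout
        return 0, 0.03
    return probe


def real_probe(timeout=5.0):
    """Probe that performs an actual TCP connect, for use on a live host."""
    def probe(family, sockaddr):
        start = time.monotonic()
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            err = 0
        except socket.timeout:
            err = errno.ETIMEDOUT
        except OSError as exc:
            err = exc.errno or errno.EIO
        return err, time.monotonic() - start
    return probe


if __name__ == "__main__":
    cases = [
        ("no IPv6 route", HEISE_AAAA_FIRST, host_without_v6_route),
        ("dead IPv6 route", HEISE_AAAA_FIRST, host_with_dead_v6_route(30.0)),
        ("dead IPv6 route, IPv4 preferred",
         prefer_ipv4(HEISE_AAAA_FIRST), host_with_dead_v6_route(30.0)),
    ]
    for label, addrs, probe in cases:
        ip, failures, lost = walk(addrs, probe)
        print(f"{label}: connected={ip} lost={lost:.1f}s failures={failures}")
```

On a live machine, pass `socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)` and `real_probe()` to `walk` to see the order and cost on that system.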
Bjoern Voigt wrote:
Per Jessen wrote:
Bjoern Voigt wrote:
OK. I had to change the router firmware because of issues with the OpenWRT 10.03.1 firmware. So probably, the IPv6 issue goes away with the OpenWRT 10.03.1 firmware.
Probably the issue was, that dnsmasq from OpenWRT 10.03.1 changed the sorting of A (IPv4) and AAAA (IPv6) DNS replies. And if Apache gets the AAAA first and then A, it will probably try to connect the AAAA address first.
Yes I think that's correct. With "wget", the order of the addresses for "www.heise.de" does change depending on whether the client system has ipv6 or not.
This raises the question how exactly an application detects whether a Linux system "has ipv6 or not".
Yes, I was thinking about that too. I don't think it's up to the application though, I'm sure it's in the name resolution, i.e. getaddrinfo() and therefore controlled by gai.conf. An IPv6-aware application would use getaddrinfo() with AF_UNSPEC to get both addresses, but the ordering is determined by getaddrinfo().
I think, standard openSUSE installations activate IPv4 and IPv6 on all interfaces.
Yes that is the default.
Network cards need to find a RADVD or DHCPv6 server in order to get a valid IPv6 configuration.
Or have a static config.
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity.
Definitely correct.
Also a temporary situation may change from time to time.
Absolutely - it's easily done with RADVD. Add/remove a client link-local address to/from the clients{} section of radvd.conf, then the client will be with or without IPv6.
-- Per Jessen, Zürich (16.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely. Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network. Or having the DNS not answering with Ipv6 addresses, even if it finds them.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Mon, Oct 5, 2015 at 4:41 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network. Or
Same for IPv4. How can you determine that system has (no) global connectivity? Windows attempts to reach some well known hosts (that is what indicator in tray is based on); but in any case it is just advisory, it does not change actual program behavior.
On 2015-10-05 15:53, Andrei Borzenkov wrote:
Same for IPv4. How can you determine that system has (no) global connectivity? Windows attempts to reach some well known hosts (that is what indicator in tray is based on); but in any case it is just advisory, it does not change actual program behavior.
SuSE pinged suse.de ;-)
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network.
"ipv6 internet" and "ipv6 local network" are concepts you apply (e.g. by different address ranges), but the network stack does not know about it. Same as for IPv4. (ignoring RFC1918).
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
-- Per Jessen, Zürich (16.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2015-10-06 10:45, Per Jessen wrote:
Carlos E. R. wrote:
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
That's fine with me :-))
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Tue, 6 Oct 2015 10:45, Per Jessen <per@...> wrote:
Carlos E. R. wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network.
"ipv6 internet" and "ipv6 local network" are concepts you apply (e.g. by different address ranges), but the network stack does not know about it. Same as for IPv4. (ignoring RFC1918).
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
Oh, yes that would be ugly and introducing timeouts. Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations. Been there, done that, wasted a day, got ugly feedback from customer until the above mentioned solution was implemented.
For the Mozilla products, adding the following line to the prefs.js helps:
user_pref("network.dns.disableIPv6", true);
- Yamaban.
On 2015-10-06 16:41, Yamaban wrote:
Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations.
Can it be done? I mean, configure bind or dnsmasq to do that?
For the Mozilla products, adding the following line to the prefs.js helps: user_pref("network.dns.disableIPv6", true);
Noted, thanks.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Tue, 6 Oct 2015 17:09, Carlos E. R. <robin.listas@...> wrote:
On 2015-10-06 16:41, Yamaban wrote:
Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations.
Can it be done? I mean, configure bind or dnsmasq to do that?
At the time (late 2014) the easiest solution was patching and rebuilding dnsmasq. Install sourcerpm, add patch-file, modify spec-file, rpmbuild ... Sorry, my exemplar of the patch got lost in the last hdd crash in March. (In AAAA handler answer with NXDOMAIN instead of sending lookup)
- Yamaban.
Yamaban wrote:
On Tue, 6 Oct 2015 10:45, Per Jessen <per@...> wrote:
Carlos E. R. wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network.
"ipv6 internet" and "ipv6 local network" are concepts you apply (e.g. by different address ranges), but the network stack does not know about it. Same as for IPv4. (ignoring RFC1918).
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
Oh, yes that would be ugly and introducing timeouts.
Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations.
Uh no - if your application wants an AAAA address, it is not up to the nameserver to say "well, you can't have it". IMHO.
-- Per Jessen, Zürich (14.0°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Tue, 6 Oct 2015 23:20, Per Jessen <per@...> wrote:
Yamaban wrote:
On Tue, 6 Oct 2015 10:45, Per Jessen <per@...> wrote:
Carlos E. R. wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network.
"ipv6 internet" and "ipv6 local network" are concepts you apply (e.g. by different address ranges), but the network stack does not know about it. Same as for IPv4. (ignoring RFC1918).
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
Oh, yes that would be ugly and introducing timeouts.
Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations.
Uh no - if your application wants an AAAA address, it is not up to the nameserver to say "well, you can't have it". IMHO.
Yes, and No.
Such a solution has its place, esp. if your ISP makes working native ipv6 configuration impossible. (Hello, Vodafone)
An answer of NXDOMAIN can be cached, while a no-response will be repeated for EVERY future dns request, and running into time-out EVERY time. Your customers will be deliriously happy with a 30-60sec. timeout for every DNS request in their applications. You can feel the hate wafting off.
A dns-server / dns-repeater should provide the possibility to configure such a "no-valid-ipv6", or at least "no-valid-non-local-ipv6" response, even better if also the other way round, "ipv4-only-as-mapped-ipv6" is possible to configure.
In an ideal world such crutches would not be needed, but, hello reality.
IMHO a clear answer (NXDOMAIN) is better than blocking / dropping / ignoring a "AAAA" request. Less timeouts, and a defined behaviour.
- Yamaban.
On 2015-10-06 23:48, Yamaban wrote:
In an ideal world such crutches would not be needed, but, hello reality.
IMHO a clear answer (NXDOMAIN) is better than blocking / dropping / ignoring a "AAAA" request. Less timeouts, and a defined behaviour.
Not bad :-) Unfortunately, if one wants it, one has to code it and build it. Not a config option :-(
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Yamaban wrote:
On Tue, 6 Oct 2015 23:20, Per Jessen <per@...> wrote:
Yamaban wrote:
On Tue, 6 Oct 2015 10:45, Per Jessen <per@...> wrote:
Carlos E. R. wrote:
On 2015-10-05 13:07, Bjoern Voigt wrote:
Having a running RADVD or DHCPv6 server on the router or somewhere else in the LAN does not necessarily mean, that the Internet provider offers IPv6 connectivity. Also a temporary situation may change from time to time.
Yes, that is the issue precisely.
Apparently it is not possible a solution like letting the system know it should not use IPv6 on internet, only on the local network.
"ipv6 internet" and "ipv6 local network" are concepts you apply (e.g. by different address ranges), but the network stack does not know about it. Same as for IPv4. (ignoring RFC1918).
Or having the DNS not answering with Ipv6 addresses, even if it finds them.
A DNS server that does not respond to AAAA queries is not really a DNS server.
Oh, yes that would be ugly and introducing timeouts.
Correct would be an answer of "NXDOMAIN" on all AAAA queries for "noipv6" or "onlyipv4" configurations.
Uh no - if your application wants an AAAA address, it is not up to the nameserver to say "well, you can't have it". IMHO.
Yes, and No.
Such a solution has its place, esp. if your ISP makes working native ipv6 configuration impossible. (Hello, Vodafone)
An answer of NXDOMAIN can be cached, while a no-response will be repeated for EVERY future dns request, and running into time-out EVERY time. Your customers will be deliriously happy with a 30-60sec. timeout for every DNS request in their applications. You can feel the hate wafting off.
A dns-server / dns-repeater should provide the possibility to configure such a "no-valid-ipv6", or at least "no-valid-non-local-ipv6" response, even better if also the other way round, "ipv4-only-as-mapped-ipv6" is possible to configure.
In an ideal world such crutches would not be needed, but, hello reality.
IMHO a clear answer (NXDOMAIN) is better than blocking / dropping / ignoring a "AAAA" request. Less timeouts, and a defined behaviour.
I guess I don't quite appreciate when this would be required, but yes, any clear answer is better than no answer, absolutely. Still, it doesn't seem to me to be a job for the nameserver to determine what is good for the application or not.
-- Per Jessen, Zürich (15.6°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
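Added example, not code from any poster or from dnsmasq: the "clear answer instead of dropping AAAA" idea discussed above, as a function a DNS forwarder could call on each incoming query. It replies with an empty NOERROR message (NODATA) rather than the NXDOMAIN named in the thread, because NXDOMAIN states that the name has no records of any type; the function names and the sample query are constructed for this example.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (constructed sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def question_end(msg):
    """Return the offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):  # root label plus 2-byte QTYPE and 2-byte QCLASS
        raise ValueError("truncated question")
    return pos + 5

def answer_aaaa_with_nodata(query):
    """Return an empty NOERROR reply for an AAAA question, or None for any
    other query (None means: forward it upstream unchanged)."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:  # a response, or not exactly one question
        return None
    end = question_end(query)
    qtype, _qclass = struct.unpack("!HH", query[end - 4:end])
    if qtype != QTYPE_AAAA:
        return None
    # QR=1, RA=1, RCODE=0; the client's opcode and RD bit are copied back.
    rflags = 0x8000 | 0x0080 | (flags & 0x7900)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:end]  # echo the question, zero answer records

if __name__ == "__main__":
    reply = answer_aaaa_with_nodata(build_query("www.heise.de", QTYPE_AAAA))
    print(reply.hex())
```

The client gets an immediate, well-formed reply and falls back to the A record without waiting for a timeout.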
On 2015-10-07 15:51, Per Jessen wrote:
Yamaban wrote:
IMHO a clear answer (NXDOMAIN) is better than blocking / dropping / ignoring a "AAAA" request. Less timeouts, and a defined behaviour.
I guess I don't quite appreciate when this would be required, but yes, any clear answer is better than no answer, absolutely. Still, it doesn't seem to me to be a job for the nameserver to determine what is good for the application or not.
Well, it is a convenient hack, in the hands of the administrator :-) Yes, we could configure on each application that supports it to use only IPv6, but many do not have it. The available "hack" when everything else fails (using gai.conf, etc) we use is disable IPv6 support via kernel switch, systemwide. It is not possible to allow IPv6 on the local network and disable it on Internet (the use case is that the ISP doesn't provide it yet). Thus an interesting hack is that the DNS doesn't provide IPv6 answers, even when applications ask for it. Maybe another would be to route all external IPv6 connections to a dummy :-?? But this would produce timeouts and errors. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2015-10-07 15:51, Per Jessen wrote:
Yamaban wrote:
IMHO a clear answer (NXDOMAIN) is better than blocking / dropping / ignoring a "AAAA" request. Less timeouts, and a defined behaviour. I guess I don't quite appreciate when this would be required, but yes, any clear answer is better than no answer, absolutely. Still, it doesn't seem to me to be a job for the nameserver to determine what is good for the application or not. Well, it is a convenient hack, in the hands of the administrator :-)
Yes, we could configure on each application that supports it to use only IPv6, but many do not have it. The available "hack" when everything else fails (using gai.conf, etc) we use is disable IPv6 support via kernel switch, systemwide.
One problem with gai.conf is, that this file will not be changed dynamically by DHCP. So mobile laptop users have to change it manually, if they change the network and if the IPv4/IPv6 connectivity changes.
To avoid IPv6 timeouts it can be a solution to add a "reject" default route for IPv6. What is the correct syntax for this? (In IPv4 I can add reject routes like this: "route add -net 172.16.0.0 netmask 255.240.0.0 reject" (rejects all traffic to the 172.168.0.0/255.240.0.0 network))
Greetings, Björn
On 2015-10-07 18:18, Bjoern Voigt wrote:
One problem with gai.conf is, that this file will not be changed dynamically by DHCP. So mobile laptop users have to change it manually, if they change the network and if the IPv4/IPv6 connectivity changes.
Sorry, why would gai.conf need to be changed? :-? I know very little about that file. I only do this change:
#precedence ::1/128 50
#precedence ::/0 40
#precedence 2002::/16 30
#precedence ::/96 20
#precedence ::ffff:0:0/96 10
#
# For sites which prefer IPv4 connections change the last line to
# precedence ::ffff:0:0/96 100
And since I did that, I don't remember problems.
To avoid IPv6 timeouts it can be a solution to add a "reject" default route for IPv6. What is the correct syntax for this?
(In IPv4 I can add reject routes like this: "route add -net 172.16.0.0 netmask 255.240.0.0 reject" (rejects all traffic to the 172.168.0.0/255.240.0.0 network))
I don't know. But it is interesting, too.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
One problem with gai.conf is, that this file will not be changed dynamically by DHCP. So mobile laptop users have to change it manually, if they change the network and if the IPv4/IPv6 connectivity changes.
Sorry, why would gai.conf need to be changed? :-?
A laptop user may connect the laptop in Network1 with IPv6 and IPv4 enabled and later in Network2, where only IPv4 is available. For instance, the German Telekom offers IPv4/IPv6 connectivity for business and home users and some other providers currently only offer IPv4. A laptop user expects, that the laptop network configuration will be automatically adapted by DHCP when he switches the network. Changing gai.conf is AFAIK not a standard feature of the Linux DHCP clients.
Greetings, Björn
Bjoern Voigt wrote:
Carlos E. R. wrote:
One problem with gai.conf is, that this file will not be changed dynamically by DHCP. So mobile laptop users have to change it manually, if they change the network and if the IPv4/IPv6 connectivity changes.
Sorry, why would gai.conf need to be changed? :-?
A laptop user may connect the laptop in Network1 with IPv6 and IPv4 enabled and later in Network2, where only IPv4 is available. For instance, the German Telekom offers IPv4/IPv6 connectivity for business and home users and some other providers currently only offer IPv4. A laptop user expects, that the laptop network configuration will be automatically adapted by DHCP when he switches the network. Changing gai.conf is AFAIK not a standard feature of the Linux DHCP clients.
But surely changing gai.conf would only be necessary in those faulty environments where IPv6 addresses are handed out, but where the IPv6 network otherwise doesn't work ?
-- Per Jessen, Zürich (11.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-10-09 08:57, Per Jessen wrote:
Bjoern Voigt wrote:
Carlos E. R. wrote:
Sorry, why would gai.conf need to be changed? :-?
A laptop user may connect the laptop in Network1 with IPv6 and IPv4 enabled and later in Network2, where only IPv4 is available. For instance, the German Telekom offers IPv4/IPv6 connectivity for business and home users and some other providers currently only offer IPv4. A laptop user expects, that the laptop network configuration will be automatically adapted by DHCP when he switches the network. Changing gai.conf is AFAIK not a standard feature of the Linux DHCP clients.
I see.
But surely changing gai.conf would only be necessary in those faulty environments where IPv6 addresses are handed out, but where the IPv6 network otherwise doesn't work ?
Well... I don't know what gai.conf is normally intended for, for I suppose that handling missing IPv6 is not the main one :-?
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2015-10-09 08:57, Per Jessen wrote:
Bjoern Voigt wrote:
Carlos E. R. wrote:
Sorry, why would gai.conf need to be changed? :-?
A laptop user may connect the laptop in Network1 with IPv6 and IPv4 enabled and later in Network2, where only IPv4 is available. For instance, the German Telekom offers IPv4/IPv6 connectivity for business and home users and some other providers currently only offer IPv4. A laptop user expects, that the laptop network configuration will be automatically adapted by DHCP when he switches the network. Changing gai.conf is AFAIK not a standard feature of the Linux DHCP clients.
I see.
But surely changing gai.conf would only be necessary in those faulty environments where IPv6 addresses are handed out, but where the IPv6 network otherwise doesn't work ?
Well... I don't know what gai.conf is normally intended for, for I suppose that handling missing IPv6 is not the main one :-?
gai.conf controls the behaviour of the getaddrinfo() call. From the man page:
A call to getaddrinfo(3) might return multiple answers. According to RFC 3484 these answers must be sorted so that the answer with the highest success rate is first in the list. The RFC provides an algorithm for the sorting. The static rules are not always adequate, though. For this reason, the RFC also requires that system administrators should have the possibility to dynamically change the sorting. For the glibc implementation, this can be achieved with the /etc/gai.conf file.
For me, the default gai.conf (empty) has always worked, but I've never been in the situation of a partially crippled ipv6 network.
-- Per Jessen, Zürich (11.7°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
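Added example, not glibc code and not from any poster: how the precedence table quoted earlier in the thread changes which address comes first. It models only the precedence comparison of the RFC 3484 sort (getaddrinfo() applies other rules before it) and assumes the whole five-line table is active with the last line changed; the function names and the IPv4 sample address are constructed.

```python
import ipaddress

# Default precedence table, as listed (commented out) in the gai.conf quoted in this thread.
DEFAULT_GAI_CONF = """\
precedence ::1/128       50
precedence ::/0          40
precedence 2002::/16     30
precedence ::/96         20
precedence ::ffff:0:0/96 10
"""
# Same table with the last line changed as that file suggests for sites preferring IPv4.
PREFER_IPV4_GAI_CONF = DEFAULT_GAI_CONF.replace("::ffff:0:0/96 10", "::ffff:0:0/96 100")

# IPv6 address from the Apache error log in the first post; the IPv4 address is
# constructed (documentation range), standing in for the site's A record.
SAMPLE_ADDRS = ["2a02:2e0:3fe:1001:7777:772e:2:85", "192.0.2.10"]

def parse_precedence(text):
    """Parse 'precedence <prefix> <value>' lines, skipping comments and other keywords."""
    table = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "precedence":
            table.append((ipaddress.IPv6Network(fields[1]), int(fields[2])))
    return table

def precedence_of(addr, table):
    """Longest-prefix match; IPv4 addresses are looked up in IPv4-mapped form."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    matches = [(net.prefixlen, value) for net, value in table if ip in net]
    return max(matches)[1] if matches else 0

def order_by_precedence(addrs, table):
    """Stable sort, highest precedence first (one rule of the RFC 3484 sort only)."""
    return sorted(addrs, key=lambda a: -precedence_of(a, table))

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_GAI_CONF), ("prefer IPv4", PREFER_IPV4_GAI_CONF)):
        print(name, order_by_precedence(SAMPLE_ADDRS, parse_precedence(conf)))
```

With the default table the IPv4-mapped prefix has the lowest precedence, so the AAAA result is tried first; raising it to 100 puts the IPv4 address ahead.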
Carlos E. R. wrote:
It is not possible to allow IPv6 on the local network and disable it on Internet (the use case is that the ISP doesn't provide it yet).
Ah, now I understand the use case.
Thus an interesting hack is that the DNS doesn't provide IPv6 answers, even when applications ask for it.
And without having to change gai.conf on every system. Yes, I see it now.
-- Per Jessen, Zürich (12.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Fri, 2015-10-02 at 09:53 +0200, Bjoern Voigt wrote:
How I can repair broken IPv6 setup or disable IPv6?
How about this?
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
Bill
Bjoern Voigt composed on 2015-10-02 09:53 (UTC+0200):
How I can ... disable IPv6?
ipv6.disable=1 on kernel cmdline, works here. Also, I excise IPv6 entries info from /etc/hosts, but whether it matters I have no idea.
-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
participants (8): Adam Tauno Williams, Andrei Borzenkov, Bill Merriam, Bjoern Voigt, Carlos E. R., Felix Miata, Per Jessen, Yamaban