Problem is caused by someone or some committee deciding that "gosh darn it! we can make ipv6 adoption go much faster if we bug the hell out of the ipv4 only network admins".
So they did......
On latest versions of RHEL, not only do you get ipv6 enabled by default, all dns requests go to ipv6 first, even if think you have told server it should process ipv4 only That means that if a particular domain has a large set of nameservers, it is possible in certain circumstances for your critical app which is trying to get a simple ipv4 ip will end up waiting while each nameserver is checked one by one for an ipv6 response.....which can take a really really looooooooong time.
Step 1: verifying what is going on -- use dig to query the nameservers directly for AAAA responses (if all the nameservers are responding refused), you got a candidate.
example: dig api-read.facebook.com/AAAA/IN @glb01.sf2p.tfbnw.net
Step 2: use "getent ahostsv4 hostname" and "getent ahostsv6 hostname" to confirm it is the ipv6 queries that are causing the problem.
You may also see something like the following in named (even though you have forwarding disabled):
named[2837]: FORMERR resolving 'api-read.facebook.com/AAAA/IN': 69.63.176.101#53
Step 3: redhat does provide a few solutions here (thankfully), but it is not as straightforward as it should be.
I assume you already have NETWORKING_IPV6=no in /etc/sysconfig/network.
You may even have been smart and put the following /etc/modprobe.conf:
alias net-pf-10 off
alias ipv6 off
And, of course, you've turned off all ipv6 daemons including iptables6.
No, that is not enough, it is very easy for ipv6 to be forced to load, especially in RHEL 5.5. You probably also need to create the file /etc/sysconfig/disable-ipv6 with the contents:
options ipv6 disable=1
step 4: pretend you're running a windows box that needs its daily reboot, go ahead.
When system comes back up, do lsmod | grep ipv6 ..and the ipv6 module should not be loaded.
Run getent ahosts hostname and see ipv4 only results come up very fast.
If you're still seeing problems, review lsmod to see what is forcing ipv6 to load and you may need to perform magic on your dns servers too -- such as adding to /etc/named.conf:
listen-on-v6 { none; };
Adding "-4" to the options field in /etc/sysconfig/named.
Restart named.
Performing steps above to kill ipv6 completely on the local resolving dns servers.
Note: RedHat has their own technote about the problem here at: http://kbase.redhat.com/faq/docs/DOC-17904 .
I suspect this is more specific to RHEL 5.4 than 5.5 RHEL 5.5 does seem to do the right thing when you go through the numerous hoops to disable the ipv6 module.
So they did......
On latest versions of RHEL, not only do you get ipv6 enabled by default, all dns requests go to ipv6 first, even if think you have told server it should process ipv4 only That means that if a particular domain has a large set of nameservers, it is possible in certain circumstances for your critical app which is trying to get a simple ipv4 ip will end up waiting while each nameserver is checked one by one for an ipv6 response.....which can take a really really looooooooong time.
Step 1: verifying what is going on -- use dig to query the nameservers directly for AAAA responses (if all the nameservers are responding refused), you got a candidate.
example: dig api-read.facebook.com/AAAA/IN @glb01.sf2p.tfbnw.net
Step 2: use "getent ahostsv4 hostname" and "getent ahostsv6 hostname" to confirm it is the ipv6 queries that are causing the problem.
You may also see something like the following in named (even though you have forwarding disabled):
named[2837]: FORMERR resolving 'api-read.facebook.com/AAAA/IN': 69.63.176.101#53
Step 3: redhat does provide a few solutions here (thankfully), but it is not as straightforward as it should be.
I assume you already have NETWORKING_IPV6=no in /etc/sysconfig/network.
You may even have been smart and put the following /etc/modprobe.conf:
alias net-pf-10 off
alias ipv6 off
And, of course, you've turned off all ipv6 daemons including iptables6.
No, that is not enough, it is very easy for ipv6 to be forced to load, especially in RHEL 5.5. You probably also need to create the file /etc/sysconfig/disable-ipv6 with the contents:
options ipv6 disable=1
step 4: pretend you're running a windows box that needs its daily reboot, go ahead.
When system comes back up, do lsmod | grep ipv6 ..and the ipv6 module should not be loaded.
Run getent ahosts hostname and see ipv4 only results come up very fast.
If you're still seeing problems, review lsmod to see what is forcing ipv6 to load and you may need to perform magic on your dns servers too -- such as adding to /etc/named.conf:
listen-on-v6 { none; };
Adding "-4" to the options field in /etc/sysconfig/named.
Restart named.
Performing steps above to kill ipv6 completely on the local resolving dns servers.
Note: RedHat has their own technote about the problem here at: http://kbase.redhat.com/faq/docs/DOC-17904 .
I suspect this is more specific to RHEL 5.4 than 5.5 RHEL 5.5 does seem to do the right thing when you go through the numerous hoops to disable the ipv6 module.
Recent Comments