Hmmm, was thinking to perhaps take this else-list (it's more general than "just" BALUG administrivia) ... but I'll probably put a mention/pointer on the "talk" list a bit later, as there's mix of BALUG administrivia stuff ... and also some Linux tech stuff that may be of more general interest, among several of these BALUG-Admin list postings.
Anyway, my comment/reply bits in-line below.
From: "Rick Moen" rick@linuxmafia.com
Subject: Re: [BALUG-Admin] DNS slaves for BALUG? :-) ... IPv6 issue somewhere between master and slaves?
Date: Sat, 20 Feb 2016 19:59:11 -0800
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
Quite likely it's lack of IPv6 or some other IPv6 issue on slave end(s)....
Quite so.
I have a very vague recollection of (possibly) having deliberately disabled IPv6 in the system network stack -- on the excellent grounds that I'm making no use of it, and network functions you're not using should be disabled as part of a comprehensive security policy.
Yes, IPv6 can be quite disabled on Linux operating systems, if one so chooses. In what bit I observed (have a post to put up in response to my earlier posting), doesn't look like IPv6 was disabled on linuxmafia.com - nor is it explicitly enabled. That gives one relatively default, dual stack, have link-local IPv6 (can talk to other IPv6 on same subnet/LAN), but no routable IPv6 - a semi-reasonable default compromise between absolute security and absolute convenience. If even more fully default (and possibly also newer), it might auto-configure for routable IPv6 - if that were offered by resources on the network - but I'm guesstimating that wouldn't apply to linuxmafia.com, as it's more generally configured for static IP(s) on physical interfaces - so likely nothing there set/configured to auto-configure ... beyond possibly the non-routable link-local.
Short of totally disabling IPv6, a step that might be more useful - instead totally disable IPv6 on any and all physical interfaces, but leave the IPv6 stack in place. Two specific advantages I think of for that - in addition to giving most of the security benefits of totally disabling IPv6. Fair bit more convenience - much software these days, and especially for Linux, will presume the host is dual-stack - even if it doesn't have any IPv6 Internet routable connectivity (or ditto for IPv4). Much such software will malfunction if installed/used - at least with its default configuration, if the host doesn't even have IPv6 stack enabled - at least until one reconfigures such software to completely and totally not use IPv6 at all. Another advantage of not disabling the IPv6 stack totally - future-testing and development, etc. E.g. one could do purely local testing of IPv6 - including also (if/when applicable) between virtual machine and physical host. That could be advantageous in developing/testing IPv6 before rolling it out "for real" to Internet accessible routable usage of IPv6.
FWIW, I cannot find where I did that (if I did that). I find nothing in /etc/sysctl.conf (there being nothing in /etc/sysctl.d/), and nothing in /etc/modprobe.d/aliases.conf .
Yes ... I think (if I recall correctly) in newer kernels, IPv6 may no longer be a module? - but I'm not certain about that (reminds me of another point on modules - but for another posting and list/thread). In any case, through the /proc filesystem (or /sys?) and /etc/sysctl.conf or the like, one can, among other things, disable IPv6, including totally and completely, or on per-interface basis. I'm not sure, but there may also be means/options, to have it default to being disabled, yet then allow it to be enabled on a per-interface basis. And keep in mind interfaces may be physical, or virtual (e.g. loopback interface, interfaces between physical and virtual machines, etc.)
Actually, /etc/modprobe.d/aliases.conf.dpkg-old has 'alias net-pf-10 off' , but /etc/modprobe.d/aliases.conf does not.
If it turns out that this is an IPv6 issue on slave end, then I'd suggest leaving it until my linuxmafia.com rebuild.
Yep, probably mostly easier to not muck about with IPv6 on linuxmafia.com until it's more current on the operating system software version updates (e.g. to state that's both well supported on security updates and also will continue to be supported for many months or more to come).
I'm, frankly, really not sold on the utility of IPv6 for the linuxmafia.com host at this time. There are no relevant use-cases for which it's required. Therefore, I might _even_ deliberately disable it on the rebuilt host (whether it is on the current host or not).
Context. :-) Yes, I agree, I see no requirement or (pressing?) need for IPv6 on linuxmafia.com. The answer to same question may be at least somewhat different in 6 months, a year, 2 years, 5 years, ... but I see no rush or pressing need to bring IPv6 to linuxmafia.com.
That is, I tend to strongly concur with the standard advice that if you aren't using a network service, you should shut it off. IPv6 is a network service (in effect, or an additional flavour of existing services). As http://www.esecurityplanet.com/security-how-to/Linux-Hardening---Quick-Wins-... puts it:
Disable IPv6: Unless you know that you need it, disabling IPv6 is a good idea as it is hard to monitor, making it attractive for hackers, and it's also hard to spot security vulnerabilities in the protocol.
Well, I think I'd be inclined to temper and update a statement like that. While still quite true about "unneeded network services", A) IPv6 is increasingly in use - "needed" may be just a matter of time B) "hard to monitor" and such - I think many/most of those objections can probably be dispensed with at this time. I don't think monitoring IPv6 is really any harder than doing likewise for IPv4 ... but yes, sure, it is "one more thing" to monitor, etc. "Of course" some day, getting rid of "one more thing" to monitor, may well entail turning off IPv4. ;-> ... but that day is still some fair ways off yet (guesstimating maybe about a decade or so?)
Random: already encountering some environments that are mandating IPv6 only - at least for anything at/to/beyond physical interface and possibly also link-local. Of course one is likely also aware, getting Internet routable IPv4 addresses is becoming increasingly difficult/costly. I'll also mention that NAT/SNAT tends to complicate a lot of things (like troubleshooting, and security and related accountability) - with IPv6 one mostly can kiss NAT/SNAT goodbye.
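The checks discussed in this thread (per-interface runtime state under /proc, and persistent settings in /etc/sysctl.conf, /etc/sysctl.d/ and /etc/modprobe.d/), sketched as an added example that is not part of the original posts. The optional root argument is an assumption added so a copied tree can be audited, and the `active`/`inactive` tag assumes current kmod and sysctl.d behaviour of reading only `*.conf` files, which an older host may not share.

```shell
#!/bin/sh
# Added example (not from the thread): audit how IPv6 is disabled on a Linux host.
# The optional root argument is an assumption, so a copied tree can be audited.

# One line per interface: "<iface> enabled|disabled"; "stack absent" when
# /proc/sys/net/ipv6/conf is missing (IPv6 not loaded, or disabled at boot).
ipv6_runtime_state() {
    root=${1:-}
    dir="$root/proc/sys/net/ipv6/conf"
    if [ ! -d "$dir" ]; then
        echo "stack absent"
        return 0
    fi
    for f in "$dir"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        if [ "$(cat "$f")" = "1" ]; then
            echo "$iface disabled"
        else
            echo "$iface enabled"
        fi
    done
}

# One line per persistent setting that disables IPv6:
#   "<active|inactive> <file>:<line>:<text>"
# Files not ending in .conf (e.g. *.dpkg-old leftovers) are tagged inactive,
# on the assumption that only *.conf files are read.
ipv6_config_hits() {
    root=${1:-}
    pat='^[[:space:]]*(net\.ipv6\.conf\..+\.disable_ipv6[[:space:]]*=[[:space:]]*1|alias[[:space:]]+net-pf-10[[:space:]]+off|blacklist[[:space:]]+ipv6|options[[:space:]]+ipv6[[:space:]].*disable=1)'
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/* "$root"/etc/modprobe.d/*; do
        [ -f "$f" ] || continue
        case $f in
            *.conf) tag=active ;;
            *)      tag=inactive ;;
        esac
        # /dev/null forces grep to print the file name even for a single file
        grep -nE "$pat" /dev/null "$f" | sed "s|^|$tag |"
    done
    return 0
}

# Audit the live system, or the tree given as the first argument.
ipv6_runtime_state "${1:-}"
ipv6_config_hits "${1:-}"
```

A hit tagged `inactive` with no matching `active` hit is the situation described above, where the alias survives only in aliases.conf.dpkg-old.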