On Thu, 29 Apr 2010 13:58:07 +0200, "Christian 'wiwi' Wittenhorst" wiwi@progon.net said:
> Solution: Routing to 138.190.0.0/16 was broken (blackholed at upstream), so both (dns[12].swisscom.com) were not reachable.
Ok, but I'd still say that you have a problem with your IPv6 connectivity.
> I will have to spend some time on the inner workings of dig...
Yes. Think about it. If you do a "dig swisscom.ch. ns @a.nic.ch", you're only asking, well, a.nic.ch. The Swisscom name servers are not involved at all. Therefore, your issue with 138.190.0.0/16 has *nothing* to do with the problems you've described in your first message (but everything with your customer's problem :)
So, let me elaborate a bit on your dig output.
On Thu, 29 Apr 2010 10:50:17 +0200, "Christian 'wiwi' Wittenhorst" wiwi@progon.net said:
> (820)[root@svn /tmp]# sh ch dig swisscom.ch ns @A.nic.ch
> ;; Got referral reply from 130.59.1.80, trying next server
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> swisscom.ch ns @A.nic.ch
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> dig swisscom.ch ns @B.nic.ch
> ;; Got referral reply from 130.59.211.10, trying next server
This is not standard behaviour of dig. It appears that RedHat has applied a patch that makes dig skip to the next server in its search list if it encounters a referral, which is totally bogus. In particular, it appears to only be in effect if the search list contains multiple entries (otherwise, it wouldn't display anything in the IPv4-only case either). Please use a regular version of dig for diagnostics.
It also appears that your dig is not strictly preferring IPv6 over IPv4. That's why, for dual-stacked servers, you sometimes see the "Got referral reply" message (IPv4 first then IPv6, which then times out) and sometimes "connection timed out". In the latter case, the initial IPv6 query will time out. There should be a retry with IPv4, which should actually succeed, but maybe the RedHat patch breaks this, too (the result is still a referral, of course; maybe because the stupid patch even has a bug when the search list has more than one entry and falls off the end of the list).
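The referral discussed in this message can be recognised from the DNS response itself, independent of any dig build: AA bit clear, empty answer section, NS records in the authority section. The following is an added example, not part of the original e-mail; the packets are constructed (ID, TTL and flags are made up), and only the name-server names dns1/dns2.swisscom.com come from the thread.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def classify(msg):
    """Return (kind, NS names found in the authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, rcode, off, targets = bool(flags & 0x0400), flags & 0x000F, 12, []
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns):                      # walk answer + authority RRs
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == 2:                # NS record in authority
            targets.append(read_name(msg, off)[0])
        off += rdlen
    if rcode != 0:
        return "error", targets
    if an == 0 and not aa and targets:
        return "referral", targets                # delegation, not an answer
    return ("answer" if an else "nodata"), targets

def build_sample(flags, an, ns):
    """Constructed response for 'swisscom.ch NS' (ID and TTL are made up)."""
    msg = struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)
    msg += encode_name("swisscom.ch") + struct.pack("!HH", 2, 1)
    for host in ("dns1.swisscom.com", "dns2.swisscom.com"):
        rdata = encode_name(host)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return msg

PARENT_REPLY = build_sample(0x8000, 0, 2)   # QR=1, AA=0: shape of a parent-zone reply
CHILD_REPLY = build_sample(0x8400, 2, 0)    # QR=1, AA=1: authoritative answer
```

`classify(PARENT_REPLY)` reports a referral listing the delegated servers, while `classify(CHILD_REPLY)` reports an answer; only a query sent to the delegated servers themselves exercises the route to 138.190.0.0/16.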