[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] kernel IPv6 changes affecting DNS?



I seem to have strange problems that are related to the ipv6 module
being enabled. Behaviour seems (so far at least) to differ between
kernel versions: k_deflt-2.4.19-74 and k_deflt-2.4.19-340.

The problem is seen as slow startup of certain networked
Java applications using JBoss services. I traced the issue
to failing DNS replies, i.e. timeouts but the problem was that
there was DNS AAAA queries (IPv6 related) going on. And
the server was unable to answer these - as it is serving IPv4.
Having found that out using ethereal I checked from web and
found out that disabling the IPv6 module via
/etc/modules.conf drops off IPv6 stuff and might help - actually
did help.

However, I checked with an older version of the kernel - and
probably some other stuff as well - and the whole thing seems
to work OK there, with IPv6 module.

Is there some explanation I have missed? Is this behaviour
correct now, or was it earlier? Does this affect performance
and possibly security due extra delays with DNS timeouts?

	Is the correct solution to disable the module via:
# alias net-pf-10 ipv6 (in /etc/modules.conf)
or is there better ways of dealing with this? It has quite a
big hit on the application since the "normal" startup time
is in the range of 0.7 seconds and these DNS timeouted
AAAA queries push it somewhere between 15 and 20 seconds!

	br,

	timo


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here