Thursday, 3 April 2008

I'm very proud

to announce that IPv6 has affected me, in actual real life.

We run a moodle server. It's pretty important. We run it in a DMZ, and it's protected by a commercial firewall product. It's running on Ubuntu Gutsy server, and we spent Monday and Tuesday upgrading all 30-odd instances from moodle 1.72 to moodle 1.9 . This went very well and proved very easy.

We also did a whole bunch of ubuntu package upgrades, which cowardice had caused me to shy away from till now. I mean, how comfortable would you be if aptitude upgrade told you the kernel would be removed?

Aaanyway, we did it, and it all worked. Except now, it was dog slow. Like 40 seconds to return a page. So, off I went on the now familiar hunt for the wotdidIdowrongthistime bird.

I'd noticed a long pause at the start of every aptitude download, and there was the clue. I ran a sniffer on the moodle box, and it's name server. And there was the problem.

Each time the moodle box needed name service, it would send four DNS requests for AAAA records, which the nameserver just never saw. Then the moodle box gave up waiting, and tried for an A record, which the nameserver saw and responded to, and on we go.

Turns out that our firewall didn't want to pass AAAA requests, or the ubuntu box was sending them up it's own bum or somewhere else sub-optimal. After a few minutes googling and wincing at the ubuntu forums, the answer turned out to be this:

in /etc/modprobe.d/, create bad_file with the line alias net-pf-10 off.

And all is happy again. S'pose I ought to be talking to firewall vendors soon...

No comments: