DNS: Root hint server 2001:500:1::803f:235 must respond to NS queries for the root zone
We are using IPv4 in our company. Our ISP does not provide IPv6 and this won't change in the next years.
The Best Practices Analyzer (BPA) of our Server 2012 R2 DNS server warns about the IPv6 DNS root hints not responding to the DNS server’s queries. Of course, as we do not have an IPv6 internet access.
I see two solutions:
Ignore the warnings. As long as this does not have an impact on the speed of DNS resolutions. (Something like clients trying IPv6 first, waiting for a timeout and then trying an IPv4 name resolution.)
Remove the IPv6 addressse from the root hints and add them back if we get IPv6 in the future.
Any other solutions? What should I prefer?
That nameserver does respond to NS queries for the root zone. I just tried it. The fact that Windows is trying to contact it suggests that the operating system thinks it has IPv6 connectivity. Ensure that you haven't got any IPv6 transition technologies enabled, specifically ISATAP, Teredo, or 6to4.
First of all you are going to need IPv6 in a few years. Based on statistics published by Google my best guess as to when IPv6 adoption will cross the 50% mark is 3 years from now.
Any IPv6 related problem a system administrator is facing needs to be solved, not hidden and ignored. If you take the approach of making changes now that solve your immediate problem but will be getting in the way of upgrading to IPv6 later, then you are setting yourself up for a disaster in a few years when you can no longer remember all the temporary workarounds you applied. Moreover rolling back loads of temporary workarounds and finding real solutions to all of them within a short timeframe will be problematic.
It is perfectly fine to make changes, that don't move you towards running IPv6, as long as you don't make changes, that are moving you away from it.
Running an IPv4-only DNS server with root hints containing both IPv4 and IPv6 addresses is supposed to be a valid configuration. A DNS server is supposed to be able to figure out which of the addresses can be used, and which cannot.
I'm guessing the analyzer you have been running is a bit too verbose for your scenario.
I wouldn't consider removing the IPv6 addresses from the root hints to be an advisable step. If you want the warning to go away, something else need to be done. The other option I can think of would be to get dual stack on the DNS server.
There is also the possibility that the analyzer has detected a real configuration problem in your setup, but that it just doesn't communicate clearly enough what it has found. Documentation about what the analyzer is testing and why could be useful in figuring out if this is the case.
The answer by Michael Hampton have a few suggestions about what configuration problem might have triggered the warning.