I have a synthetic setup just for certification: NS1.turnbridge.org. and NS3.turnbridge.org., with A, AAAA, MX and NS delegations for NS2.turnbridge.org - no machine, just a subdomain.
On #3 in the Guru test I get the complaint that the nameservers aren't accessible; however, when I trace the nameservers, I clearly see a pair of v6 queries, one on each nameserver (only one is shown below; they're nearly identical):
---------------------------
client @0x7fed6817d120: udprecv
client 2001:470:0:64::2#34702: UDP request
client 2001:470:0:64::2#34702: request is not signed
client 2001:470:0:64::2#34702: recursion not available
client 2001:470:0:64::2#34702: query
client 2001:470:0:64::2#34702: query 'ns2.turnbridge.org/AAAA/IN' approved
client 2001:470:0:64::2#34702: send
client 2001:470:0:64::2#34702: sendto
client 2001:470:0:64::2#34702: senddone
client 2001:470:0:64::2#34702: next
client 2001:470:0:64::2#34702: endrequest
-----------------------------------------
2001:470:0:64::2 --
> 2001:470:0:64::2
Server: ns1.he.net
Address: 216.218.130.2
Name: ipv6.he.net
Address: 2001:470:0:64::2
-------------------------
I don't see any other requests; the two servers can and do talk ipv6 to each other with wild abandon, and clearly get requests from HE.
The only thing I can think of now is that I have recursion turned off... but that seems like I'm grasping at straws.
What am I missing??
I've included the zone files, and named.conf below for reference.
Thanks
Mark F.
-----------
Guru
Congratulations, you are an IPv6 Professional! To complete the Guru Test you will need:
The Name Servers for ns2.turnbridge.org need to have a AAAA records
Those Name Servers need to respond to queries made via IPv6
Help | Step | Description | Data
* | 1 | If you need to edit off any subdomains to make it work, please do so here: |
* | 2 | Check to see that the nameservers associated with ns2.turnbridge.org have IPv6 AAAAs | Success
* | 3 | Check to see that the nameservers associated with ns2.turnbridge.org are IPv6 accessible | Couldn't query name server
-------------
The Turnbridge.org domain zone file:
$ORIGIN .
$TTL 3600 ; 1 hour
turnbridge.org IN SOA rackspace.fausett.us. root.rackspace.fausett.us. (
2011030307 ; serial
900 ; refresh (15 minutes)
300 ; retry (5 minutes)
604801 ; expire (1 week 1 second)
3600 ; minimum (1 hour)
)
$TTL 1800 ; 30 minutes
NS ns1.turnbridge.org.
NS ns3.turnbridge.org.
MX 10 ns1.turnbridge.org.
$ORIGIN turnbridge.org.
mtk AAAA 2001:470:8:b8b::1
ns1 A 50.56.81.117
MX 10 ns1
AAAA 2001:470:1f11:d04::1
ns2 NS ns1
NS ns3
$ORIGIN ns2.turnbridge.org.
ns1 A 50.56.81.117
AAAA 2001:470:1f11:d04::1
$ORIGIN turnbridge.org.
ns3 A 50.56.82.223
MX 10 ns1
AAAA 2001:470:1f11:d19::1
--------------
ns2.turnbridge.org.
--------------
$ORIGIN .
$TTL 3600 ; 1 hour
ns2.turnbridge.org IN SOA ns1.ns2.turnbridge.org. root.ns1.ns2.turnbridge.org. (
2011030307 ; serial
900 ; refresh (15 minutes)
300 ; retry (5 minutes)
604801 ; expire (1 week 1 second)
3600 ; minimum (1 hour)
)
$TTL 1800 ; 30 minutes
NS ns1.turnbridge.org.
NS ns3.turnbridge.org.
$ORIGIN ns2.turnbridge.org.
ns1 A 50.56.81.117
MX 10 ns1.turnbridge.org.
AAAA 2001:470:1f11:d04::1
------------------
named.conf
------------------
options {
listen-on port 53 { 127.0.0.1; 50.56.82.223; };
listen-on-v6 port 53 { ::1; 2001:470:1f11:d19::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "turnbridge.org" {
type slave;
file "/var/named/data/turnbridge.org";
masters { 50.56.81.117; };
};
zone "ns2.turnbridge.org" {
type slave;
file "/var/named/data/ns2.turnbridge.org";
masters { 50.56.81.117; 2001:470:1f11:d04::1; };
};
Missing glue and nameserver for "ns3.ns2.turnbridge.org."
I think I've fixed these, but still failing #3.
I can't quite figure out what's being tested in the Guru test; I see fetches of the AAAA records, via V6, then nothing.
Could I get a hint on what queries are being performed, so that I can test and debug the name server to remediate, rather than reverse engineering the test by trial and error?
thanks!
mf
ARGH; you *require* an address record for the domain itself.
I've got it now; the videos referenced in the FAQ helped. But something referencing what failed in the test would have saved a lot of time.
Thanks,
mf
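The check the last post arrives at (an address record on the zone name itself) can be run offline against the zone text before retrying the test. This is an added example, not code from the thread or from HE: the parser handles only the master-file features used in the posted zone, the helper names are hypothetical, and the AAAA value in the second zone is a documentation-prefix placeholder.

```python
import re

# ns2.turnbridge.org zone as posted above, owner-less lines re-indented (constructed).
ZONE_AS_POSTED = """\
$ORIGIN .
$TTL 3600 ; 1 hour
ns2.turnbridge.org IN SOA ns1.ns2.turnbridge.org. root.ns1.ns2.turnbridge.org. (
        2011030307 900 300 604801 3600 )
$TTL 1800 ; 30 minutes
        NS ns1.turnbridge.org.
        NS ns3.turnbridge.org.
$ORIGIN ns2.turnbridge.org.
ns1     A 50.56.81.117
        MX 10 ns1.turnbridge.org.
        AAAA 2001:470:1f11:d04::1
"""
# Same zone plus an apex AAAA; 2001:db8::53 is a placeholder, not a real address.
ZONE_WITH_APEX_AAAA = ZONE_AS_POSTED + "@       AAAA 2001:db8::53\n"

def fqdn(name, origin):
    """Qualify a master-file owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." if origin == "." else name + "." + origin).lower()

def parse_zone(text):
    """Return {owner_fqdn: set of RR types} for a simple master file."""
    text = re.sub(r";[^\n]*", "", text)                       # strip comments
    text = re.sub(r"\(([^)]*)\)",                             # join ( ... ) groups
                  lambda m: m.group(1).replace("\n", " "), text)
    origin, owner, records = ".", None, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):
            if tokens[0] == "$ORIGIN":
                origin = tokens[1].lower()
            continue
        if not line[0].isspace():                             # new owner name
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                                     # optional TTL / class
        if tokens and owner:
            records.setdefault(owner, set()).add(tokens[0].upper())
    return records

def apex_address_types(text, apex):
    """Address record types (A/AAAA) present on the zone name itself."""
    return sorted(parse_zone(text).get(apex.lower(), set()) & {"A", "AAAA"})
```

On the zone as posted, `apex_address_types(ZONE_AS_POSTED, "ns2.turnbridge.org.")` returns an empty list: the only address records belong to `ns1.ns2.turnbridge.org.`, not to the delegated name.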