I've come to the conclusion that since IPv6 glue requires the registrar to add AAAA records for NS record names on the TLD server(s), getting past the IPv6 Sage test with a domain hosted on afraid.org is impossible.
Servers ns*.afraid.org don't have any AAAA records and therefore the guru test query will never succeed.
Am I correct in this sum-up?
I'm referencing this thread to support my conclusion.
http://www.tunnelbroker.net/forums/index.php?topic=274.msg1402#msg1402
As such, an IPv6 Sage certification requires purchasing one's own domain from a registrar that provides IPv6 glue, or working with an existing domain environment setup with IPv6.
thanks
Or moving the domain to a registrar that supports IPv6 glue, you can find a list in the FAQ section of http://www.sixxs.net
I used www.editdns.net.
The service at freedns.afraid.org is NOT a domain registration service. It is DNS. These are separate things.
You are correct that since the DNS servers at afraid.org don't have IPv6 addresses, they cannot be used with the test. However, they will serve IPv6 glue records. Your conclusion is correct but the logic you used to arrive at the conclusion is faulty.
Well, not quite. afraid.org cannot serve glue records, since it is not a registry. It can serve host records for name servers, yes. "A glue record is the IP address of a name server held at the domain name registry." See also http://faq.domainmonster.com/dns/glue_record/
More to the point, afraid.org can serve NS records, which lets you use your own out-of-bailiwick name server for one of the afraid.org subdomains. You can get through "Guru" with a combination of afraid.org, v6ns.org and a BIND server (or indeed powerdns) running on your local v6-enabled network.
To get "Sage", you need your own domain from a registrar that can set ipv6 glue with the registry. I used gkg - they support v6 glue right there in the web interface, which made it quite easy to set up. Alternatively, you can have someone who has their own domain with glue for their server set up a zone for you; that will work just as well.
This should also work if you started out with an afraid.org subdomain, by setting your new and shiny glue-enabled NS as an out-of-bailiwick NS on your afraid.org subdomain.
afaik, none of the free DNS services have ipv6-enabled name servers, never mind ipv6-enabled name servers with ipv6 glue. At least I was not able to find any. Hence the need to run your own server, or give a friend a beer and use his.
You forget about freedns.afraid.org's ability to register subzones under zones it already hosts. Those may have glue records.
Quote from: snarked on August 07, 2009, 11:23:28 AM
You forget about freedns.afraid.org's ability to register subzones under zones it already hosts. Those may have glue records.
You'd think so - but their glue is moot, unless you can use their name servers too. Which would bring us back to the "beer" scenario.
Take a look at a glue service set up specifically for the Guru test: ns0.nic.v6ns.org has glue; that doesn't mean that ns1.sub.v6ns.org has glue. I can say with utter conviction (because I tried it) that you do need glue on your own NS to pass Sage, not just on the NS for the domain hosting your subdomain. To re-state, that means an AAAA entry at the registry of the TLD of your NS's FQDN.
you're right yorick,
unless afraid.org can serve NS records, which lets us use our own out-of-bailiwick name server (with ipv6 glue on tld registries) for one of the afraid.org subdomains, we cannot obtain sage using one of the subdomains in afraid.org :)
Quote from: leenoux on August 08, 2009, 03:56:36 AM
unless afraid.org can serve NS records, which lets us use our own out-of-bailiwick name server (with ipv6 glue on tld registries) for one of the afraid.org subdomains.
You are right, and they can. That's how I got sage without needing to reset the domain used for the tests. It doesn't buy you much - you still need an NS with glue that you control. It is a way to get to sage for the terminally stubborn - or you could mail ipv6@he.net, ask for a reset of your tests, and go with one of your own domains (with glue) from the very start.
I hate starting over, though. That's almost admitting defeat, that is.
The problem isn't that afraid.org can't serve IPv6 glue. It can and does.
The problem is that afraid.org itself doesn't have IPv6 glue leading to its in-zone name servers.
Those are DIFFERENT issues.
Quote from: snarked on August 08, 2009, 04:35:55 PM
The problem isn't that afraid.org can't serve IPv6 glue. It can and does.
It can't serve TLD glue records, which is what the Sage test looks for. I haven't found a way that it could serve more pedestrian non-TLD glue records, either, but that's neither here nor there for the sage test.
Put a more technical way: Say you have a .com domain at afraid.org - yorick.mooo.com, why not. And your nameserver is ns1.yorick.mooo.com. What the Sage test looks for is an answer to "dig ns1.yorick.mooo.com AAAA @a.gtld-servers.net", essentially - a AAAA record for your nameserver held at the registry for the TLD. That is TLD glue, and afraid.org certainly can't provide it. Not with AAAA nor with A.
A more "pedestrian" glue might be to set an NS record at afraid.org for yorick.mooo.com pointing to ns1.yorick.mooo.com, and then have an A (or AAAA) entry at the mooo.com level for ns1.yorick.mooo.com, so it can be found. I don't see a way to do that in afraid.org, either, but maybe I'm missing something in the web interface. Even if that is possible - and if so, I'd love to learn how it's done in their interface - that's still not TLD glue, and won't get you through Sage.
Whether afraid.org's servers are reachable over AAAA is rather beside the point. The glue has to be at TLD level for this test; the afraid.org name servers would never get involved in the query, anyway, if TLD glue could be provided.
To be fair, this is not afraid.org's fault in the least. I'm not even sure a subdomain service like this _can_ get TLD glue entered for all those subdomains. I can see the operators of the TLD registry objecting to such an idea.
The discussion really is only about "what is TLD glue", and "how do you get it", and possibly "and then how can you complete Sage on the afraid.org subdomain you started out with, once you have TLD glue" - not about "whose fault is this" (nobody's, truly) or "rabble rabble afraid.org should" (they should be given lots of beer for providing an awesome and free service).
This is one of those things that makes me angry because it wastes my time. IF IT IS IMPOSSIBLE TO USE AFRAID.ORG YOU NEED TO STATE THAT IN BIG FREAKING WORDS ON YOUR HOME PAGE! Otherwise you are real jerks wasting lots of people's time. Time to chalk he.net as another horribly stupid site with an eye bleeding design. Your language is vague, your directions are incomplete, and you are underhandedly biasing people against IPv6. TRY AND MAKE IT MORE DIFFICULT, WHY DON'T YOU. I mean, sheesh, life is hard enough without unnecessarily complicating things. EPIC FAILURE. >:(
IPv6 Glue is submitted at the registrar level either by creating NS host records with IPv6 addresses or setting other NS authoritative with existing IPv6 Glue, for your domain. If your TLD doesn't support glue, you can use another NS in a different domain as 'out of bailiwick', as long as that NS you are using has had glue configured with their registrar.
Afraid.org isn't our responsibility or service, nor are we aware of how they've configured the availability of their services. I personally happen to have only known of their free reverse DNS for IPv6 allocations service, which is commendable and works quite well.
We've provided no walk-through on how to complete from Newbie through Sage, except for a handful of various software configuration examples, and a general idea on what each level tests for. There is no goal achieved in spoon-feeding answers. The better goal is to get people thinking and looking at their various services and learn how to get them up and running on IPv6. Answers can and will be found by researching online, as well as asking the community or even us directly.
I would say, in contrast to the comment about creating a bias against learning about IPv6, that the almost 7,000 users (as of this post) that have decided to try the free online certification program seem inclined to want to learn something more about IPv6.
well, like old wise man said "no pain, no gain" ;)
honestly, in my experience with ipv6, he.net/tunnelbrokers.net do an excellent job/service for me.
their staff are very responsive, even though this service is without SLA.
my knowledge is getting better and better dealing with ipv6 stuff, configuring daemons (smtp, pop3, dns, http), routing etc..
thanks to he.net and their staffs :)
dielaughing: Really, now? When I started, I only had the vaguest idea what "glue" was. "Bailiwick" sounded like something out of a Dickensian novel. All that time-wasting and googling and head-scratching, getting to Guru only to be stuck at Sage again, pondering the relative merits of "feed a friend some beer and have him take care of it" vs. "get my own domain and really see what setting up glue looks like" - I had a blast!
So, yeah - if taking part in such a fun, hands-on learning exercise gets your blood roiling so badly, then it may be time to move on. Or, alternatively and preferably, you could step back a few steps, take a deep breath, and treat this as the excellent teaching tool it is. The clues on how to finish the test are so thick in this post, they may amount to violating HE's "no step-by-step walkthrough" rule.
Quote from: dielaughing on August 09, 2009, 01:27:23 AM
This is one of those things that makes me angry because it wastes my time. IF IT IS IMPOSSIBLE TO USE AFRAID.ORG YOU NEED TO STATE THAT IN BIG FREAKING WORDS ON YOUR HOME PAGE! Otherwise you are real jerks wasting lots of people's time. Time to chalk he.net as another horribly stupid site with an eye bleeding design. Your language is vague, your directions are incomplete, and you are underhandedly biasing people against IPv6. TRY AND MAKE IT MORE DIFFICULT, WHY DON'T YOU. I mean, sheesh, life is hard enough without unnecessarily complicating things. EPIC FAILURE. >:(
IMHO, I'm grateful that HE is providing the tunnels, this forum, and the certification tests, which are both very useful, fun, and do I even need to mention, free?
Part of the fun of doing the certification is actually learning about IPv6 and configuring and operating services in a v6 environment. It's not HE's place to handhold people through the process. I suggest you google "DNS glue records" and try to understand what it means.
Do you really expect HE to provide some sort of list of registrars that support v6 glue? It would be ridiculous to ask them. And it's not their job, it's yours. Google is your friend here too. (suggestion: godaddy supports it, at least under the .cc TLD, others? Find out! Do your homework!) Perhaps there should be a sticky thread listing these to help out a bit (if there isn't one already), but HE should have no obligation to come up with the list themselves.
Honestly, the cert process shouldn't be very difficult to anyone with a bit of systems and/or network administration experience. Most things, particularly DNS glue, work the same way it does under IPv4. So it should be familiar. For "curious users" or students, well, there's obviously a learning curve. But that's sort of the point, isn't it? Google, wikipedia, etc, etc, are there for you.
I realize that your post was probably made whilst experiencing immense frustration, but a post like yours isn't just looking a gift-horse in the mouth, it's kicking it. Perhaps you should take after your nick a bit more, and not take this stuff quite so seriously?
Your requirements are false, your use of terms like "end point" only serves to create useless, redundant, and confusing jargon, and I ALREADY KNOW EVERYTHING ABOUT IPv6! I'm flat out calling your methods frustratingly retarded. I'm not angry because I don't understand. I'm angry because you are calling your stupid tutorial quiz a "certification test". While it might be great for noobs, your site design is so bad, so thoroughly counterintuitive, that it just pisses me off. Taking you at your word, following the requirements, will not suffice to complete the exam. Go back and read the "All you need" part and contrast that with the actual records you are trying to retrieve. Ah ha! Maybe you should point out either exactly what you seek, or fix the tragic clusterf**k that is your site design and requirement information. I know you won't because this is just a giant social engineering experiment to scrape a bunch of info from the witless masses. You get that when they sign up. You don't need them to complete it. That would only cost you money. You have a financial interest in keeping it as f**king lame as it is now.
:o OK. This has got to be a troll.
If you have any positive constructive criticism now is the time to share. We're always more than happy to listen to suggestions and work to implement changes for the better. Also if you need help getting beyond Explorer (http://ipv6.he.net/certification/scoresheet.php?pass_name=dielaughing), please feel free to ask for help or advice. We're absolutely willing to help anyone that is stuck, especially those that know everything about IPv6 like configuring web-servers. In point, we're also working on some presentations (video, and not outright walk-throughs) about the certification program that will contain some explanation about each level, and how to progress.
If you are truly this upset and reconciliation appears impossible, and would like to no longer participate in the certification program and tunnelbroker.net, you can ask us to close out the account and remove all personal information. We will honor such a request. If this is just honest to goodness trolling, then I don't feel a need to continue this discussion, and won't.
Quote from: dielaughing on August 09, 2009, 05:03:09 AM
Your requirements are false, your use of terms like "end point" only serves to create useless, redundant, and confusing jargon, and I ALREADY KNOW EVERYTHING ABOUT IPv6! I'm flat out calling your methods frustratingly retarded. I'm not angry because I don't understand. I'm angry because you are calling your stupid tutorial quiz a "certification test". While it might be great for noobs, your site design is so bad, so thoroughly counterintuitive, that it just pisses me off. Taking you at your word, following the requirements, will not suffice to complete the exam. Go back and read the "All you need" part and contrast that with the actual records you are trying to retrieve. Ah ha! Maybe you should point out either exactly what you seek, or fix the tragic clusterf**k that is your site design and requirement information. I know you won't because this is just a giant social engineering experiment to scrape a bunch of info from the witless masses. You get that when they sign up. You don't need them to complete it. That would only cost you money. You have a financial interest in keeping it as f**king lame as it is now.
Wow, you need to try and relax some...
The "Certification" is an unofficial process where people can basically prove to themselves they understand and can work with IPv6 technology. To complete the tests you need to be able to complete a number of tasks, one of them is the test you seem to be so upset about. The test is not there to make you mad, it's there to help you understand more about IPv6. If your registrar doesn't support IPv6 glue contact them and ask them to add support. Do some research on IPv6 glue and see who does and does not support it.
Like any type of training or certification HE seeks to help people understand IPv6 from top to bottom and encourage the growth of the system. You say you fully understand IPv6, that's great. Not everyone does when they first get here and they can learn a lot from the system. The certification isn't going to get you an extra 10k a year at your job or anything, so why stress it?
Is this site the most interesting looking one I have ever seen? No, not even close. But it is very functional and fast. It gets the job done, I'm glad they didn't spend all the time and effort on making it pretty and worked on its functionality instead. I have yet to find another Tunnel Broker in the US that allows you to create an account and set up a tunnel in under 5 minutes. But not all services are for all people, nobody is forcing you to use HE, if you do not like them then do not use them.
HE has the ability to get a lot of useful data from their IPv6 tunnel system. Take for example the daily tests where people send in traceroutes, pings and other information. It bumps your cert numbers but more importantly for them it helps them log valuable data about their network. What other providers do and do not have IPv6 support, how well does HE's peering allow access to networks around the world, what kind of speeds do you get around the world, etc. It's a win win system, I as the user of HE's tunnel service learn how to work with IPv6 and they improve their network at the same time.
How much money do you think HE spends on these free services they provide us? Don't you think they are due something in return? I salute HE and any Tunnel Broker for helping the Internet community test and grow the IPv6 system. It's enthusiasts that made the Internet what it is today, and that very same type of person is what is needed to drive IPv6 expansion.
The bottom line is HE is doing this on their dime, they are spending resources on something to try and help people understand and expand IPv6. If the hand out isn't up to your standards, go look for someone else to spend their money to give you something for free the way you want to receive it. When you spend your money for a service like this then you can complain about it. Until that day comes either accept the free service or move on, there is no need to bash HE or any other service provider because your registrar isn't up to par.
I don't see how a domain under the .COM TLD would have glue records for afraid.org (since the latter is under the .ORG TLD). PIR does implement IPv6 glue in the .ORG TLD.
Being IPv6 reachable and having IPv6 glue are separate things.
If you want an IPv6 reachable free DNS service in .ORG, try Xname. Its "ns2" has IPv6 glue.
that's true, .com TLD cannot have glue record for *.afraid.org or any sub.domain.org.
in my real practice I cannot add an out-of-zone ns with a host (a/aaaa) record on the registrar, but I can add them as authoritative ns.
*.afraid.org are just zones; any NS on a different TLD (with ipv6 glue on its own zone) can be authoritative for *.afraid.org zones.
CMIIW
Quote from: snarked on August 09, 2009, 12:07:33 PM
Being IPv6 reachable and having IPv6 glue are separate things.
Yes.
Quote from: snarked on August 09, 2009, 12:07:33 PM
I don't see how a domain under the .COM TLD would have glue records for afraid.org (since the latter is under the .ORG TLD). PIR does implement IPv6 glue in the .ORG TLD.
Well, I feel like a broken record at this point, so I'll just point these out - some fiddling and hitting the "Sage" test button will show you what I'm talking about:
- Think out-of-bailiwick - think NS record on your subdomain - you're not going to use the afraid.org name servers for anything but delivering your NS record. What matters is what .TLD your NS is under, since that's where the Sage test does its glue checking.
- I finished Sage on this account with yorick.mooo.com (hosted by afraid.org) and an out-of-bailiwick NS on a .com I own. I tried finishing it with an out-of-bailiwick subdomain on v6ns.org, but that failed because of lack of glue.
Quote: I tried finishing it with an out-of-bailiwick subdomain on v6ns.org, but that failed because of lack of glue.
There shouldn't be any glue as your domain is a .com and your name servers are .org.
Glue isn't merely an additional record that provides an address for a name server. Glue is the provision of an address for a name server that exists in the ZONE it is serving that would be unreachable if it weren't for the glue record itself.
I noticed a few people mentioned on here that the glue records are kept on registrar's name servers for a given TLD.
I've always been under the impression that the registrars just submitted these host/glue records to whoever actually maintained the master name servers for a particular TLD via a back channel/process of some type. Then they'd be distributed via normal DNS processes or whatever.
Is this a false impression? Perhaps the registrars themselves all run servers for the TLDs they participate in, in a distributed fashion, and have some process whereby they can all enter the glue and domains, etc, into the TLD zone master servers?
I guess I'm curious how things work at that level. Of course it could also vary by TLD.
Also, nostalgia: anyone remember the times when one would have to submit new domain requests and/or host record requests to NIC.DDN.MIL or hostmaster@internic.net via emailed templates? :P
Quote from: jimb on August 10, 2009, 04:43:36 PM
I noticed a few people mentioned on here that the glue records are kept on registrar's name servers for a given TLD.
I've always been under the impression that the registrars just submitted these host/glue records to whoever actually maintained the master name servers for a particular TLD via a back channel/process of some type. Then they'd be distributed via normal DNS processes or whatever.
Kept on the registry's, not registrar's, name servers for a given TLD.
So, yes, you are right: Glue is a host record for your NS kept by "whoever maintains the authoritative name servers for a particular TLD" - the registry for that TLD.
Quote from: snarked on August 10, 2009, 01:18:49 PM
Quote: I tried finishing it with an out-of-bailiwick subdomain on v6ns.org, but that failed because of lack of glue.
There shouldn't be any glue as your domain is a .com and your name servers are .org.
Oh, blood and shale. Snarked, we're running in circles. This isn't about what should be, it's about what is. Specifically, it's about how the Sage test behaves. From a functional perspective, sure, you are right - v6ns.org's NS is AAAA reachable with ipv6 glue at .org, it has the AAAA records for ns1.sub.v6ns.org, and therefore the "ipv6 chain" is not broken, and everyone should go home happy.
Except, this is about what Sage tests for - and it tests for a AAAA record for your NS at the TLD, whether you're in-bailiwick or out-of-bailiwick, whether your NS is reachable purely through v6 by other means or whether it is not. Doesn't matter to the Sage test.
Do me a favor - just test it. Start a cert process with a domain hosted on afraid.org - use something not ending in .org for giggles - then set out-of-bailiwick NS from yoursub.v6ns.org, and see how the tests behave. You'll pass Guru and be stuck at Sage.
Railing against that with "shoulds" is not very useful, in my book - that doesn't get the job done. The job in this case is to pass Sage. And that's what I aim to provide advice for.
I'm not saying that there isn't a problem with an IPv6-only DNS walk that is required to pass the test.
However, the cause is NOT due to IPv6 glue records. The cause is not having DNS servers with IPv6 addresses (which need NOT be glue records). When the target zone is under a different TLD than the TLD(s) of the name servers that serve it, glue records don't exist (by definition).
Quote from: snarked on August 11, 2009, 11:01:12 AM
However, the cause is NOT due to IPv6 glue records. The cause is not having DNS servers with IPv6 addresses (which need NOT be glue records). When the target zone is under a different TLD than the TLD(s) of the name servers that serve it, glue records don't exist (by definition).
Well, hmm, no? The DNS Servers still have AAAA records, and IPv6 addresses - needed for Guru. And that works fine.
As for out-of-bailiwick not having glue records by definition - whelp, that depends on what your definition of the word "is" is. Heh. In an ipv4 world, sure, you're right. In an IPv6 world, it's all about that unbroken v6 chain - so maybe "glue" isn't really the right term, and we should just call it a TLD AAAA host record - but then, that's a mouthful, and v6 glue is easier to say.
At any rate, that is what Sage tests for - the AAAA host record existing at the TLD level, whether you're in, out or between bailiwicks.
I think I'll rest my case, now.
Quote from: yorick on August 11, 2009, 03:59:05 AM
Quote from: jimb on August 10, 2009, 04:43:36 PM
I noticed a few people mentioned on here that the glue records are kept on registrar's name servers for a given TLD.
I've always been under the impression that the registrars just submitted these host/glue records to whoever actually maintained the master name servers for a particular TLD via a back channel/process of some type. Then they'd be distributed via normal DNS processes or whatever.
Kept on the registry's, not registrar's, name servers for a given TLD.
So, yes, you are right: Glue is a host record for your NS kept by "whoever maintains the authoritative name servers for a particular TLD" - the registry for that TLD.
Ah. Maybe I misread registry as registrar. Thanks for clearing it up for me.
RE - Yorick: You don't understand what "glue" means. It's defined in the DNS RFCs with a specific meaning.
Those IPv6 address records are NOT glue records. They are for name servers whose hostnames are outside of the TLD of the domain being accessed.
Only address records for name servers INSIDE the zone (domain) they are part of are glue records (when at the parent zone's name servers). Other address records for name servers are not glue records.
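Added example, not part of any post in this thread: a Python script that reads the AUTHORITY and ADDITIONAL sections of a referral from a parent zone's servers and separates the two things argued about above, an AAAA held at the parent for any listed name server (what yorick says the Sage test looks for) versus glue in the strict sense (an address for a name server inside the zone being delegated). The dig output is constructed with documentation names and addresses, and the "at least one NS has an AAAA at the parent" check is an assumption drawn from the posts, not HE's test code.

```python
"""Classify name-server addresses in a referral: strict glue vs. any AAAA at the parent."""

# Constructed `dig +norecurse example.com NS @<TLD server>` style output.
# Names and addresses are documentation values, not taken from the thread.
SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;example.com.            IN  NS
;; AUTHORITY SECTION:
example.com.      172800  IN  NS    ns1.example.com.
example.com.      172800  IN  NS    ns2.example.com.
example.com.      172800  IN  NS    ns.example.org.
;; ADDITIONAL SECTION:
ns1.example.com.  172800  IN  A     192.0.2.53
ns1.example.com.  172800  IN  AAAA  2001:db8::53
ns2.example.com.  172800  IN  A     192.0.2.54
"""

# Constructed referral for a hosted subdomain whose only NS lives under another TLD.
SUBDOMAIN_REFERRAL = """\
;; AUTHORITY SECTION:
sub.example.com.  3600  IN  NS  ns.example.org.
"""


def _norm(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_dig_sections(text):
    """Return {section: [(owner, ttl, type, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].split()[0].lower()  # "authority", "additional", ...
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue  # comments, the question line, or text before any section
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[1].isdigit():
            owner, ttl, _rclass, rtype, rdata = fields
            sections[current].append((_norm(owner), int(ttl), rtype.upper(), rdata.strip()))
    return sections


def in_zone(name, zone):
    """True when `name` is the zone apex or lies below it (in-bailiwick)."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def _verdict(inside, a, aaaa):
    if inside:
        if aaaa:
            return "glue, IPv6"
        if a:
            return "glue, IPv4 only"
        return "in-zone NS without glue: delegation unresolvable"
    if aaaa:
        return "out-of-zone NS, AAAA held at parent (not glue in the strict sense)"
    return "out-of-zone NS, no AAAA at this parent"


def classify_referral(text, zone):
    """Map each NS listed for `zone` to its addresses at the parent and a verdict."""
    sections = parse_dig_sections(text)
    zone = _norm(zone)
    addrs = {}
    for owner, _ttl, rtype, rdata in sections.get("additional", []):
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, {"A": [], "AAAA": []})[rtype].append(rdata)
    report = {}
    for owner, _ttl, rtype, rdata in sections.get("authority", []):
        if rtype != "NS" or owner != zone:
            continue
        ns = _norm(rdata)
        have = addrs.get(ns, {"A": [], "AAAA": []})
        inside = in_zone(ns, zone)
        report[ns] = {"in_zone": inside, "a": have["A"], "aaaa": have["AAAA"],
                      "verdict": _verdict(inside, have["A"], have["AAAA"])}
    return report


def has_parent_aaaa(text, zone):
    """Assumed Sage-style check: at least one listed NS has an AAAA at the parent."""
    return any(entry["aaaa"] for entry in classify_referral(text, zone).values())


if __name__ == "__main__":
    for ns, entry in classify_referral(SAMPLE_REFERRAL, "example.com").items():
        print(ns, "->", entry["verdict"])
    print("sub.example.com has AAAA at parent:",
          has_parent_aaaa(SUBDOMAIN_REFERRAL, "sub.example.com"))
```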
both yorick and snarked are right :) in my perspective.
they're just not "in-sync" with each other ;D
their argumentation can cause an acute headache for people who do not have deep knowledge about how dns works ;D
** just joking **
Quote from: leenoux on August 12, 2009, 08:25:41 PM
their argumentation can cause an acute headache for people who do not have deep knowledge about how dns works ;D
You're right about that - which is why this has now moved to PM. I hope those who are trying to complete Sage on afraid.org can still figure out how to do that from this at-times contentious thread. It certainly can be done, no matter what you end up calling the method by which it is done. ;D
Quick question for those who have made it through sage:
I currently have been working through the cert stages with a domain hosted at home. That domain, abc.net, currently has two nameservers alpha.bravo.org and charlie.delta.com. Both of those domain records are maintained at name.com who don't seem to support adding glue records. On the other hand, abc.net is registered at GoDaddy, so I could easily add an IPv6 hostname to its record (e.g. ns1.abc.net) which could then have a glue record (if I understand the usage here correctly).
I wonder though if one can register a nameserver with only an IPv6 address?
Secondly, at this point the domain abc.net would have three nameservers. Does the test check all three for glue records, or can I get past with only one?
Yes. You can register a host record with only IPv6. I did it for mine. Worked with the test too.
My setup also had two IPv4 only name servers, and one IPv6 only name server. Sage worked.
I can't quite remember if I used my 2nd level domain, or a subdomain for the Sage test. I think I used a subdomain. But I added that name server to my 2nd level too, along with the glue record (which means I get queries over IPv6 for my domain sometimes).
(EDIT: to clarify, the IPv6 name server I added was named the same as the subdomain, and listed as the name server for both the subdomain, and as one of the servers for the parent 2nd level domain)
Thank you jimb... That did the trick. I was getting confused by reading some of the posts in this thread, and was beginning to believe that these glue records were somehow different than the standard nameserver glue records.
Got mine added and waited for the he.net boxes to expire the old data, and now everything is golden.
I guess that feature is one more thing to consider when comparing domain name registrars. I've emailed name.com in re: their support for IPv6 nameserver definitions, but have not yet received a response. Guess I need to leave the nameservers on GD.
Again, many thanks for the quick clarification...
A Sage :)
Hi,
I think I have my setup correct, just the test is not working?
http://network-tools.com/default.asp?prog=dnsrec&host=1.qld-rural.info
The domain i'm testing is 1.qld-rural.info
Entries at afraid.
1.qld-rural.info (G) NS ns1.1.qld-rural.info
1.qld-rural.info (G) NS ns2.1.qld-rural.info
ns1.1.qld-rural.info (G) A 60.241.215.178
ns1.1.qld-rural.info (G) AAAA 2001:0470:b8d9:0056:0000:0000:0000:000
ns2.1.qld-rural.info (G) A 204.42.254.5
ns2.1.qld-rural.info (G) AAAA 2001:418:3f4::5
The test is looking up the root nameservers?
NS Records: ns.1.qld-rural.info.
-TLD: info
-Server: b0.info.afilias-nst.org.
-Output: No Record
-Server: a2.info.afilias-nst.info.
-Output: No Record
-Server: b2.info.afilias-nst.org.
-Output: No Record
-Server: d0.info.afilias-nst.org.
-Output: No Record
-Server: a0.info.afilias-nst.info.
-Output: No Record
-Server: c0.info.afilias-nst.info.
-Output: No Record
1.qld-rural.info
1.qld-rural.info
# dig ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44138
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;ns1.1.qld-rural.info. IN AAAA
;; ANSWER SECTION:
ns1.1.qld-rural.info. 86400 IN AAAA 2001:470:b8d9:56::1
;; AUTHORITY SECTION:
1.qld-rural.info. 86400 IN NS ns2.1.qld-rural.info.
1.qld-rural.info. 86400 IN NS ns1.1.qld-rural.info.
;; ADDITIONAL SECTION:
ns1.1.qld-rural.info. 86400 IN A 60.241.215.178
ns2.1.qld-rural.info. 86400 IN A 204.42.254.5
ns2.1.qld-rural.info. 86400 IN AAAA 2001:418:3f4::5
;; Query time: 244 msec
;; SERVER: 60.241.215.178#53(60.241.215.178)
;; WHEN: Fri Nov 27 07:02:19 2009
;; MSG SIZE rcvd: 158
OK, but why should "1.qld-rural.info" be listed at the ".info" name servers?
"qld-rural.info" is the domain for which the ".info" servers would list NS records.
"1.qld-rural.info" is properly listed at the "afraid.org" servers with a delegation that includes glue. Since all 4 servers for "qld-rural.info" are NOT under ".info" (but are under the ".org" TLD), no glue is needed at that level.
PS: I prefer the advanced interface: http://network-tools.com/nslook/Default.asp
From "dig +trace":
Quote
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
;; Received 299 bytes from ::1#53(::1) in 39 ms
info. 172800 IN NS C0.INFO.AFILIAS-NST.info.
info. 172800 IN NS D0.INFO.AFILIAS-NST.ORG.
info. 172800 IN NS A0.INFO.AFILIAS-NST.info.
info. 172800 IN NS B2.INFO.AFILIAS-NST.ORG.
info. 172800 IN NS A2.INFO.AFILIAS-NST.info.
info. 172800 IN NS B0.INFO.AFILIAS-NST.ORG.
;; Received 448 bytes from 2001:500:2f::f#53(F.ROOT-SERVERS.NET) in 64 ms
qld-rural.info. 86400 IN NS ns1.qld-rural.info.
qld-rural.info. 86400 IN NS ns2.qld-rural.info.
qld-rural.info. 86400 IN NS ns3.qld-rural.info.
qld-rural.info. 86400 IN NS ns4.qld-rural.info.
;; Received 181 bytes from 2001:500:1b::1#53(C0.INFO.AFILIAS-NST.info) in 79 ms
1.qld-rural.info. 3600 IN NS ns2.1.qld-rural.info.
1.qld-rural.info. 3600 IN NS ns1.1.qld-rural.info.
;; Received 169 bytes from 67.19.72.206#53(ns1.qld-rural.info) in 43 ms
1.qld-rural.info. 86400 IN SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. (
2009112501 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
864000 ; expire (1 week 3 days)
86400 ; minimum (1 day)
)
1.qld-rural.info. 86400 IN NS ns1.1.qld-rural.info.
1.qld-rural.info. 86400 IN NS ns2.1.qld-rural.info.
;; Received 211 bytes from 2001:418:3f4::5#53(ns2.1.qld-rural.info) in 68 ms
SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns2.1.qld-rural.info in 345 ms.
SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns1.1.qld-rural.info in 271 ms.
Noting that "ns[1-4].qld-rural.info" map to the same addresses as "ns[1-4].afraid.org."
Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.
You need to think hard about what the glue is and how it's used. When you do this, you'll see you can use tunnelbroker's free DNS in conjunction with afraid to complete the test. It took me a day or 2 to wrap my brain around the solution, but it was worth it.
Andrew
Quote from: dualarrow on March 11, 2012, 04:22:35 AM
Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.
Indeed! I have also just completed Sage test with domain from afraid.org. It all turned out to be very simple after some thinking and googling.
Sure, it is much better (from the educational point of view) to set up a DNS server, but I had this done for the Guru test, so I don't think I've missed anything (except paying the registrar for a domain with a glue record, of course =).
I am curious how you pulled that off considering that none of the afraid.org DNS servers have an IPv6 address at all. Can you point me to a domain, where you made it work?
Actually ns1.afraid.org has AAAA record:
%host ns1.afraid.org | grep IPv6
ns1.afraid.org has IPv6 address 2607:f0d0:1102:d5::2
Domain used for test is onehalf3544.strangled.net
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Actually ns1.afraid.org has AAAA record
But ns1.afraid.org is not NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Domain used for test is onehalf3544.strangled.net
That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command
dig -6 +trace -t aaaa onehalf3544.strangled.net
To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.
Does the certification use a buggy dig command behind the scenes?
Quote from: kasperd on October 26, 2012, 11:03:20 AM
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Actually ns1.afraid.org has AAAA record
But ns1.afraid.org is not NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.
I agree.
Quote from: kasperd on October 26, 2012, 11:03:20 AM
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Domain used for test is onehalf3544.strangled.net
That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command
dig -6 +trace -t aaaa onehalf3544.strangled.net
To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.
Does the certification use a buggy dig command behind the scenes?
Maybe their dig is buggy, but they don't even run it with "-6" option.
And their checks don't care about the entire chain - Guru test runs the following (http://ipv6.he.net/presentations/guru.pdf):
dig NS $domain
dig AAAA $NS
dig AAAA $domain @$nsAAAA
Sage test (http://ipv6.he.net/presentations/sage.pdf):
dig NS $domain
dig AAAA $ns @$tld_server
All those commands run successfully even with "-6" option.
But I agree that tests should be tweaked to check for ipv6-only reachability.
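The IPv6-only reachability check the thread asks for, sketched as an added example that is not part of any post or of the certification's own tooling. It walks a delegation chain and accepts a name server only if its AAAA arrives as glue or can itself be fetched over IPv6; the zone table is a constructed model, with `tld-ns.example.`, `ns-v4only.example.`, `ns-v6.example.`, the 2001:db8:: and 192.0.2.1 addresses, and the `strangled.net.` delegation all being assumptions.

```python
import ipaddress

# Constructed model, not live DNS data. zone -> (parent zone, NS set the parent
# hands out as {ns_name: [glue addresses]}); an empty list means no glue.
DELEGATIONS = {
    "net.": (".", {"tld-ns.example.": ["2001:db8::53"]}),   # placeholder TLD server
    "org.": (".", {"tld-ns.example.": ["2001:db8::53"]}),
    # Placeholder IPv4-only server, standing in for afraid.org's own NS set
    "afraid.org.": ("org.", {"ns-v4only.example.": ["192.0.2.1"]}),
    # Assumed delegation: out-of-bailiwick NS name, so the parent sends no glue
    "strangled.net.": ("net.", {"ns1.afraid.org.": []}),
}
# Address records that live inside a zone: host -> (owning zone, addresses)
HOSTS = {"ns1.afraid.org.": ("afraid.org.", ["2607:f0d0:1102:d5::2"])}

def is_v6(addr):
    return ipaddress.ip_address(addr).version == 6

def v6_only_reachable(zone, delegations=DELEGATIONS, hosts=HOSTS, seen=frozenset()):
    """True if an IPv6-only resolver can reach at least one server for `zone`."""
    if zone == ".":
        return True          # assumption: the root is reachable over IPv6
    if zone in seen or zone not in delegations:
        return False         # dependency loop, or zone missing from the model
    seen = seen | {zone}
    parent, ns_set = delegations[zone]
    if not v6_only_reachable(parent, delegations, hosts, seen):
        return False
    for ns, glue in ns_set.items():
        if any(is_v6(a) for a in glue):
            return True      # the parent supplied AAAA glue
        owner, addrs = hosts.get(ns, (None, []))
        # No glue: the AAAA has to be fetched from the NS host's own zone,
        # so that zone must itself be reachable over IPv6.
        if (owner and any(is_v6(a) for a in addrs)
                and v6_only_reachable(owner, delegations, hosts, seen)):
            return True
    return False

def with_v6_server(zone, ns, addr, delegations=DELEGATIONS):
    """Copy of the model in which `zone` gains a name server with AAAA glue."""
    parent, ns_set = delegations[zone]
    return {**delegations, zone: (parent, {**ns_set, ns: [addr]})}

if __name__ == "__main__":
    print(v6_only_reachable("strangled.net."))   # AAAA exists but is unreachable
    fixed = with_v6_server("afraid.org.", "ns-v6.example.", "2001:db8::2")
    print(v6_only_reachable("strangled.net.", fixed))
```

In this model the AAAA record for ns1.afraid.org exists, yet the chain fails because the zone holding that record is only served over IPv4; giving either zone a server with AAAA glue makes the same lookup succeed.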