Hi,
When going through the reverse DNS check for the cert, I keep getting the 'Failed to get AAAA from MX or your DOMAIN' error.
What exactly is it trying to query? I successfully got my email @lemon.ivy.net, and if I dig my reverse v6 address from various places around the internet, the delegation seems to work fine.
[ajs@lazardo ~]$ dig -x 2001:470:1f07:b:210:5aff:fea7:e8 +trace
; <<>> DiG 9.3.4-P1 <<>> -x 2001:470:1f07:b:210:5aff:fea7:e8 +trace
;; global options: printcmd
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
;; Received 228 bytes from 207.245.82.2#53(207.245.82.2) in 4 ms
ip6.arpa. 172800 IN NS NS-SEC.RIPE.NET.
ip6.arpa. 172800 IN NS NS2.LACNIC.NET.
ip6.arpa. 172800 IN NS TINNIE.ARIN.NET.
ip6.arpa. 172800 IN NS NS.ICANN.ORG.
ip6.arpa. 172800 IN NS SEC1.APNIC.NET.
;; Received 221 bytes from 2001:dc3::35#53(M.ROOT-SERVERS.NET) in 88 ms
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns3.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns5.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns2.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns4.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns1.he.net.
;; Received 186 bytes from 2001:610:240:0:53::4#53(NS-SEC.RIPE.NET) in 92 ms
b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS lemon.ivy.net.
;; Received 117 bytes from 2001:470:300::2#53(ns3.he.net) in 83 ms
8.e.0.0.7.a.e.f.f.f.a.5.0.1.2.0.b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 86400 IN PTR lemon.ivy.net.
b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 86400 IN NS lemon.ivy.net.
;; Received 175 bytes from 2001:470:1f07:b:210:5aff:fea7:e8#53(lemon.ivy.net) in 32 ms
dig your_domain MX, see if it gets an AAAA record.
I don't see an MX for lemon.ivy.net (I'm assuming you are wanting to use someone@lemon.ivy.net for the test).
The MX for ivy.net doesn't have an AAAA record, but I'm assuming that's why you were using lemon.ivy.net instead.
[root@jet ~]# dig lemon.ivy.net MX
; <<>> DiG 9.3.4-P1 <<>> lemon.ivy.net MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22225
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;lemon.ivy.net. IN MX
;; AUTHORITY SECTION:
ivy.net. 900 IN SOA castrovalva.ivy.net. carton.ivy.net. 269 2400 960 3456000 900
;; Query time: 168 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:18 2009
;; MSG SIZE rcvd: 86
[root@jet ~]# dig ivy.net MX
; <<>> DiG 9.3.4-P1 <<>> ivy.net MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25393
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ivy.net. IN MX
;; ANSWER SECTION:
ivy.net. 72000 IN MX 10 sakima.ivy.net.
;; AUTHORITY SECTION:
ivy.net. 72000 IN NS ns.aculei.net.
ivy.net. 72000 IN NS ns-castrovalva.ivy.net.
;; ADDITIONAL SECTION:
sakima.ivy.net. 72000 IN A 69.31.131.60
;; Query time: 130 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:45 2009
;; MSG SIZE rcvd: 117
[root@jet ~]# dig sakima.ivy.net AAAA
; <<>> DiG 9.3.4-P1 <<>> sakima.ivy.net AAAA
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;sakima.ivy.net. IN AAAA
;; AUTHORITY SECTION:
ivy.net. 900 IN SOA castrovalva.ivy.net. carton.ivy.net. 269 2400 960 3456000 900
;; Query time: 78 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:51 2009
;; MSG SIZE rcvd: 87
Hi,
I've the same problem (or at least got the same error message), but I can't see anything wrong with my MX record.
# dig @2001:470:20::2 six.trds.de mx
; <<>> DiG 9.4.3-P3 <<>> @2001:470:20::2 six.trds.de mx
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35035
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;six.trds.de. IN MX
;; ANSWER SECTION:
six.trds.de. 60 IN MX 10 helios.six.trds.de.
;; ADDITIONAL SECTION:
helios.six.trds.de. 60 IN AAAA 2001:470:1f0b:751::101
;; Query time: 88 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Thu Sep 10 15:54:02 2009
;; MSG SIZE rcvd: 80
Result is the same for two other public DNS servers I tested. The only problem I could imagine is the nameserver for trds.de, which is IPv4 only (beyond my control), but as the webserver test worked fine, I'm really wondering...
Any suggestions?
You need to add an 'A' record for your nameservers for that test to pass.
(I know, I know. It's an IPv6 test, and your nameservers may be IPv6 only).
I created a pseudo-dummy A record for my nameservers, and it passed (although it did take a few clicks on the 'submit' button ... I think that HE's nameservers try IPv4 connectivity first).
Joel
joel@maestro:~$ dig @74.82.42.42 ns six.trds.de
; <<>> DiG 9.5.1-P2 <<>> @74.82.42.42 ns six.trds.de
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;six.trds.de. IN NS
;; ANSWER SECTION:
six.trds.de. 53 IN NS ns1.six.trds.de.
;; ADDITIONAL SECTION:
ns1.six.trds.de. 53 IN AAAA 2001:470:1f0b:751::53
;; Query time: 61 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Fri Sep 11 13:30:43 2009
;; MSG SIZE rcvd: 75
joel@maestro:~$ dig @74.82.42.42 a ns1.six.trds.de
; <<>> DiG 9.5.1-P2 <<>> @74.82.42.42 a ns1.six.trds.de
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.six.trds.de. IN A
;; Query time: 68 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Fri Sep 11 13:31:08 2009
;; MSG SIZE rcvd: 33
joel@maestro:~$
Registrars will accept registering a name server with ipv6 only?
Quote from: maestroevolution on September 11, 2009, 11:33:23 AM
You need to add an 'A' record for your nameservers for that test to pass.
[...]
You're right, it worked by hacking in my (non-static) IPv4 address as second nameserver. Rushed through until the sage test, but felt like cheating... ;)
Quote from: dstest01 on September 12, 2009, 01:35:24 AM
Quote from: maestroevolution on September 11, 2009, 11:33:23 AM
You need to add an 'A' record for your nameservers for that test to pass.
[...]
You're right, it worked by hacking in my (non-static) IPv4 address as second nameserver. Rushed through until the sage test, but felt like cheating... ;)
I felt the same way. Of course, I also thought it was silly that it checks for IPv4 addresses on an IPv6 test.
Quote from: kriteknetworks on September 11, 2009, 01:35:59 PM
Registrars will accept registering a name server with ipv6 only?
This wasn't a registrar delegation of a domain. This was the sub-delegation of the PTR records from HE to your DNS server.
Apparently that test defaults to using IPv4 connectivity to your DNS server. As I never intended that server to be reachable via IPv4 (because if you want PTR records for IPv6, you should be speaking IPv6), I originally created a AAAA record for it. For this test, if there's no 'A' record for your IPv6 DNS server, the test fails. If there is an A record, it'll try, fail, then try a AAAA lookup, and succeed.
Kinda a quirk of the test... I would prefer it to prefer IPv6 transport to your DNS server by querying for AAAA first... but hey, I passed.
Joel
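The lookups discussed in this thread, as an added example that is not part of any post: it parses resource-record lines in dig's output format and reports MX hosts without an AAAA record and nameservers missing an AAAA or A record. The sample lines are copied from the dig output quoted above; the A-record requirement is what the posters observed, not documented test logic, and the function names are hypothetical.

```python
import re

# Constructed sample: record lines copied from the dig output quoted in the
# thread, plus two non-record lines to show that they are skipped.
DIG_LINES = """\
ivy.net. 72000 IN MX 10 sakima.ivy.net.
sakima.ivy.net. 72000 IN A 69.31.131.60
six.trds.de. 60 IN MX 10 helios.six.trds.de.
helios.six.trds.de. 60 IN AAAA 2001:470:1f0b:751::101
six.trds.de. 53 IN NS ns1.six.trds.de.
ns1.six.trds.de. 53 IN AAAA 2001:470:1f0b:751::53
;six.trds.de. IN MX
;; Query time: 88 msec
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(MX|NS|A|AAAA)\s+(.+)$")

def parse_records(text):
    """Index dig resource-record lines as {(owner, type): [rdata, ...]}."""
    records = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:               # comment lines (';'), blanks, other types
            continue
        owner, rtype, rdata = m.groups()
        if rtype == "MX":       # drop the preference, keep the exchange host
            rdata = rdata.split()[-1]
        key = (owner.rstrip(".").lower(), rtype)
        records.setdefault(key, []).append(rdata.rstrip(".").lower())
    return records

def diagnose(domain, records):
    """Return the record gaps discussed in the thread for `domain`."""
    get = lambda name, rtype: records.get((name, rtype), [])
    problems = []
    # Mail path: each MX host, or the domain itself when it has no MX.
    for host in get(domain, "MX") or [domain]:
        if not get(host, "AAAA"):
            problems.append(f"mail host {host}: no AAAA")
    # Nameservers: per the posters, the test also wants an A record
    # (assumption based on their reports, not on the test's source).
    for ns in get(domain, "NS"):
        for rtype in ("AAAA", "A"):
            if not get(ns, rtype):
                problems.append(f"nameserver {ns}: no {rtype}")
    return problems
```

Feeding it the combined output of `dig <domain> MX`, `dig <domain> NS` and the A/AAAA queries for each returned host reproduces the manual walk-through done in the posts above.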