More DNS guidance?

Started by neillt, November 23, 2008, 09:10:37 AM

neillt

Hello!  I am trying to perform the Guru DNS tests, and it seems to be failing, even though my authoritative DNS servers are IPv6 enabled and have AAAA records for them.

When I perform the test, it immediately bounces back with Couldn't get AAAA for NS.  It would be very helpful if it produced a little more output so that maybe I could figure out what is going on.  Everything seems OK here, and I can see everything using dig from several networks.

I am trying to test neillt.com... here is some dig output from my end, querying my upstream Time Warner Business Class DNS servers...
$ dig neillt.com any

; <<>> DiG 9.4.2-P2 <<>> neillt.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;neillt.com.                    IN      ANY

;; ANSWER SECTION:
neillt.com.             30039   IN      NS      xen-server.neillt.com.

;; AUTHORITY SECTION:
neillt.com.             30039   IN      NS      xen-server.neillt.com.

;; ADDITIONAL SECTION:
xen-server.neillt.com.  30039   IN      A       67.52.144.205
xen-server.neillt.com.  30039   IN      AAAA    2001:470:1f05:216:21c:c0ff:fe77:64b4

;; Query time: 21 msec
;; SERVER: 66.75.160.15#53(66.75.160.15)
;; WHEN: Sun Nov 23 08:56:47 2008
;; MSG SIZE  rcvd: 111


I also looked at what is coming across from my AT&T Cell Data card...
Neill:~ neillt$ dig neillt.com any

; <<>> DiG 9.4.2-P2 <<>> neillt.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34408
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;neillt.com.                    IN      ANY

;; ANSWER SECTION:
neillt.com.             172731  IN      NS      dns2.thorconsulting.org.
neillt.com.             172731  IN      NS      xen-server.neillt.com.

;; AUTHORITY SECTION:
neillt.com.             172731  IN      NS      xen-server.neillt.com.
neillt.com.             172731  IN      NS      dns2.thorconsulting.org.

;; ADDITIONAL SECTION:
xen-server.neillt.com.  172731  IN      A       67.52.144.205
xen-server.neillt.com.  172731  IN      AAAA    2001:470:1f05:216:21c:c0ff:fe77:64b4

;; Query time: 142 msec
;; SERVER: 209.183.54.151#53(209.183.54.151)
;; WHEN: Sun Nov 23 09:05:04 2008
;; MSG SIZE  rcvd: 162



And just in case it's the secondary DNS server record screwing it up there... here is the dig for that server.

; <<>> DiG 9.4.2-P2 <<>> dns2.thorconsulting.org any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;dns2.thorconsulting.org.       IN      ANY

;; ANSWER SECTION:
dns2.thorconsulting.org. 3600   IN      A       67.52.144.204
dns2.thorconsulting.org. 3600   IN      AAAA    2001:470:1f05:216:21c:c0ff:fe77:64b4

;; AUTHORITY SECTION:
thorconsulting.org.     3600    IN      NS      ns17.domaincontrol.com.
thorconsulting.org.     3600    IN      NS      ns18.domaincontrol.com.

;; ADDITIONAL SECTION:
ns17.domaincontrol.com. 8877    IN      A       216.69.185.9

;; Query time: 2189 msec
;; SERVER: 209.183.54.151#53(209.183.54.151)
;; WHEN: Sun Nov 23 09:05:54 2008
;; MSG SIZE  rcvd: 156


If anyone has any clue on what might be screwing this up, I am all ears.  To be honest, I don't know what it is.

snarked

From those 3 digs, the NS records in the authority section differ.

kriteknetworks

dig @A.GTLD-SERVERS.NET ns neillt.com

; <<>> DiG 9.4.2-P2 <<>> @A.GTLD-SERVERS.NET ns neillt.com
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29925
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;neillt.com.                    IN      NS

;; ANSWER SECTION:
neillt.com.             172800  IN      NS      dns2.thorconsulting.org.
neillt.com.             172800  IN      NS      xen-server.neillt.com.

;; ADDITIONAL SECTION:
xen-server.neillt.com.  172800  IN      A       67.52.144.205
xen-server.neillt.com.  172800  IN      AAAA    2001:470:1f05:216:21c:c0ff:fe77:64b4


One NS appears to have ipv6 glue if I read this correctly...

snarked

Quote from: kriteknetworks
One NS appears to have ipv6 glue if I read this correctly...
I believe that ALL name servers must have IPv6 addresses in order to pass the test.

neillt

Well, I didn't change a thing, and just tried re-running the test today.  Worked just fine, and I am all the way to Sage now.

Maybe something was cached on a DNS server somewhere that wasn't right....   ???

jrcovert

It would be nice to hear from the test designer.

An earlier poster suggested that there had to be glue records for ALL of your NSs in order to pass.  Maybe that's no longer true (seems unrealistic at this point).  There is no glue AAAA record for dns2.thorconsulting.org (in fact, there's no IPv4 glue record, either; see below).  To see the output showing what it needs to look like if there really is a glue record try "host -ra speakup.octothorp.org c0.org.afilias-nst.info".  You need to go directly to the root server for the proper TLD of the NAME SERVER (not the domain itself), and it's best to shut off recursion.

If the earlier poster WAS correct, then it appears that the test has been changed to only require ONE NS to actually have AAAA glue.

/john


$ host -ra dns2.thorconsulting.org c0.org.afilias-nst.info
Trying "dns2.thorconsulting.org"
Using domain server:
Name: c0.org.afilias-nst.info
Address: 2001:500:b::1#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50482
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;dns2.thorconsulting.org.       IN      ANY

;; AUTHORITY SECTION:
thorconsulting.org.     86400   IN      NS      ns18.domaincontrol.com.
thorconsulting.org.     86400   IN      NS      ns17.domaincontrol.com.

Received 96 bytes from 2001:500:b::1#53 in 111 ms

broquea

Quote from: jrcovert on December 28, 2008, 10:05:37 PM
If the earlier poster WAS correct, then it appears that the test has been changed to only require ONE NS to actually have AAAA glue.

Yes, the Sage/glue test only needs 1 name server to have IPv6 glue. The issue was earlier we were still using a database of TLD servers that wasn't up to date. We no longer do that.

jrcovert

Now it's my turn to ask if there isn't still a bug with this test.

I transferred my domain to a registrar who would let me set up IPv6 glue myself, and I created the glue for ns1.covert.org:

$ host -ra ns1.covert.org a0.org.afilias-nst.info
Trying "ns1.covert.org"
Using domain server:
Name: a0.org.afilias-nst.info
Address: 2001:500:e::1#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34860
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 3

;; QUESTION SECTION:
;ns1.covert.org.                        IN      ANY

;; AUTHORITY SECTION:
covert.org.             86400   IN      NS      ns2.easydns.com.
covert.org.             86400   IN      NS      remote2.easydns.com.
covert.org.             86400   IN      NS      ns1.easydns.com.
covert.org.             86400   IN      NS      ns1.covert.org.
covert.org.             86400   IN      NS      remote1.easydns.com.
covert.org.             86400   IN      NS      ns3.easydns.org.
covert.org.             86400   IN      NS      mejac.palo-alto.ca.us.

;; ADDITIONAL SECTION:
ns1.covert.org.         86400   IN      A       72.93.205.54
ns1.covert.org.         86400   IN      AAAA    2001:470:8944:0:20d:93ff:fe3e:5292
ns3.easydns.org.        86400   IN      A       209.200.177.4

Received 258 bytes from 2001:500:e::1#53 in 428 ms

------

I waited nearly 48 hours to be sure caches were flushed.

Domain: covert.org
Domains TLD: org

NS Records: ns1.covert.org.
-TLD: org
-Server: c0.org.afilias-nst.info.
-Output: No Record
-Server: b2.org.afilias-nst.org.
-Output: No Record
-Server: d0.org.afilias-nst.org.
-Output: No Record
-Server: a2.org.afilias-nst.info.
-Output: No Record
-Server: b0.org.afilias-nst.org.
-Output: No Record
-Server: a0.org.afilias-nst.info.
-Output: No Record

Ooops?  What's wrong?

Thanks/john

kriteknetworks

Looks like it's working...


dig @a0.org.afilias-nst.info covert.org ns

; <<>> DiG 9.4.2-P2 <<>> @a0.org.afilias-nst.info covert.org ns
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11287
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;covert.org.                    IN      NS

;; AUTHORITY SECTION:
covert.org.             86400   IN      NS      ns1.covert.org.
covert.org.             86400   IN      NS      ns1.easydns.com.
covert.org.             86400   IN      NS      ns2.easydns.com.
covert.org.             86400   IN      NS      ns3.easydns.org.
covert.org.             86400   IN      NS      mejac.palo-alto.ca.us.
covert.org.             86400   IN      NS      remote1.easydns.com.
covert.org.             86400   IN      NS      remote2.easydns.com.

;; ADDITIONAL SECTION:
ns1.covert.org.         86400   IN      A       72.93.205.54
ns3.easydns.org.        86400   IN      A       209.200.177.4
ns1.covert.org.         86400   IN      AAAA    2001:470:8944:0:20d:93ff:fe3e:5292

;; Query time: 155 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Sun Jan  4 12:52:08 2009
;; MSG SIZE  rcvd: 258

broquea

TLD servers do not answer for host records when queried directly, which is the test. ADDITIONAL isn't a trusted answer for this test.

dig AAAA nameserver @tldserver +short

works for HE: dig aaaa ns2.he.net @B.GTLD-SERVERS.net +short (Network Solutions registered)

works for me personally: dig aaaa ns1.deus-exmachina.net @M.GTLD-SERVERS.net. +short (GoDaddy registered)
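Broquea's point is that the glue test queries the TLD server directly for the name server's AAAA and reads only the ANSWER section, so glue that merely rides along in the ADDITIONAL section of an NS query (as in kriteknetworks' dig above) does not count. The following added example, not HE's test code, parses dig-style output and reports where the record was found; the direct-query reply for ns.example.net is constructed.

```python
import re

# Copied from kriteknetworks' dig @a0.org.afilias-nst.info covert.org ns in this
# thread, trimmed: the AAAA for ns1.covert.org appears only in ADDITIONAL.
TLD_REPLY = """\
;; QUESTION SECTION:
;covert.org.                    IN      NS
;; AUTHORITY SECTION:
covert.org.             86400   IN      NS      ns1.covert.org.
covert.org.             86400   IN      NS      ns1.easydns.com.
;; ADDITIONAL SECTION:
ns1.covert.org.         86400   IN      A       72.93.205.54
ns1.covert.org.         86400   IN      AAAA    2001:470:8944:0:20d:93ff:fe3e:5292
"""

# Constructed reply to a direct "dig AAAA <ns> @<tld>" for a hypothetical name
# server (ns.example.net) whose glue the TLD server returns as an ANSWER.
DIRECT_REPLY = """\
;; QUESTION SECTION:
;ns.example.net.                IN      AAAA
;; ANSWER SECTION:
ns.example.net.         172800  IN      AAAA    2001:db8::53
"""

def parse_dig(output):
    """Group the resource records of a dig reply by section name."""
    sections, current = {}, None
    for line in output.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            fields = line.split(None, 4)  # owner ttl class type rdata
            if len(fields) == 5:
                sections[current].append(tuple(fields))
    return sections

def glue_location(output, nameserver, rrtype="AAAA"):
    """'answer' = counted by the test; 'additional' = ignored; None = absent."""
    secs = parse_dig(output)
    owner = nameserver.rstrip(".") + "."
    def present(section):
        return any(r[0] == owner and r[3] == rrtype for r in secs.get(section, []))
    if present("ANSWER"):
        return "answer"
    if present("ADDITIONAL"):
        return "additional"
    return None
```

Run against the .org reply, ns1.covert.org comes back as "additional", which is exactly why the Sage checker reported "No Record" for every .org server.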

jrcovert

Whoa!  It's my understanding that ORG only returns the glue records in the additional section, and it does it this way whether they are A or AAAA records.

Note that I explicitly requested "no recursion" (which a TLD server wouldn't have done anyway, so it wouldn't have been cached from a previous request, and thus nothing in the additional section COULD have come from any non-authoritative location).

And besides, the whole point of returning the A and AAAA records for name servers in the additional section is for efficiency's sake, so that you get what you want with a single query for the NS records to the TLD server.

Here's a screen shot of how I set it up in the domain manager last Friday morning.  http://www6.covert.org/ipv6_glue.jpg

/john

broquea

Quote from: yozh on January 12, 2009, 06:33:42 PM
So for the guru test the registrar has to support AAAA records? Or can the name servers just have the records? My domain yozh.us has the servers for the AAAA but not the tld servers. Do I have to find a new registrar?

For guru, we first look up the NS for your domain: dig +short NS $website
Then we ask for AAAA records: dig +short AAAA $ns_entry

Then for part 2, we query the NS' IPv6 address for the website: dig AAAA @$AAAA_record $website +short

Having an IPv6 host record in the TLD server (dig AAAA $ns_entry @TLD +short) isn't until Sage testing.

snarked

OK, but using "$website" for both parts may not work - thus fail domains that are properly reachable.

$ORIGIN example.com.
@       IN SOA etc...
             NS   whatever (assume IPv6 address exists).

NO A or AAAA record.

www   IN AAAA whatever.

No NS records.

Such a domain, properly set up, will fail your test because both parts of the test, although individually passing, will never be done together.

The DOMAIN (or zone cut) will have the NS records.
The HOSTNAME www under the domain is the web server.

Testing "example.com" passes the DNS but fails the web server part.
Testing "www.example.com" fails the DNS but passes the web server part.

Not everyone puts an address record at the domain's/zone's apex.

kriteknetworks

Spooky. I made this exact comment when the certs started, and had issues because I don't A/AAAA/CNAME the actual domain itself, just hosts on it :)

broquea

Ok I was perhaps too generic about $website.

If you entered www.example.com to test your website at Enthusiast, at Guru, you can set the edited domain to example.com.
Then it looks up the NS for example.com
Then it looks up the AAAA for those NS.
Then it queries the IPv6 address of the NS, for the AAAA of www.example.com, not example.com.

Unless all you entered was "example.com" at enthusiast, it won't query for a subdomainless hostname.
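The exchange between snarked and broquea above comes down to which name each step is run against. This added example (not HE's checker) models the three Guru steps over a constructed zone like snarked's, with stand-in lookup functions in place of dig, and shows that only the combination broquea describes passes: NS and AAAA lookups on the edited domain, then the final AAAA query for the www hostname.

```python
# Constructed zone data modelled on snarked's example: the apex example.com has
# NS records but no address record, www.example.com has an AAAA, and the name
# server ns1.example.com has an AAAA. Addresses are 2001:db8::/32 documentation
# space, not real servers.
ZONE = {
    ("example.com.", "NS"): ["ns1.example.com."],
    ("ns1.example.com.", "AAAA"): ["2001:db8::53"],
    ("www.example.com.", "AAAA"): ["2001:db8::80"],
}
AUTHORITATIVE = {"2001:db8::53": ZONE}  # which IPv6 address serves the zone

def lookup(name, rrtype):
    """Stand-in for 'dig +short <rrtype> <name>' via a recursive resolver."""
    return ZONE.get((name.rstrip(".") + ".", rrtype), [])

def query_at(server_v6, name, rrtype):
    """Stand-in for 'dig <rrtype> @<server_v6> <name> +short'."""
    return AUTHORITATIVE.get(server_v6, {}).get((name.rstrip(".") + ".", rrtype), [])

def guru_test(website, edited_domain):
    """Run the three Guru steps and return (passed, message)."""
    # Step 1: NS records are looked up on the edited domain (the zone cut).
    ns_names = lookup(edited_domain, "NS")
    if not ns_names:
        return False, "no NS records for %s" % edited_domain
    # Step 2: each NS must resolve to an IPv6 address.
    ns_v6 = [a for ns in ns_names for a in lookup(ns, "AAAA")]
    if not ns_v6:
        return False, "no AAAA for any NS of %s" % edited_domain
    # Step 3: ask the NS over IPv6 for the AAAA of the website hostname itself.
    for addr in ns_v6:
        if query_at(addr, website, "AAAA"):
            return True, "%s serves AAAA for %s" % (addr, website)
    return False, "NS answered no AAAA for %s" % website
```

Testing www.example.com with the edited domain set to example.com passes; running every step against www.example.com fails at the NS lookup, and running every step against example.com fails at the final AAAA query, as snarked predicted.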