
IPv6 glue test impossible with afraid.org domains?

Started by miloszgancarz, August 03, 2009, 12:52:39 PM


snarked

RE - Yorick:  You don't understand what "glue" means.  It's defined in the DNS RFCs with a specific meaning.

Those IPv6 address records are NOT glue records.  They are for name servers whose hostnames are outside of the TLD of the domain being accessed.

Only address records for name servers INSIDE the zone (domain) they are part of are glue records (when at the parent zone's name servers).  Other address records for name servers are not glue records. 

leenoux

#31
Both yorick and snarked are right  :) from my perspective.
They're just not "in sync" with each other  ;D

Their arguments can cause acute headaches for people who do not have deep knowledge of how DNS works  ;D

** just joking **

yorick

Quote from: leenoux on August 12, 2009, 08:25:41 PM
Their arguments can cause acute headaches for people who do not have deep knowledge of how DNS works  ;D

You're right about that - which is why this has now moved to PM. I hope those who are trying to complete Sage on afraid.org can still figure out how to do that from this at-times contentious thread. It certainly can be done, no matter what you end up calling the method by which it is done.  ;D

swschulz

Quick question for those who have made it through sage:

I currently have been working through the cert stages with a domain hosted at home.  That domain, abc.net, currently has two nameservers alpha.bravo.org and charlie.delta.com.  Both of those domain records are maintained at name.com who don't seem to support adding glue records.  On the other hand, abc.net is registered at GoDaddy, so I could easily add an IPv6 hostname to its record (e.g. ns1.abc.net) which could then have a glue record (if I understand the usage here correctly).

I wonder though if one can register a nameserver with only an IPv6 address?

Secondly, at this point the domain abc.net would have three nameservers.  Does the test check all three for glue records, or can I get past with only one?

jimb

#34
Yes.  You can register a host record with only IPv6.  I did it for mine.  Worked with the test too.

My setup also had two IPv4 only name servers, and one IPv6 only name server.  Sage worked.

I can't quite remember if I used my 2nd level domain, or a subdomain for the Sage test.  I think I used a subdomain.  But I added that name server to my 2nd level too, along with the glue record (which means I get queries over IPv6 for my domain sometimes).

(EDIT: to clarify, the IPv6 name server I added was named the same as the subdomain, and listed as the name server for both the subdomain, and as one of the servers for the parent 2nd level domain)

swschulz

Thank you jimb... That did the trick.  I was getting confused by reading some of the posts in this thread, and was beginning to believe that these glue records were somehow different than the standard nameserver glue records.

Got mine added and waited for the he.net boxes to expire the old data, and now everything is golden.

I guess that feature is one more thing to consider when comparing domain name registrars.  I've emailed name.com in re: their support for IPv6 nameserver definitions, but have not yet received a response.  Guess I need to leave the nameservers on GD.

Again, many thanks for the quick clarification...

A Sage :)


deags

#36
Hi,
I think I have my setup correct; it's just that the test is not working?

http://network-tools.com/default.asp?prog=dnsrec&host=1.qld-rural.info

The domain I'm testing is 1.qld-rural.info

Entries at afraid:
   1.qld-rural.info (G)   NS   ns1.1.qld-rural.info
   1.qld-rural.info (G)   NS   ns2.1.qld-rural.info
   ns1.1.qld-rural.info (G)   A   60.241.215.178
   ns1.1.qld-rural.info (G)   AAAA   2001:0470:b8d9:0056:0000:0000:0000:000
   ns2.1.qld-rural.info (G)   A   204.42.254.5
   ns2.1.qld-rural.info (G)   AAAA   2001:418:3f4::5


The test is looking up the root nameservers?

NS Records: ns.1.qld-rural.info.
-TLD: info
-Server: b0.info.afilias-nst.org.
-Output: No Record
-Server: a2.info.afilias-nst.info.
-Output: No Record
-Server: b2.info.afilias-nst.org.
-Output: No Record
-Server: d0.info.afilias-nst.org.
-Output: No Record
-Server: a0.info.afilias-nst.info.
-Output: No Record
-Server: c0.info.afilias-nst.info.
-Output: No Record
1.qld-rural.info
1.qld-rural.info


# dig ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44138
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;ns1.1.qld-rural.info.          IN      AAAA

;; ANSWER SECTION:
ns1.1.qld-rural.info.   86400   IN      AAAA    2001:470:b8d9:56::1

;; AUTHORITY SECTION:
1.qld-rural.info.       86400   IN      NS      ns2.1.qld-rural.info.
1.qld-rural.info.       86400   IN      NS      ns1.1.qld-rural.info.

;; ADDITIONAL SECTION:
ns1.1.qld-rural.info.   86400   IN      A       60.241.215.178
ns2.1.qld-rural.info.   86400   IN      A       204.42.254.5
ns2.1.qld-rural.info.   86400   IN      AAAA    2001:418:3f4::5

;; Query time: 244 msec
;; SERVER: 60.241.215.178#53(60.241.215.178)
;; WHEN: Fri Nov 27 07:02:19 2009
;; MSG SIZE  rcvd: 158

snarked

#37
OK, but why should "1.qld-rural.info" be listed at the ".info" name servers?

"qld-rural.info" is the domain for which the ".info" servers would list NS records.

"1.qld-rural.info" is properly listed at the "afraid.org" servers with a delegation that includes glue.  Since all 4 servers for "qld-rural.info" are NOT under ".info" (but are under the ".org" TLD), no glue is needed at that level.


PS:  I prefer the advanced interface:  http://network-tools.com/nslook/Default.asp

From "dig +trace":
.         518400 IN NS E.ROOT-SERVERS.NET.
.         518400 IN NS K.ROOT-SERVERS.NET.
.         518400 IN NS M.ROOT-SERVERS.NET.
.         518400 IN NS H.ROOT-SERVERS.NET.
.         518400 IN NS F.ROOT-SERVERS.NET.
.         518400 IN NS J.ROOT-SERVERS.NET.
.         518400 IN NS I.ROOT-SERVERS.NET.
.         518400 IN NS C.ROOT-SERVERS.NET.
.         518400 IN NS B.ROOT-SERVERS.NET.
.         518400 IN NS D.ROOT-SERVERS.NET.
.         518400 IN NS L.ROOT-SERVERS.NET.
.         518400 IN NS G.ROOT-SERVERS.NET.
.         518400 IN NS A.ROOT-SERVERS.NET.
;; Received 299 bytes from ::1#53(::1) in 39 ms

info.         172800 IN NS C0.INFO.AFILIAS-NST.info.
info.         172800 IN NS D0.INFO.AFILIAS-NST.ORG.
info.         172800 IN NS A0.INFO.AFILIAS-NST.info.
info.         172800 IN NS B2.INFO.AFILIAS-NST.ORG.
info.         172800 IN NS A2.INFO.AFILIAS-NST.info.
info.         172800 IN NS B0.INFO.AFILIAS-NST.ORG.
;; Received 448 bytes from 2001:500:2f::f#53(F.ROOT-SERVERS.NET) in 64 ms

qld-rural.info.      86400 IN NS ns1.qld-rural.info.
qld-rural.info.      86400 IN NS ns2.qld-rural.info.
qld-rural.info.      86400 IN NS ns3.qld-rural.info.
qld-rural.info.      86400 IN NS ns4.qld-rural.info.
;; Received 181 bytes from 2001:500:1b::1#53(C0.INFO.AFILIAS-NST.info) in 79 ms

1.qld-rural.info.   3600 IN   NS ns2.1.qld-rural.info.
1.qld-rural.info.   3600 IN   NS ns1.1.qld-rural.info.
;; Received 169 bytes from 67.19.72.206#53(ns1.qld-rural.info) in 43 ms

1.qld-rural.info.   86400 IN SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. (
            2009112501 ; serial
            28800      ; refresh (8 hours)
            7200       ; retry (2 hours)
            864000     ; expire (1 week 3 days)
            86400      ; minimum (1 day)
            )
1.qld-rural.info.   86400 IN NS ns1.1.qld-rural.info.
1.qld-rural.info.   86400 IN NS ns2.1.qld-rural.info.
;; Received 211 bytes from 2001:418:3f4::5#53(ns2.1.qld-rural.info) in 68 ms

SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns2.1.qld-rural.info in 345 ms.
SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns1.1.qld-rural.info in 271 ms.
Noting that "ns[1-4].qld-rural.info" map to the same addresses as "ns[1-4].afraid.org."




dualarrow

Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.

You need to think hard about what the glue is and how it's used. When you do this, you'll see you can use tunnelbroker's free DNS in conjunction with afraid to complete the test. It took me a day or 2 to wrap my brain around the solution, but it was worth it.

Andrew

onehalf3544

Quote from: dualarrow on March 11, 2012, 04:22:35 AM
Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.

Indeed! I have also just completed the Sage test with a domain from afraid.org. It all turned out to be very simple after some thinking and googling.
Sure, it is much better (from the educational point of view) to set up a DNS server, but I had this done for the Guru test, so I don't think I've missed anything (except paying the registrar for a domain with a glue record, of course =).

kasperd

I am curious how you pulled that off considering that none of the afraid.org DNS servers have an IPv6 address at all. Can you point me to a domain, where you made it work?

onehalf3544

Actually ns1.afraid.org has AAAA record:

%host ns1.afraid.org | grep IPv6
ns1.afraid.org has IPv6 address 2607:f0d0:1102:d5::2

Domain used for test is onehalf3544.strangled.net

kasperd

Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Actually ns1.afraid.org has AAAA record
But ns1.afraid.org is not an NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.

Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Domain used for test is onehalf3544.strangled.net
That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command:

dig -6 +trace -t aaaa onehalf3544.strangled.net

To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.

Does the certification use a buggy dig command behind the scenes?
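An added example, not code from this thread or from HE's certification, that models the reasoning in snarked's definition of glue and in kasperd's post above over constructed data: a zone is resolvable over IPv6 alone only if its parent is, and one of its NS hosts has an AAAA that is either glue (host inside the zone) or itself reachable over IPv6 (host outside the zone). The afraid.org NS names a.ns/b.ns.afraid.org, the example.com zone and the assumption that root and TLD servers are IPv6-reachable are all made up for the model.

```python
TLDS = {"org", "net", "com"}   # assumption: root and TLD servers are IPv6-reachable

# zone -> NS hostnames (constructed). afraid.org's own NS names are placeholders;
# the thread only says they are IPv4-only. example.com mirrors jimb's setup.
NS = {
    "afraid.org": ["a.ns.afraid.org", "b.ns.afraid.org"],
    "strangled.net": ["ns1.afraid.org"],
    "onehalf3544.strangled.net": ["ns1.afraid.org"],
    "example.com": ["ns1.example.com", "ns2.example.com"],
}
# host -> address record types it publishes (constructed).
ADDR = {
    "a.ns.afraid.org": {"A"}, "b.ns.afraid.org": {"A"},
    "ns1.afraid.org": {"A", "AAAA"},
    "ns1.example.com": {"AAAA"},  # IPv6-only host with AAAA glue at the registrar
    "ns2.example.com": {"A"},
}

def is_glue(host, zone):
    """Only an address record for an NS host inside its own zone is glue."""
    return host.endswith("." + zone)

def enclosing_zone(name):
    """Closest zone cut at or above `name` in the model."""
    labels = name.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in NS or cand in TLDS:
            return cand
    return "."

def v6_reachable(zone, seen=frozenset()):
    """Can an IPv6-only resolver reach an authoritative server for `zone`?"""
    if zone == "." or zone in TLDS:
        return True, f"{zone}: assumed IPv6-reachable"
    if zone in seen:
        return False, f"{zone}: dependency loop"
    parent = enclosing_zone(zone.split(".", 1)[1]) if "." in zone else "."
    ok, why = v6_reachable(parent, seen | {zone})  # must find the delegation first
    if not ok:
        return False, why
    why = f"{zone}: no NS reachable over IPv6"
    for ns in NS[zone]:
        if "AAAA" not in ADDR.get(ns, set()):
            continue                       # IPv4-only server, useless here
        if is_glue(ns, zone):              # parent hands out the AAAA as glue
            return True, f"{zone}: via in-bailiwick {ns} (AAAA glue at {parent})"
        if v6_reachable(enclosing_zone(ns), seen | {zone})[0]:
            return True, f"{zone}: via out-of-bailiwick {ns}"
        why = f"{zone}: {ns} has AAAA but its zone is not IPv6-reachable"
    return False, why
```

Running `v6_reachable("onehalf3544.strangled.net")` reproduces kasperd's objection (the chain dies at afraid.org), while `v6_reachable("example.com")` succeeds through the in-bailiwick AAAA glue.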

onehalf3544

Quote from: kasperd on October 26, 2012, 11:03:20 AM
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Actually ns1.afraid.org has AAAA record
But ns1.afraid.org is not an NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.
I agree.

Quote from: kasperd on October 26, 2012, 11:03:20 AM
Quote from: onehalf3544 on October 26, 2012, 08:03:07 AM
Domain used for test is onehalf3544.strangled.net
That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command:

dig -6 +trace -t aaaa onehalf3544.strangled.net

To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.

Does the certification use a buggy dig command behind the scenes?
Maybe their dig is buggy, but they don't even run it with the "-6" option.
And their checks don't care about the entire chain - the Guru test runs the following:

dig NS $domain
dig AAAA $NS
dig AAAA $domain @$nsAAAA


Sage test:

dig NS $domain
dig AAAA $ns @$tld_server


All those commands run successfully even with the "-6" option.

But I agree that tests should be tweaked to check for ipv6-only reachability.