• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Adding "glue" to BIND

Started by ejlilley, September 12, 2009, 08:52:39 AM

Previous topic - Next topic

ejlilley

My domain has itself one of its name servers (i.e. I control it), so in order to pass the "glue" (sage) test, I assume that I have to add some sort of record to BIND. However, I can't find *any* information about this, anywhere (I've googled, etc.).
Is it the case that adding IPv6 glue is something that is only ever done behind the scenes at registrars, so noone's ever bothered putting any documentation about it anywhere? I could handle AAAA records, and reverse IPv6 DNS fine, but this has completely stumped me.
The sage test gives me 2 options for domain names to test: ugnus.uk.eu.org, and beta.ugnus.uk.eu.org - these actually refer to the same server, but when I try it with the first one the output goes on and on about lots of random DNS servers that it seems to not like, such as "b2.org.afilias-nst.org." ... !!
Trying beta.ugnus.uk.eu.org is even worse -- it has a list of the root (!) name servers, saying there is "No record" in each of them.
So... where am I supposed to go from here? I have absolutely no idea :-)

broquea

Glue is creating an IPv6 record for your nameserver with your registrar, so it gets into the TLD servers for your domain.

For example, I have deus-exmachina.net, so I fall under .net TLD servers. GoDaddy (my registrar) allows me to create AAAA records in addition to my A records for my nameserver entries (host records). Then I can query .net TLD servers for my nameservers' IPv6 records directly and get an answer.

ejlilley

Thanks for the clarification & quick reply.

My domain name is technically a subdomain of eu.org -- so do I regard them as the registrar (and ask them about putting in the records), or does this glue test go straight to the top of the hierarchy and look for glue records for eu.org at _their_ registrar?
So do there have to be glue records at each step of the chain? (both in eu.org's nameservers, and my nameservers (which are a combination of my own server & xname's).

snarked

Glue is not necessary (and technically doesn't exist) if your name servers exist OUTSIDE of your domain.

Glue is needed when your name servers are inside the zone they serve, because they can't be reached in order to query for their own addresses.  (cf. "chicken vs. egg").

ejlilley

So is it impossible to reach the "Sage" level if you don't need glue?
(But doesn't the fact that "ugnus.uk.eu.org" is one of its own name servers mean that I *can* add glue if I really want to?)

broquea

Quote from: ejlilley on September 12, 2009, 12:54:52 PM
So is it impossible to reach the "Sage" level if you don't need glue?
(But doesn't the fact that "ugnus.uk.eu.org" is one of its own name servers mean that I *can* add glue if I really want to?)

The test is for the nameservers authoritative for your domain having ipv6 glue, in or out of bailiwick.

ejlilley

I don't understand your reply at all, sorry  ???

jimb

From your OP it sounds like you couldn't find a good explanation of glue.  FYI, here's a quick explanation of glue.  Suppose this situation:

Domain:bar.org
Name servers for bar.org:ns1 and ns2.bar.org
Host to look up:foo.bar.org

Here are roughly the steps a querying name server would take in the resolution process (leaving out some detail and intermediate steps, and presuming no cached entries):

1.Name server queries a root name server for foo.bar.org (a list of root name servers is of course kept in the named.root or named.cache files).
2.Root name server returns NS records for .org Top Level Domain (TLD).
3.Name server queries .org name servers for foo.bar.org.
4..org name server returns a list of name servers for bar.org (ns1 and ns2.bar.org).

Name server now has a conundrum:  It needs to query ns1.bar.org or ns2.bar.org, but it doesn't have A or AAAA records (e.g. IP addresses) for either.  But in order to get the IP addresses, it needs to query a name server for bar.org ... which it still doesn't have an IP address for.  Endless loop.  This is a circular dependency, or a "chicken vs. egg situation".  The solution:  Glue records.
5.The .org name server returns A and/or AAAA records for ns1.bar.org and/or ns2.bar.org.  Note carefully that these are host records that should only be living in the bar.org domain's name servers, but the .org name server is actually returning them.  These are called glue records.  It provides the informational glue between a parent and child domain, gluing them together, if you will, thus solving the circular dependency.
6.Name server queries ns1 or ns2.bar.org for the A or AAAA for foo.bar.org.

Note that the info need not be in a TLD name server to be considered glue.  Glue is required in any domain for which this circular dependency exists.  For instance, in the above example, if you replace the host "foo.bar.com" with "baz.foo.bar.com", and the NS for the domain "foo.bar.com" is "ns.foo.bar.com", then the "bar.com" name server must list an A or AAAA (glue) record for the NS "ns.foo.bar.com" for resolution to succeed.

Now, as far as the sage test goes, I'm not sure how it differs from that above definition/explanation.  Broquea did say that the name server could be out of bailiwick, which means that it doesn't have to be under the "eu.org" domain in your case.  So I believe that means that the test script enumerates a list of name servers for your domain, and that one of those servers must have IPv6 glue records in its parent domain's name servers.  I'm not sure if this parent domain must be a TLD or not.  Whether it enumerates the list of name servers by directly calling the TLD name servers, or whether it does it with a normal recursive query is the question here.  If the former, then it means that your domain must be a second level domain, since the TLD servers wont have any information about subdomains of second-level domain (i.e. xyz.eu.org).  If the latter, it means that you just need to get IPv6 glue for your subdomain's name servers on your parent domain's name severs and you're golden.  In other words, if this is true, you need to get an AAAA record for your name server (say, ns.xyz.eu.org) onto the name servers for "eu.org".

I notice that the "eu.org" domain does have an IPv6 name server called "ns-v6.eu.org", and that this server does have an IPv6 AAAA glue record on the ".org" name servers.  So, it may be possible to list "ns-v6.eu.org" as a name server for your domain (which I believe would technically be an "out of bailiwick" situation?), if you can get the eu.org people to be a secondary (slave) NS for your subdomain. 

Actually, I'm not even sure if the HE sage test script will even attempt to query that name server.  It may be happy simply seeing an NS record for your domain which has IPv6 glue in its parent domain's name servers, period.  But that'd be a bit of a cheat, IMHO.

Hope this helps.   ;D

ejlilley

Thanks for your comprehensive explanation  :) -- I think I understand it now:
there need to be glue records all the way down the chain of subdomains (.org -> eu.org -> ugnus.uk.eu.org), and you've noticed that there is glue for .org -> eu.org, so I need to ask eu.org to add glue which points at one of my nameservers (either xname or my own personal DNS server). Or I could ask ns-v6.eu.org to *be* my nameserver? (is that a different possibility, or am I getting confused again?)
Anyway, thanks for your help!

jimb

Not quite.  There needs to be IPv6 glue records specifically for one of the DNS servers which is authoritative for your domain.  E.g. one of the servers which has a full copy of your DNS zone and is listed as an "NS" in your zone files for your domain.

I mentioned ns-v6.eu.org because it's an IPv6 name server which has glue records in the .org name servers.  If it's possible to utilize this particular server as a name server for your domain, it should pass the "sage" test.

snarked

Note that ALL address records in the ROOT zone are glue.  If they weren't there, no TLD would be resolvable.

A glue record (for a name server) appears ONLY when that name server is within or below a zone it serves.

ejlilley

Right.
And in the file that bind reads do they look like normal A/AAAA records?

snarked


ejlilley

I now have glue in eu.org's nameservers -- an AAAA record for beta.ugnus.uk.eu.org, which is one of the nameservers for ugnus.uk.eu.org. eu.org's IPv6 nameserver, (ns-v6.eu.org), itself has glue at the .org registry -- so 2 levels of glue are now present & correct. However, the Sage test doesn't work -- it doesn't seem to be able to handle 2 levels of glue...I think this is quite unfair, so could HE please remedy this :D

jimb

Hrm.  I actually had thought your domain was directly under eu.org.  But it's actually under uk.eu.org. 

The name servers for uk.eu.org are NS.eu.org, and NS0.PLIG.NET.  ns.eu.org has an ipv6 address as well as an ipv4.  However, it does not have glue on the .org TLD servers.  This might be why the test is failing.  I can't really say without looking at the PHP code though.   :P

Also, ns.eu.org and ns-v6.eu.org are the same server.  They have the same IPv6 address.  If eu.org listed ns-v6.eu.org as a server for uk.eu.org, it might work.  Again, not sure.  It's all up to the vagaries of the PHP sage test script.  :)

Following down the chain, I've verified that the uk.eu.org name servers do have glue for your beta.ugnus.uk.eu.org name server.