• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Sage test - revisited...

Started by ricky011, January 28, 2014, 07:43:47 AM

Previous topic - Next topic

ricky011

I trying to get to Sage, and am stuck on the last test, with a rather cryptic message "Delegation chain not complete for IPv6-only"
The domain I'm using is ipv6.in.rs

I've looked at this for a few hours, while at work, so maybe not close enough, but if somebody would be kind enough to point me to a solution or in a right direction, what am I doing wrong, I'd be very thankfull... :)

Thanks!

broquea

You created host records that point to ns1/ns2.he.net inside your own domain, which is kind of weird. If you are using dns.he.net, just use the out-of-baliwick state you created. Otherwise I assume the ipv6-only chain is broken by the 4 authoritative name servers for in.rs:

in.rs.                  3600    IN      NS      odisej.telekom.rs.
in.rs.                  3600    IN      NS      ns1.rnids.rs.
in.rs.                  3600    IN      NS      ns2.rnids.rs.
in.rs.                  3600    IN      NS      ns1.nic.rs.

:~$ host odisej.telekom.rs.
odisej.telekom.rs has address 195.178.32.2
:~$ host ns1.rnids.rs.
ns1.rnids.rs has address 91.199.17.59
:~$ host ns2.rnids.rs.
ns2.rnids.rs has address 91.199.17.60
:~$ host ns1.nic.rs.
ns1.nic.rs has address 147.91.8.6


Clearly these 4 have no IPv6 associated with them, where as the nic.rs servers do.

kasperd

Quote from: ricky011 on January 28, 2014, 07:43:47 AMI trying to get to Sage, and am stuck on the last test, with a rather cryptic message "Delegation chain not complete for IPv6-only"
The domain I'm using is ipv6.in.rs
Going through the resolution process manually, I make it to this point:$ dig +norecurse -t aaaa ipv6.in.rs @f.nic.rs.

; <<>> DiG 9.8.1-P1 <<>> +norecurse -t aaaa ipv6.in.rs @f.nic.rs.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1007
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;ipv6.in.rs.                    IN      AAAA

;; AUTHORITY SECTION:
in.rs.                  3600    IN      NS      ns1.rnids.rs.
in.rs.                  3600    IN      NS      odisej.telekom.rs.
in.rs.                  3600    IN      NS      ns2.rnids.rs.
in.rs.                  3600    IN      NS      ns1.nic.rs.

;; ADDITIONAL SECTION:
ns1.nic.rs.             3600    IN      A       147.91.8.6
ns1.rnids.rs.           3600    IN      A       91.199.17.59
ns2.rnids.rs.           3600    IN      A       91.199.17.60

;; Query time: 42 msec
;; SERVER: 2001:500:14:6032:ad::1#53(2001:500:14:6032:ad::1)
;; WHEN: Tue Jan 28 16:57:49 2014
;; MSG SIZE  rcvd: 169
The DNS servers responsible for rs. do have IPv6 support, and once I query it (non-recursively) for ipv6.in.rs, it will point me towards the authoritative DNS servers responsible for the in.rs domain. Knowing just the names of the servers I need to communicate with at the next step is insufficient, since I'd need to know their address in order to ask them what their address is. That is why the reply I got contains not just the names, but also the IP addresses. This is known as glue records.

For the next step of resolution, an IPv6-only DNS resolver will use one of the AAAA records in the additional section of the reply. Unfortunately, there are no AAAA records. One of the names is outside the in.rs domain, so an IPV6-only DNS resolver would not give up just yet, but if it proceeds with trying the alternative, it will run into the same problem again. So what you need to do in order to proceed is to either get IPv6 support on one of those four name servers hosting the in.rs zone or replicate the zone to another DNS server, which does have IPv6 support. If upgrading one of those four DNS servers to have IPv6 support is not an option, you could instead try using the DNS service offered by HE.

ricky011

thank you all, I'm a SAGE now :) but no thanks to my national domain registrar...

in the end I figured I'd be better off using an .INFO domain, which proved to be true, all Sage checks passed instantly...

waiting for my T-shirt now :)

once again, thanks!