
ipv6 certification and rdns

Started by digidoc, December 20, 2010, 09:28:05 AM


digidoc

Hello forum,

At the moment I think I have a working rdns setup, but when I go through the steps of the certification,
the step after the IPv6 email verification fails on rdns for the mail server.
If I check it myself manually, all seems well.
Am I missing something here?
Regards,
Hoyte Swager

(query for delegation)

imac:bin root# dig @ns1.he.net -x 2001:470:1f15:109f::

; <<>> DiG 9.7.2-P3 <<>> @ns1.he.net -x 2001:470:1f15:109f::
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60088
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns1.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns2.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns3.digi.nl.

;; Query time: 163 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Mon Dec 20 17:22:38 2010
;; MSG SIZE  rcvd: 151


(query for nameservers of reverse zone)

imac:bin root# dig @ns1.digi.nl. f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. any

; <<>> DiG 9.7.2-P3 <<>> @ns1.digi.nl. f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. any
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23669
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN ANY

;; ANSWER SECTION:
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN SOA   f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. tech.digi.nl. 2010121803 86400 1800 172800 259200
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns3.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns1.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns2.digi.nl.

;; ADDITIONAL SECTION:
ns1.digi.nl.      3600   IN   A   62.93.240.6
ns1.digi.nl.      3600   IN   AAAA   2001:470:1f15:109f::6
ns2.digi.nl.      3600   IN   A   78.108.138.42
ns3.digi.nl.      3600   IN   A   62.93.194.182

;; Query time: 26 msec
;; SERVER: 2001:470:1f15:109f::6#53(2001:470:1f15:109f::6)
;; WHEN: Mon Dec 20 17:23:04 2010
;; MSG SIZE  rcvd: 236



(query for reverse of mx)

imac:bin root# dig @ns1.digi.nl. 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ptr

; <<>> DiG 9.7.2-P3 <<>> @ns1.digi.nl. 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ptr
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30695
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN PTR   mx1.digi.nl.

;; AUTHORITY SECTION:
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns2.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns1.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN NS ns3.digi.nl.

;; ADDITIONAL SECTION:
ns1.digi.nl.      3600   IN   A   62.93.240.6
ns1.digi.nl.      3600   IN   AAAA   2001:470:1f15:109f::6
ns2.digi.nl.      3600   IN   A   78.108.138.42
ns3.digi.nl.      3600   IN   A   62.93.194.182

;; Query time: 22 msec
;; SERVER: 2001:470:1f15:109f::6#53(2001:470:1f15:109f::6)
;; WHEN: Mon Dec 20 17:24:11 2010
;; MSG SIZE  rcvd: 245


cholzhauer

What is the address of your mail server?

digidoc


cholzhauer

That doesn't show as being a mail server for your domain



[carl@mars ~]$ dig mx digi.nl

; <<>> DiG 9.6.2-P2 <<>> mx digi.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39483
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;digi.nl.                       IN      MX

;; ANSWER SECTION:
digi.nl.                3559    IN      MX      20 mx2.digi.nl.
digi.nl.                3559    IN      MX      5 mail.digi.nl.

;; ADDITIONAL SECTION:
mx2.digi.nl.            3600    IN      A       78.108.138.43
mail.digi.nl.           3600    IN      A       193.26.9.58

;; Query time: 715 msec
;; WHEN: Mon Dec 20 16:05:18 2010
;; MSG SIZE  rcvd: 98


The MX records listed don't have IPv6 addresses.

RDNS looks correct though



[carl@mars ~]$ host mx1.digi.nl
mx1.digi.nl has address 62.93.240.5
mx1.digi.nl has IPv6 address 2001:470:1f15:109f::5
[carl@mars ~]$ host 2001:470:1f15:109f::5
5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer mx1.digi.nl.

digidoc

I used hoyte@hoyte.nl for the successful IPv6 email cert test.
All names/numbers involved in DNS seem OK.
Any suggestions?
Regards,
Hoyte

imac:bin root# dig hoyte.nl mx +short
10 mx1.digi.nl.

imac:bin root# dig mx1.digi.nl aaaa +short
2001:470:1f15:109f::5

imac:bin root# dig -x 2001:470:1f15:109f::5 +short
mx1.digi.nl.

cholzhauer

I guess I'm confused then...you've already passed the email test?  Which test are you working on now? RDNS?

HE doesn't know about any of your stuff though


[carl@mars ~]$ dig -x 2001:470:1f15:109f::5 +short @ns2.he.net
[carl@mars ~]$
[carl@mars ~]$ dig mx1.digi.nl aaaa +short @ns2.he.net
[carl@mars ~]$
[carl@mars ~]$ dig hoyte.nl mx +short @ns2.he.net
[carl@mars ~]$

digidoc

Mmhh,
strange that the HE servers have not picked up on my servers.
Do you think they need AXFR access?
Anyway, in certification I am now at the step which has the following text:

Professional
Congratulations, you are an IPv6 Administrator! The next step after getting your IPv6 Email working is to setup Reverse DNS for the mail server's IP. What you will need is:

    * An IPv6 enabled mail system, with working RDNS.

Step    Description    Data
1    Check if your mail server has working rDNS

If I push the button I get:

Your MX does not appear to have working RDNS

Regards,
Hoyte

digidoc

If I check that ns2.he.net server for the glue records towards the reverse zone, they appear to be there:

imac:bin root# dig @ns2.he.net. f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ns +short
ns2.digi.nl.
ns3.digi.nl.
ns1.digi.nl.

And all my servers resolve the IPv6 address of mx1.digi.nl correctly:

imac:bin root# dig @ns1.digi.nl. 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ptr +short
mx1.digi.nl.
imac:bin root# dig @ns2.digi.nl. 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ptr +short
mx1.digi.nl.
imac:bin root# dig @ns3.digi.nl. 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ptr +short
mx1.digi.nl.

???
Regards,
Hoyte

cholzhauer

How long ago did you make the DNS changes?  It's possible that the changes have not propagated yet.  If it's been a while, you might need to email IPv6@he.net so they can kick their servers into working

kriteknetworks

dig digi.nl mx

; <<>> DiG 9.7.1-P2 <<>> digi.nl mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35148
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;digi.nl.         IN   MX

;; ANSWER SECTION:
digi.nl.      3600   IN   MX   5 mail.digi.nl.
digi.nl.      3600   IN   MX   20 mx2.digi.nl.

-----------------------------------------------------------------------------

dig aaaa mail.digi.nl

; <<>> DiG 9.7.1-P2 <<>> aaaa mail.digi.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32117
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;mail.digi.nl.         IN   AAAA

;; ANSWER SECTION:
mail.digi.nl.      3600   IN   AAAA   2001:470:e006:64::c11a:93a

---------------------------------------------------------------------------------------------------------------------

dig -x 2001:470:1f15:109f::6

; <<>> DiG 9.7.1-P2 <<>> -x 2001:470:1f15:109f::6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32592
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN PTR   ns1.digi.nl.


ns1.digi.nl is not listed as an MX.....

digidoc

Response to cholzhauer:
This was all set up yesterday with a TTL of 1h, so it should have gotten through.
I will mail ipv6@he.net about it.
If I query the he2 server it does redirect to my nameservers, though, for reverse lookups of that range.
Maybe the certification software is using old cache entries or something.

Response to kriteknetworks:
The email domain used in the cert test was hoyte.nl, which uses mx1.digi.nl as mail exchanger
(see previous posts for dig listings).

Response to both:
I really appreciate the effort this forum makes to help me in these early steps.
Thx!
Regards,
Hoyte



imac:bin root# dig -x 2001:470:1f15:109f::5 @ns2.he.net.

; <<>> DiG 9.7.2-P3 <<>> -x 2001:470:1f15:109f::5 @ns2.he.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25762
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns1.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns2.digi.nl.
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS ns3.digi.nl.

;; Query time: 494 msec
;; SERVER: 2001:470:200::2#53(2001:470:200::2)
;; WHEN: Tue Dec 21 17:44:15 2010
;; MSG SIZE  rcvd: 151


broquea


digidoc

Whoah! That is quick!
Now it works, I can get on to the next level.
Thank you very much for the quick response!
Regards,
Hoyte Swager

bluug

Hello,
I have a similar problem - after reading a "Your MX does not appear to have working RDNS" message, I tried and successfully used only IPv6 to send and receive a test mail (I used this facility, and checked my logs to confirm it was an IPv6 connection), yet the test returns the message as if the mail server has no working RDNS. The domain is bluug.org. Is it the same problem, or am I missing something specific to my setup?

17.03.2011. Edit: sorry, it was a BIND misconfiguration problem. All well now.

snarked

Quote...
;; ANSWER SECTION:
f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 259200 IN SOA   f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. tech.digi.nl. 2010121803 86400 1800 172800 259200
...
The SOA record is incorrect.  The first data field needs to be a name server, not the zone itself.
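
Added example (not part of any post in this thread, and not HE's certification code): the chain the posters check by hand with dig, MX to AAAA to PTR and back, plus the SOA MNAME point from the last post, run offline over records transcribed from the dig output quoted above. The function names and the RECORDS table are assumptions made for this illustration.

```python
import ipaddress

# Sample data: records transcribed from the dig output quoted in this thread,
# so the checks run offline. Only the MNAME field of the SOA is kept.
ZONE = "f.9.0.1.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa."
RECORDS = {
    ("hoyte.nl.", "MX"): ["mx1.digi.nl."],
    ("digi.nl.", "MX"): ["mail.digi.nl.", "mx2.digi.nl."],
    ("mx1.digi.nl.", "AAAA"): ["2001:470:1f15:109f::5"],
    ("mail.digi.nl.", "AAAA"): ["2001:470:e006:64::c11a:93a"],
    # No PTR for mail.digi.nl was quoted in the thread, so none is listed here.
    ("5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." + ZONE, "PTR"): ["mx1.digi.nl."],
    (ZONE, "NS"): ["ns1.digi.nl.", "ns2.digi.nl.", "ns3.digi.nl."],
    (ZONE, "SOA"): [ZONE],
}

def lookup(name, rtype):
    """Hypothetical stand-in for a DNS query: answer from RECORDS only."""
    return RECORDS.get((name.lower(), rtype), [])

def ptr_name(addr):
    """ip6.arpa owner name for an IPv6 address: 32 nibbles, reversed."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def forward_confirmed(addr):
    """True if some PTR target of addr has an AAAA equal to addr."""
    want = ipaddress.IPv6Address(addr)
    return any(ipaddress.IPv6Address(a) == want
               for target in lookup(ptr_name(addr), "PTR")
               for a in lookup(target, "AAAA"))

def check_mx_rdns(domain):
    """Map each MX host of domain to 'ok', 'no AAAA' or 'rDNS failed'."""
    results = {}
    for mx in lookup(domain, "MX"):
        addrs = lookup(mx, "AAAA")
        if not addrs:
            results[mx] = "no AAAA"
        elif all(forward_confirmed(a) for a in addrs):
            results[mx] = "ok"
        else:
            results[mx] = "rDNS failed"
    return results

def soa_mname_is_nameserver(zone):
    """The last post's point: SOA MNAME should be one of the zone's NS."""
    mname = lookup(zone, "SOA")
    return bool(mname) and mname[0] in lookup(zone, "NS")
```

To run the same checks against live DNS, replace lookup() with real queries; the rest is unchanged.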