Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Guru Test part3 broken?? [SOLVED]  (Read 4579 times)

mfausett

« on: March 07, 2011, 06:14:08 AM »

I have a synthetic setup just for certification;  NS1.turnbridge.org. and NS3.turnbridge.org. with A,AAAA,MX and NS delegations for NS2.turnbridge.org - no machine, just a subdomain.

On the #3 in the Guru test I get the complaint that nameservers aren't accessible, however when I trace the nameservers, I clearly see a pair of v6 queries, one on each nameserver: (only one below, they're nearly identical).
---------------------------
client @0x7fed6817d120: udprecv
client 2001:470:0:64::2#34702: UDP request
client 2001:470:0:64::2#34702: request is not signed
client 2001:470:0:64::2#34702: recursion not available
client 2001:470:0:64::2#34702: query
client 2001:470:0:64::2#34702: query 'ns2.turnbridge.org/AAAA/IN' approved
client 2001:470:0:64::2#34702: send
client 2001:470:0:64::2#34702: sendto
client 2001:470:0:64::2#34702: senddone
client 2001:470:0:64::2#34702: next
client 2001:470:0:64::2#34702: endrequest
-----------------------------------------
2001:470:0:64::2 --
> 2001:470:0:64::2
Server:  ns1.he.net
Address:  216.218.130.2

Name:    ipv6.he.net
Address:  2001:470:0:64::2
-------------------------

I don't see any other requests; the two servers can and do talk ipv6 to each other with wild abandon, and clearly get requests from HE.
The only thing I can think of now, is that I have recursion turned off... but that seems like I'm grasping at straws.

What am I missing??
I've included the zone files, and named.conf below for reference.

Thanks
Mark F.

-----------
Guru

Congratulations, you are an IPv6 Professional! To complete the Guru Test you will need:
The Name Servers for ns2.turnbridge.org need to have a AAAA records
Those Name Servers need to respond to queries made via IPv6


[Reset Test]
Help   Step   Description   Data
*   1   If you need to edit off any subdomains to make it work, please do so here:   
*   2   Check to see that the nameservers associated with ns2.turnbridge.org have IPv6 AAAAs    Success
*   3   Check to see that the nameservers associated with ns2.turnbridge.org are IPv6 accessible    Couldn't query name server

-------------
The Turnbridge.org domain zone file:
$ORIGIN .
$TTL 3600       ; 1 hour
turnbridge.org          IN SOA  rackspace.fausett.us. root.rackspace.fausett.us. (
                                2011030307 ; serial
                                900        ; refresh (15 minutes)
                                300        ; retry (5 minutes)
                                604801     ; expire (1 week 1 second)
                                3600       ; minimum (1 hour)
                                )
$TTL 1800       ; 30 minutes
                        NS      ns1.turnbridge.org.
                        NS      ns3.turnbridge.org.
                        MX      10 ns1.turnbridge.org.
$ORIGIN turnbridge.org.
mtk                     AAAA    2001:470:8:b8b::1
ns1                     A       50.56.81.117
                        MX      10 ns1
                        AAAA    2001:470:1f11:d04::1
ns2                     NS      ns1
                        NS      ns3
$ORIGIN ns2.turnbridge.org.
ns1                     A       50.56.81.117
                        AAAA    2001:470:1f11:d04::1
$ORIGIN turnbridge.org.
ns3                     A       50.56.82.223
                        MX      10 ns1
                        AAAA    2001:470:1f11:d19::1
--------------
ns2.turnbridge.org.
--------------
$ORIGIN .
$TTL 3600       ; 1 hour
ns2.turnbridge.org      IN SOA  ns1.ns2.turnbridge.org. root.ns1.ns2.turnbridge.org. (
                                2011030307 ; serial
                                900        ; refresh (15 minutes)
                                300        ; retry (5 minutes)
                                604801     ; expire (1 week 1 second)
                                3600       ; minimum (1 hour)
                                )
$TTL 1800       ; 30 minutes
                        NS      ns1.turnbridge.org.
                        NS      ns3.turnbridge.org.
$ORIGIN ns2.turnbridge.org.
ns1                     A       50.56.81.117
                        MX      10 ns1.turnbridge.org.
                        AAAA    2001:470:1f11:d04::1
------------------
named.conf
------------------
options {
        listen-on port 53 { 127.0.0.1; 50.56.82.223; };
        listen-on-v6 port 53 { ::1; 2001:470:1f11:d19::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity debug 3;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "turnbridge.org" {
        type slave;
        file "/var/named/data/turnbridge.org";
        masters { 50.56.81.117; };
};
zone "ns2.turnbridge.org" {
        type slave;
        file "/var/named/data/ns2.turnbridge.org";
        masters { 50.56.81.117; 2001:470:1f11:d04::1; };
};
« Last Edit: March 11, 2011, 11:38:53 AM by mfausett »

snarked

« Reply #1 on: March 07, 2011, 12:13:58 PM »

Missing glue and nameserver for "ns3.ns2.turnbridge.org."

mfausett

« Reply #2 on: March 11, 2011, 11:22:04 AM »

I think I've fixed these, but still failing #3.
I can't quite figure out what's being tested in the Guru test; I see fetches of the AAAA records, via V6, then nothing.
Could I get a hint on what queries are being performed, so that I can test and debug the name server to remediate, rather than reverse engineering the test by trial and error?

thanks!
mf

mfausett

« Reply #3 on: March 11, 2011, 11:38:13 AM »

ARGH;  you *require* an address record for the domain itself.
I've got it now;  the videos referenced in the FAQ helped.  But something referencing what failed in the test would have saved a lot of time.
Thanks,

mf
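An offline check for the two conditions this thread turns on (the delegated zone's name servers have AAAA records, and the zone name itself has an address record), added here as an example; it is not code from any poster or from Hurricane Electric. The zone text is a constructed sample based on the ns2.turnbridge.org zone posted above with the parent's AAAA records for ns1 and ns3 appended, and `fqdn`, `parse` and `check_zone` are hypothetical helper names; the parser covers only the master-file features that zone uses.

```python
import re
# Constructed sample: the posted ns2 zone plus the parent's AAAA records for its NS targets.
ZONE = """\
$ORIGIN .
$TTL 3600       ; 1 hour
ns2.turnbridge.org  IN SOA  ns1.ns2.turnbridge.org. root.ns1.ns2.turnbridge.org. (
                        2011030307 900 300 604801 3600 )
                    NS      ns1.turnbridge.org.
                    NS      ns3.turnbridge.org.
$ORIGIN turnbridge.org.
ns1                 AAAA    2001:470:1f11:d04::1
ns3                 AAAA    2001:470:1f11:d19::1
"""

def fqdn(name, origin):
    # Qualify a relative owner or target name against the current $ORIGIN.
    return (name if name.endswith(".") else name + "." + origin.lstrip(".")).lower()

def parse(text):
    """Return (owner, type, rdata) triples; handles $ORIGIN, blank owners, ( ) and ; only."""
    text = re.sub(r";[^\n]*", "", text)                       # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    origin, owner, records = ".", None, []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "$ORIGIN":
            origin = tok[1]
        if not tok or tok[0].startswith("$"):                 # directives carry no record
            continue
        if not line[0].isspace():        # a line starting with blanks reuses the last owner
            owner = fqdn(tok.pop(0), origin)
        while tok[0].isdigit() or tok[0].upper() == "IN":     # skip TTL and class
            tok.pop(0)
        rtype = tok.pop(0).upper()
        records.append((owner, rtype, fqdn(tok[0], origin) if rtype == "NS" else " ".join(tok)))
    return records

def check_zone(zone, records):
    """Report NS targets lacking AAAA and a zone name lacking its own address record."""
    zone = fqdn(zone, ".")
    has_aaaa = {o for o, t, _ in records if t == "AAAA"}
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = [f"NS target {rd} has no AAAA record" for o, t, rd in records
                if o == zone and t == "NS" and rd not in has_aaaa]
    if zone not in has_addr:
        problems.append(f"{zone} has no A or AAAA record of its own")
    return problems

print(check_zone("ns2.turnbridge.org", parse(ZONE)))
```

On the sample the only finding is the missing address record at the zone name, which matches the resolution in the last post.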