• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Guru Test part3 broken?? [SOLVED]

Started by mfausett, March 07, 2011, 06:14:08 AM


mfausett

I have a synthetic setup just for certification: NS1.turnbridge.org. and NS3.turnbridge.org. with A, AAAA, MX and NS delegations for NS2.turnbridge.org - no machine, just a subdomain.

On step #3 of the Guru test I get the complaint that the nameservers aren't accessible; however, when I trace the nameservers I clearly see a pair of v6 queries, one on each nameserver (only one is shown below; they're nearly identical).
---------------------------
client @0x7fed6817d120: udprecv
client 2001:470:0:64::2#34702: UDP request
client 2001:470:0:64::2#34702: request is not signed
client 2001:470:0:64::2#34702: recursion not available
client 2001:470:0:64::2#34702: query
client 2001:470:0:64::2#34702: query 'ns2.turnbridge.org/AAAA/IN' approved
client 2001:470:0:64::2#34702: send
client 2001:470:0:64::2#34702: sendto
client 2001:470:0:64::2#34702: senddone
client 2001:470:0:64::2#34702: next
client 2001:470:0:64::2#34702: endrequest
-----------------------------------------
2001:470:0:64::2 --
> 2001:470:0:64::2
Server:  ns1.he.net
Address:  216.218.130.2

Name:    ipv6.he.net
Address:  2001:470:0:64::2
-------------------------

I don't see any other requests; the two servers can and do talk IPv6 to each other with wild abandon, and clearly get requests from HE.
The only thing I can think of now is that I have recursion turned off... but that seems like I'm grasping at straws.

What am I missing??
I've included the zone files, and named.conf below for reference.

Thanks
Mark F.

-----------
Guru

Congratulations, you are an IPv6 Professional! To complete the Guru Test you will need:
The Name Servers for ns2.turnbridge.org need to have a AAAA records
Those Name Servers need to respond to queries made via IPv6


[Reset Test]
Help   Step   Description   Data
*   1   If you need to edit off any subdomains to make it work, please do so here:   
*   2   Check to see that the nameservers associated with ns2.turnbridge.org have IPv6 AAAAs    Success
*   3   Check to see that the nameservers associated with ns2.turnbridge.org are IPv6 accessible    Couldn't query name server

-------------
The Turnbridge.org domain zone file:
$ORIGIN .
$TTL 3600       ; 1 hour
turnbridge.org          IN SOA  rackspace.fausett.us. root.rackspace.fausett.us. (
                               2011030307 ; serial
                               900        ; refresh (15 minutes)
                               300        ; retry (5 minutes)
                               604801     ; expire (1 week 1 second)
                               3600       ; minimum (1 hour)
                               )
$TTL 1800       ; 30 minutes
                       NS      ns1.turnbridge.org.
                       NS      ns3.turnbridge.org.
                       MX      10 ns1.turnbridge.org.
$ORIGIN turnbridge.org.
mtk                     AAAA    2001:470:8:b8b::1
ns1                     A       50.56.81.117
                       MX      10 ns1
                       AAAA    2001:470:1f11:d04::1
ns2                     NS      ns1
                       NS      ns3
$ORIGIN ns2.turnbridge.org.
ns1                     A       50.56.81.117
                       AAAA    2001:470:1f11:d04::1
$ORIGIN turnbridge.org.
ns3                     A       50.56.82.223
                       MX      10 ns1
                       AAAA    2001:470:1f11:d19::1
--------------
ns2.turnbridge.org.
--------------
$ORIGIN .
$TTL 3600       ; 1 hour
ns2.turnbridge.org      IN SOA  ns1.ns2.turnbridge.org. root.ns1.ns2.turnbridge.org. (
                               2011030307 ; serial
                               900        ; refresh (15 minutes)
                               300        ; retry (5 minutes)
                               604801     ; expire (1 week 1 second)
                               3600       ; minimum (1 hour)
                               )
$TTL 1800       ; 30 minutes
                       NS      ns1.turnbridge.org.
                       NS      ns3.turnbridge.org.
$ORIGIN ns2.turnbridge.org.
ns1                     A       50.56.81.117
                       MX      10 ns1.turnbridge.org.
                       AAAA    2001:470:1f11:d04::1
------------------
named.conf
------------------
options {
       listen-on port 53 { 127.0.0.1; 50.56.82.223; };
       listen-on-v6 port 53 { ::1; 2001:470:1f11:d19::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
       recursion no;

       dnssec-enable yes;
       dnssec-validation yes;
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";
};

logging {
       channel default_debug {
               file "data/named.run";
               severity debug 3;
       };
};

zone "." IN {
       type hint;
       file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "turnbridge.org" {
       type slave;
       file "/var/named/data/turnbridge.org";
       masters { 50.56.81.117; };
};
zone "ns2.turnbridge.org" {
       type slave;
       file "/var/named/data/ns2.turnbridge.org";
       masters { 50.56.81.117; 2001:470:1f11:d04::1; };
};

snarked

Missing glue and nameserver for "ns3.ns2.turnbridge.org."

mfausett

I think I've fixed these, but #3 is still failing.
I can't quite figure out what's being tested in the Guru test; I see fetches of the AAAA records via v6, then nothing.
Could I get a hint on what queries are being performed, so that I can test and debug the name server to remediate, rather than reverse-engineering the test by trial and error?

thanks!
mf

mfausett

ARGH;  you *require* an address record for the domain itself.
I've got it now;  the videos referenced in the FAQ helped.  But something referencing what failed in the test would have saved a lot of time.
Thanks,

mf
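The thread ends with two findings: snarked's point about missing glue for an in-bailiwick nameserver name, and mfausett's discovery that the delegated name itself needs an address record. The following offline lint, added here as an example (it is not HE's Guru test and not the poster's tooling), parses a BIND-style zone with a small subset parser ($ORIGIN, $TTL, ";" comments, inherited owners, parenthesised multi-line records) and reports both conditions plus the AAAA-on-every-NS precondition, so the zone can be checked before re-running the test. PARENT_ZONE is the posted parent zone, condensed; all helper names are this example's own.

```python
# Added example (not HE's Guru test or the poster's tooling): lint a BIND-style
# zone for what step 3 presupposes. PARENT_ZONE is the posted parent zone, condensed.
import re

PARENT_ZONE = """\
$ORIGIN turnbridge.org.
@               NS      ns1.turnbridge.org.
                NS      ns3.turnbridge.org.
ns1             A       50.56.81.117
                AAAA    2001:470:1f11:d04::1
ns2             NS      ns1
                NS      ns3
ns3             A       50.56.82.223
                AAAA    2001:470:1f11:d19::1
"""

def absolutize(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@": return origin
    return name if name.endswith(".") else name + ("." if origin == "." else "." + origin)

def parse_zone(text):
    """Return (owner, rtype, rdata) triples; owners and NS targets are absolute."""
    text = re.sub(r";[^\n]*", "", text)                                  # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)  # join (...)
    origin, owner, records = ".", None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "$TTL": continue
        if fields[0] == "$ORIGIN": origin = fields[1]; continue
        if not line[0].isspace(): owner = absolutize(fields.pop(0), origin)   # else inherit
        while fields[0] == "IN" or fields[0].isdigit(): fields.pop(0)         # class / TTL
        if fields[0] == "NS": fields[1] = absolutize(fields[1], origin)
        records.append((owner, fields[0], fields[1:]))
    return records

def check_delegation(records, child):
    """AAAA on every NS, glue for in-bailiwick NS names, an address on `child` itself."""
    rrsets, problems = {}, []
    for owner, rtype, rdata in records:
        rrsets.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    for (ns,) in rrsets.get(child, {}).get("NS", []):
        types = rrsets.get(ns, {}).keys()
        if ns.endswith("." + child) and not types & {"A", "AAAA"}:
            problems.append(f"missing glue for {ns}")
        if "AAAA" not in types:
            problems.append(f"no AAAA for {ns}, not reachable over IPv6")
    if not rrsets.get(child, {}).keys() & {"A", "AAAA"}:
        problems.append(f"{child} has no A/AAAA of its own")
    return problems
```

Run against the posted parent zone, `check_delegation(parse_zone(PARENT_ZONE), "ns2.turnbridge.org.")` reports only that ns2.turnbridge.org. has no address record of its own, which is the condition mfausett eventually found the test requires.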