• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Guru question

Started by tobind, May 16, 2011, 11:14:22 AM

Previous topic - Next topic

tobind

Check to see that the nameservers are IPv6 accessible.

I've checked and we have 5 nameservers answering for our domain.  2 do not have AAAA records while the others do.  Is this why it is failing? 

cholzhauer

i dont have a way to test, but yes, it's a crapshoot as to which server is queried.  so, depending on which one answers, the test might see the one with only an A record

johnpoz

#2
what is the domain and record in question, and then we can test.

But exactly its if there is more than 1 NS for a domain, and some of these name servers do not have all the same records your just throwing the dice every time a query is made if you hit the NS with the record you want.

Simple test you can do is with dig and +trace so you see exactly what is going on.  So for example asking for ipv6.google.com AAAA

; <<>> DiG 9.7.3 <<>> ipv6.google.com AAAA +trace
<snipped>
;; Received 493 bytes from 192.112.36.4#53(g.root-servers.net) in 163 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
;; Received 169 bytes from 192.52.178.30#53(k.gtld-servers.net) in 141 ms

ipv6.google.com.        604800  IN      CNAME   ipv6.l.google.com.
ipv6.l.google.com.      300     IN      AAAA    2001:4860:b007::67
;; Received 82 bytes from 216.239.32.10#53(ns1.google.com) in 34 ms

So in the above case you see that if found 4 NS for google.com and this time it asked ns1.google.com

But did it a few more times and this time it asked ns3.google.com

;; Received 169 bytes from 192.54.112.30#53(h.gtld-servers.net) in 139 ms

ipv6.google.com.        604800  IN      CNAME   ipv6.l.google.com.
ipv6.l.google.com.      300     IN      AAAA    2001:4860:b007::67
;; Received 82 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms

You need to make sure all NS for your domain have ALL the records you want to respond with, or you need to pull out the NS that do not have the all the records.

You can have major problems if your NS are anycast and specific ones normally will always respond first based upon where your doing the query from - so you might always hit the ones that have the record, or maybe your closer to one that does not have the record and it always answers so you never get the answer you want for that record.  ALL NS listed for a domain should have ALL the records!!


tobind

Thanks.  Yeah it appears that for some reason the A NS are the only ones answering or it checks all and finds that some are A only.  Question 2 is always a success and Question 3 is always a failure.  Q3 comes back with "Couldn't query name server"  I did do the dig and and did get a variety of ns as you did above.  I tried quite a few times on the test but it always failed.  I wish the failures would give detailed information. 

johnpoz

fix your nameservers for the domain your using is the solution.

What domain are you using?  Are you saying one of the NS does not even answer? 

Happy to help you further but need to know what domain your using and what record your looking for.  But yeah you need to fix your dns to allow for outside to query the records.

Keep in mind that if a outside person/service goes to lookup up your record and it picks say NS3 in your list and this is the one that does not answer - it will cache that NS record for the duration of the TTL, and will never go ask again for different NS to use until that TTL expires on the NS record.  So did it cache all of them so it can roundrobin to the different ones or did only get the bad ones cached??

If you post or PM your domain and record your having issues with I would be happy to take a closer look at tell you how to fix it.