
"Professional LEVEL" problem: Your MX does not appear to have working RDNS

Started by vincentcheung, October 19, 2011, 07:17:23 AM


vincentcheung

Hi, I'm currently stuck making my rDNS work.

I'm using Ubuntu for this certification. I have bought a domain, vincehome.net, from a hosting company and delegated its name server to my own DNS set-up, ns1.vincehome.net.
I didn't use the freeDNS tool provided in HE website.
My first question is: if I have setup my own DNS, do I still need to use HE freeDNS to pass all levels of certification?

The following is the info for my tunnel from HE webpage:
Server IPv4 Address:  216.218.221.42
Server IPv6 Address:  2001:470:35:43a::1/64
Client IPv4 Address:  122.248.206.32
Client IPv6 Address:  2001:470:35:43a::2/64
Routed /64:           2001:470:36:43a::/64

My 2nd question is: to pass "professional" level, do I need to use the Routed /64 that is assigned to me? (I saw some posts mention you HAVE to use it to pass this level.) If yes, could you briefly explain how I can use it in my situation?

My DNS is set up using Bind9 and I think it works correctly because I can receive email and access http://www.vincehome.net
I have performed troubleshooting according to HE video presentation.

root@ip-10-128-139-74:/# dig mx vincehome.net +short
10 mail.vincehome.net.
root@ip-10-128-139-74:/# dig aaaa mail.vincehome.net +short
2001:470:35:43a::2
root@ip-10-128-139-74:/# dig -x 2001:470:35:43a::2 +short
mail.vincehome.net.

root@ip-10-128-139-74:/# cat /etc/resolv.conf
nameserver 2001:470:35:43a::2  <-(ipv6 addr of the machine itself)


Everything looks okay when the first lookup name server points to the machine itself.
However, if I change the name server to my ISP's DNS, dig -x 2001:470:35:43a::2 +short replies with nothing.
for example:

root@ip-10-128-139-74:/# dig mx vincehome.net +short
10 mail.vincehome.net.
root@ip-10-128-139-74:/# dig aaaa mail.vincehome.net +short
2001:470:35:43a::2
root@ip-10-128-139-74:/# dig -x 2001:470:35:43a::2 +short
(No answer)

root@ip-10-128-139-74:/# cat /etc/resolv.conf
nameserver  203.12.160.36 <-(my ISP's DNS)

I also tried using an online DNS tool (http://www.sput.nl/cgi-bin/nph-rns6-form) to check; the reverse DNS check got no reply.

Apparently the reverse DNS works fine locally but not globally. Does anyone have any idea what I have done wrong? I have been stuck at this certification level for three days already.... getting very impatient now. Help me please~~~

cholzhauer

Quote
My first question is: if I have setup my own DNS, do I still need to use HE freeDNS to pass all levels of certification?

Nope, as long as your DNS server does IPv6, you can use whatever you want.

Quote
My 2nd question is: to pass "professional" level, do I need to use Route /64 that is assigned to me?

Yes. If you use the same subnet as the "client IPv6 address" it won't work, because HE doesn't delegate the ability to change the DNS for that.

Instead of using 2001:470:35:43a::2 you need to use 2001:470:36:43a::2
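To make the point above concrete, here is an added example (not code from this thread or from HE) that computes which ip6.arpa zone an address falls in and emits the PTR line you would put in a BIND zone file for the routed /64, refusing any address that sits outside the prefix you were delegated. The two /64s are the ones quoted from the tunnel details above; the hostname and the zone-file layout are assumptions.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """ip6.arpa owner name of one IPv6 address: all 32 nibbles, least significant first."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone apex for a nibble-aligned prefix; a /64 is the first 16 nibbles."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 to cut cleanly on a nibble")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr: str, delegated_prefix: str, hostname: str) -> str:
    """Zone-file PTR line (owner relative to the zone apex) for addr inside delegated_prefix.

    Raises if addr lies in a prefix you were not delegated, which is exactly what
    happens when the PTR is written for the point-to-point /64 instead of the routed /64.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is outside {delegated_prefix}: that reverse zone is not yours to edit")
    zone = reverse_zone(delegated_prefix)
    owner = reverse_name(addr)
    relative = owner[: -(len(zone) + 1)]  # strip ".<zone>" to get the owner relative to the apex
    return f"{relative}\tIN\tPTR\t{hostname.rstrip('.')}."


if __name__ == "__main__":
    # Prefixes from the tunnel details quoted in the thread; the hostname is an assumption.
    ptp, routed = "2001:470:35:43a::/64", "2001:470:36:43a::/64"
    print("PtP /64 reverse zone (HE's):    ", reverse_zone(ptp))
    print("routed /64 reverse zone (yours): ", reverse_zone(routed))
    print(ptr_record("2001:470:36:43a::2", routed, "mail.vincehome.net"))
    try:
        ptr_record("2001:470:35:43a::2", routed, "mail.vincehome.net")
    except ValueError as err:
        print("refused:", err)
```

The zone apex that `reverse_zone` prints for the routed /64 is the name you would declare in named.conf, and the printed PTR line goes into that zone. The record only becomes visible to the rest of the world once the RDNS Delegation for the routed /64 on tunnelbroker.net points at your nameserver; until then the query stops at HE's servers, which is why a local lookup can succeed while an outside resolver returns nothing.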

vincentcheung

Okay... I'm still not quite sure how to use the 2001:470:36:43a::2 that you mention.

Do you mean I need to create a new interface on Linux and assign 2001:470:36:43a::2 to it?

Does it mean there are two tunnels, one for 2001:470:36:43a::2 and one for 2001:470:35:43a::2?

At the moment, my domain vincehome.net is associated with 2001:470:35:43a::2.
I have no idea what to do if I create another subnet 2001:470:36:43a::2; do I need to change anything in the DNS hosted on Linux?

Can you shine a light?


cholzhauer

The only thing you need to do differently is assign 2001:470:36:43a::2 to your interface instead of 2001:470:35:43a::2.

The 2001:470:36:43a::/64 range is routed to your tunnel by HE.

Your default route should point to 2001:470:35:43a::1.

Your tunnel adapter (gif0, whatever) should be 2001:470:35:43a::2.

broquea

Actually it looks like rDNS wasn't pushed out on your tunnel's PtP allocation. This should be fixed now, and 2001:470:35:43a::2 should have a PTR record now. However it won't be your domain since we do not delegate rDNS for that block.

vincentcheung

Okay..... When I woke up this morning, I decided to try the test again without doing anything, and I passed "Professional" and "Guru" straight away. So there was nothing wrong on my side; the info just hadn't propagated entirely.

Well... I have to say this level is really hard to pass because the changes that I made didn't take effect immediately. I had to wait hours or even days to see the effects.
For those who are doing this test, you will feel very confused if you don't know what you are doing.

I also want to share my configuration. I did not use n1-n5.he.net nor HE freeDNS. I set up my own DNS server using Ubuntu BIND9 and had the domain name pointed to my DNS straight away.
I did not assign the Routed /64 to any of my server interfaces, but I made a PTR record for 2001:470:36:43a::2 (in my case) pointing to my domain (don't know if this is the reason I passed).

---------------------------------------------------------------------------------------------
The following are some instructions from somebody's blog, in case they make sense to anyone; they don't to me..


"The assignment for the Professional step in the Hurricane Electric IPv6 Certification program is relatively easy. All we have to do is set up a reverse DNS (often abbreviated rDNS) entry for the email server we set up in the last level. Instead of working like normal DNS where someone takes the Domain name and translates it into an address, reverse DNS takes an address and gives a domain name. While multiple forward DNS entries can point to the same address, a reverse DNS entry can only point to one hostname.

Ok, let's get started.
If you haven't already, we need to set the DNS servers that we want to use to serve reverse DNS entries for our block of IPv6 addresses. Go to tunnelbroker.net and login, then go to the tunnel your email server is on and under the RDNS Delegation click one of the 'none' links. Scroll down and click Delegate to HE.NET nameservers.

Go to dns.he.net and login. Click the Free DNS Edit icon by the IPv6 prefix your email server is on. Enter the last part of your email server's IPv6 address (the prefix is already there) and the hostname of the email server, such as mail.yourdomain.com. Click submit.

Now go to the IPv6 certification page and run the test and then fill out the questionnaire. Congratulations, IPv6 professional!"
---------------------------------------------------------------------------------------------------------



Coolmax

Hi,
I didn't want to start a new thread, because I'm stuck at the same point. Indeed, this stage is difficult. Maybe because I don't know how this check is done. This is my situation. I set up my mail server on a VPS with native IPv6 (starts with 2a00:xxx), but I have no possibility to set PTR records for this IPv6 address. I received the mail with the code on this server (coolmax at ipv6.jeb.ie). The error I've got is: "Failed to get AAAA from MX or your DOMAIN". I couldn't pass the professional stage, so I've changed the entries as follows:

root@debian:~# dig MX ipv6.jeb.ie +short
20 mx6.jeb.ie.
root@debian:~# dig AAAA mx6.jeb.ie. +short
2001:470:1f15:a94::20
root@debian:~# dig -x 2001:470:1f15:a94::20 +short
ipv6.jeb.ie.


2001:470:1f15:a94:: is my routed /64 prefix. Am I missing something or not understanding? Maybe I have to wait for a refresh? Which DNS servers does HE use to check this, so I can check manually that the records are fine?


Edit: Everything is ok.

snarked

Yes, you are missing something: the fact that your PTR-RR returns "ipv6.jeb.ie", which is not the host name used on your MX-RR ("mx6.jeb.ie").
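snarked's check, and the local-versus-ISP-resolver puzzle from the opening post, can be automated. The following is an added example, not code from this thread: it walks domain -> MX -> AAAA -> PTR -> AAAA the way a forward-confirmed reverse DNS check does, and takes the resolver as a parameter so the same walk can be run against your own BIND and against an outside recursive resolver and the two views compared. The answers in `SAMPLE` are constructed for illustration, loosely modelled on the lookups posted above, and are not live DNS data; `dig_resolver` shells out to `dig`, which is assumed to be installed, and is not exercised by the sample run.

```python
import ipaddress
import subprocess
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, RR type) -> rdata strings


def reverse_name(addr: str) -> str:
    """ip6.arpa owner name of an IPv6 address (32 nibbles, least significant first)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def check_mx_rdns(domain: str, resolve: Resolver) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS walk for a domain's primary MX; returns (status, detail)."""
    mx = resolve(domain, "MX")
    if not mx:
        return "FAIL", f"no MX for {domain}"
    # rdata is "<preference> <host>"; the lowest preference is the primary MX
    _, host = min((int(r.split()[0]), r.split()[1].rstrip(".")) for r in mx)
    aaaa = resolve(host, "AAAA")
    if not aaaa:
        return "FAIL", f"no AAAA for MX host {host}"
    addr = ipaddress.IPv6Address(aaaa[0]).compressed
    ptr = resolve(reverse_name(addr), "PTR")
    if not ptr:
        return "FAIL", f"no PTR at {reverse_name(addr)} (as seen by this resolver)"
    ptr_host = ptr[0].rstrip(".")
    if ptr_host.lower() != host.lower():
        # the case snarked points out: PTR exists but names something other than the MX host
        return "FAIL", f"PTR names {ptr_host} but the MX host is {host}"
    back = {ipaddress.IPv6Address(a).compressed for a in resolve(ptr_host, "AAAA")}
    if addr not in back:
        return "FAIL", f"{ptr_host} does not resolve back to {addr}"
    return "OK", f"{domain} -> {host} -> {addr} -> {ptr_host} -> {addr}"


# Constructed sample answers, loosely modelled on the lookups posted in this thread (not live data).
SAMPLE: Dict[Tuple[str, str], List[str]] = {
    # a consistent chain: PTR under the routed /64 names the MX host, which resolves back
    ("vincehome.net", "MX"): ["10 mail.vincehome.net."],
    ("mail.vincehome.net", "AAAA"): ["2001:470:36:43a::2"],
    (reverse_name("2001:470:36:43a::2"), "PTR"): ["mail.vincehome.net."],
    # PTR present but pointing at the domain instead of the MX host
    ("ipv6.jeb.ie", "MX"): ["20 mx6.jeb.ie."],
    ("mx6.jeb.ie", "AAAA"): ["2001:470:1f15:a94::20"],
    (reverse_name("2001:470:1f15:a94::20"), "PTR"): ["ipv6.jeb.ie."],
    # MX and AAAA fine, but this resolver sees no PTR at all
    ("net6sol.com", "MX"): ["10 mail.net6sol.com."],
    ("mail.net6sol.com", "AAAA"): ["2002:b217:d216:2::2"],
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE.get((name.rstrip(".").lower(), rrtype), [])


def dig_resolver(server: str) -> Resolver:
    """Resolver backed by `dig @server <name> <type> +short`; point it at your BIND, then at your ISP's."""
    def resolve(name: str, rrtype: str) -> List[str]:
        out = subprocess.run(["dig", f"@{server}", name, rrtype, "+short"],
                             capture_output=True, text=True, check=False).stdout
        return [line for line in out.splitlines() if line and not line.startswith(";")]
    return resolve


if __name__ == "__main__":
    for d in ("vincehome.net", "ipv6.jeb.ie", "net6sol.com"):
        print(d, *check_mx_rdns(d, sample_resolver))
    # Live use: run the same walk against your own server and an outside resolver and compare.
    # for srv in ("2001:470:35:43a::2", "8.8.8.8"):
    #     print(srv, *check_mx_rdns("vincehome.net", dig_resolver(srv)))
```

If the walk passes against your own server but fails at the PTR step against an outside resolver, the record is in your zone but the delegation to that zone has not reached the public tree yet (or is missing); if it fails at the name-comparison step from both, the PTR is simply naming the wrong host.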

lfoothome

Quote from: vincentcheung on October 19, 2011, 07:58:18 PM
---------------------------------------------------------------------------------------------
The following are some instructions from somebody's blog, in case they make sense to anyone; they don't to me..


"The assignment for the Professional step in the Hurricane Electric IPv6 Certification program is relatively easy. All we have to do is set up a reverse DNS (often abbreviated rDNS) entry for the email server we set up in the last level. Instead of working like normal DNS where someone takes the Domain name and translates it into an address, reverse DNS takes an address and gives a domain name. While multiple forward DNS entries can point to the same address, a reverse DNS entry can only point to one hostname.

Ok, let's get started.
If you haven't already, we need to set the DNS servers that we want to use to serve reverse DNS entries for our block of IPv6 addresses. Go to tunnelbroker.net and login, then go to the tunnel your email server is on and under the RDNS Delegation click one of the 'none' links. Scroll down and click Delegate to HE.NET nameservers.

Go to dns.he.net and login. Click the Free DNS Edit icon by the IPv6 prefix your email server is on. Enter the last part of your email server's IPv6 address (the prefix is already there) and the hostname of the email server, such as mail.yourdomain.com. Click submit.

Now go to the IPv6 certification page and run the test and then fill out the questionnaire. Congratulations, IPv6 professional!"
---------------------------------------------------------------------------------------------------------

The above uncited blog quote by vincent did the trick for me after a few days of forum reading; it was surprising how simple rDNS was.

joelalfredo

Hello, I have the rDNS delegated to he.net, and as far as I can see it's working fine, but any time I try this test it gives me this error:

Failed to get AAAA from MX or your DOMAIN

Here are some nslookup results about my domain (net6sol.com)

> net6sol.com.
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
net6sol.com     MX preference = 10, mail exchanger = mail.net6sol.com

> set type=aaaa
> mail.net6sol.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    mail.net6sol.com
Address:  2002:b217:d216:2::2

> set type=ptr
> mail.net6sol.com.
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
mail.net6sol.com        name = 2.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.8.0.0.0.1.0.0.0.0.6.d.0.0.0.a.2.ip6.arpa

Could somebody tell me what I'm doing wrong? I had passed this test some years ago, but now I reset my certification to change the domain, and I'm stopped here.

Thank you very much,

Joel

cholzhauer

You really should start your own thread.



proxy# host net6sol.com
net6sol.com has IPv6 address 2a00:d60:1:8:2::2
net6sol.com mail is handled by 10 mail.net6sol.com.



How long have you waited after configuring?