Hurricane Electric's IPv6 Tunnel Broker Forums

Topic: What is at 2001:470:47:13::2 and why is it attempting to AXFR my zone?

snarked

From my syslog:

    May  5 00:48:55 snarked named[903]: client 2001:470:47:13::2#14313 (x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa): zone transfer 'x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa/AXFR/IN' denied

I'm getting this about every 30 seconds (with varying source port numbers; actual zone masked for public posting, but it's my tunnel #2 allocation).

HE's whois service shows that this is an HE internal address, not a tunnel delegation.

AXFR access is permitted to ns1.he.net (216.218.130.2 and 2001:470:100::2) so that the DNS service can pick it up for "secondary" service.

From the DNS service page about the zone:

    Domain name  x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa
    Type SLAVE
    Master(s) 2001:470:...  (In my tunnel#1 allocation as that's where my DNS server is)
    Last successful check  2012-05-04 12:47:07 (176038 seconds ago.)
    Last status change  2012-05-04 12:47:46

As 2001:470:47:13::2 is not the address of one of your 5 name servers, what is its purpose for wanting the zone?

PS:  The zone in question is not (yet) DNSSEC signed.  It will be signed when next updated.

broquea

  • Sr. Network Engineer, AS19733

Looks like a facility-specific machine:

2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.1.0.0.7.4.0.0.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer ns1-fmt2.he.net.

snarked

OK, but as I'm a tunnelbroker user and not in one of your facilities, why does it want to AXFR my zone?  It's not one of ns[1-5].he.net nor is it documented to grant it access anywhere....

broquea

Ask dnsadmin@he.net ?

I'd guess that this is one of the many ns1.he.net machines or whatever trickery was used to deflect the onslaught of hate against the nameservers.

snarked

OK, but that doesn't seem to justify allowing AXFR permission to that IPv6 address....

snarked

Mail sent.

snarked

Matter resolved via e-mail.  It was a misconfiguration and should have been from 2001:470:100::2.
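
The check done by eye in this thread, as an added example that is not part of the original posts and not HE's or BIND's own tooling: it parses named "zone transfer ... denied" syslog lines in the format quoted in the first post, groups them by source, and compares each source with the two ns1.he.net addresses the post says are permitted. The sample lines, the function name and the year (syslog omits it) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Transfer sources the first post says are permitted (ns1.he.net).
ALLOWED = {ipaddress.ip_address(a) for a in ("216.218.130.2", "2001:470:100::2")}

# named "zone transfer ... denied" line, in the format quoted in the first post.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[\d+\]: client "
    r"(?P<src>[0-9A-Fa-f:.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"zone transfer '[^']+/AXFR/IN' denied$"
)

ZONE = "x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa"  # masked, as in the post
_FMT = ("May  5 {t} snarked named[903]: client 2001:470:47:13::2#{p} "
        "({z}): zone transfer '{z}/AXFR/IN' denied")
# Constructed sample lines: times and ports after the first are made up.
SAMPLE = [
    _FMT.format(t="00:48:55", p=14313, z=ZONE),
    "May  5 00:49:10 snarked named[903]: zone example.org/IN: loaded serial 7",
    _FMT.format(t="00:49:25", p=14401, z=ZONE),
    _FMT.format(t="00:49:55", p=14522, z=ZONE),
]

def summarize_denied(lines, year=2012):
    """Group denied AXFR attempts by (source, zone); year is an assumption."""
    seen = defaultdict(list)
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # not a denied-AXFR line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(ipaddress.ip_address(m["src"]), m["zone"])].append(when)
    report = []
    for (src, zone), times in sorted(seen.items(), key=lambda kv: str(kv[0])):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "source": str(src), "zone": zone, "attempts": len(times),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            # True here means a source you meant to allow is being refused.
            "in_allow_list": src in ALLOWED,
        })
    return report

if __name__ == "__main__":
    for row in summarize_denied(SAMPLE):
        print(row)
```

A steady gap from a single source outside the allow list, as in the thread, points to an automated retry from a secondary using the wrong source address rather than a one-off probe.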