Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Guru Cert test failing  (Read 7073 times)

shinji

  • Newbie
  • *
  • Posts: 3
Guru Cert test failing
« on: March 12, 2012, 10:03:20 PM »

For some reason it is failing and I have no clue why.  I ran the commands manually and it should be good.  Results below and you can verify them as well.

shinji257@phnompenh:~$ dig ns icarus.robertpendell.com

; <<>> DiG 9.6-ESV-R4 <<>> ns icarus.robertpendell.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57537
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;icarus.robertpendell.com.      IN      NS

;; ANSWER SECTION:
icarus.robertpendell.com. 291   IN      NS      lily.ns.cloudflare.com.
icarus.robertpendell.com. 291   IN      NS      greg.ns.cloudflare.com.

;; Query time: 2 msec
;; SERVER: 66.33.216.127#53(66.33.216.127)
;; WHEN: Mon Mar 12 21:55:23 2012
;; MSG SIZE  rcvd: 94

shinji257@phnompenh:~$ dig aaaa lily.ns.cloudflare.com

; <<>> DiG 9.6-ESV-R4 <<>> aaaa lily.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28185
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lily.ns.cloudflare.com.                IN      AAAA

;; ANSWER SECTION:
lily.ns.cloudflare.com. 86400   IN      AAAA    2400:cb00:2049:1::adf5:3a82

;; Query time: 31 msec
;; SERVER: 66.33.216.127#53(66.33.216.127)
;; WHEN: Mon Mar 12 21:56:03 2012
;; MSG SIZE  rcvd: 68

shinji257@phnompenh:~$ dig @2400:cb00:2049:1::adf5:3a82 aaaa icarus.robertpendell.com

; <<>> DiG 9.6-ESV-R4 <<>> @2400:cb00:2049:1::adf5:3a82 aaaa icarus.robertpendell.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40069
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;icarus.robertpendell.com.      IN      AAAA

;; ANSWER SECTION:
icarus.robertpendell.com. 30    IN      AAAA    2600:3c03::f03c:91ff:fedf:be22

;; Query time: 32 msec
;; SERVER: 2400:cb00:2049:1::adf5:3a82#53(2400:cb00:2049:1::adf5:3a82)
;; WHEN: Mon Mar 12 22:01:34 2012
;; MSG SIZE  rcvd: 70
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1731
Re: Guru Cert test failing
« Reply #1 on: March 12, 2012, 10:27:39 PM »

When did you add the AAAA records? It is probably negatively cached as not having AAAA on the recursor the machine uses for queries. I'm seeing TTLs of 86400s
Logged

shinji

  • Newbie
  • *
  • Posts: 3
Re: Guru Cert test failing
« Reply #2 on: March 13, 2012, 05:46:59 AM »

They were there for at least 24 hours.  The odd part was that the first test passed which checks for the AAAA record.  It was the second test that failed to make sure they were accessible and responding via IPv6.  I get "Couldn't query name server" as the response.  As you can see in my log though they are indeed responding via IPv6.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1731
Re: Guru Cert test failing
« Reply #3 on: March 13, 2012, 08:13:46 AM »

Then email ipv6@he.net and have them check. Opening a trouble ticket is better than waiting for someone to maybe check the forums.
« Last Edit: March 13, 2012, 09:09:35 AM by broquea »
Logged

shinji

  • Newbie
  • *
  • Posts: 3
Re: Guru Cert test failing
« Reply #4 on: March 13, 2012, 08:49:03 AM »

Thanks.  I didn't know I could email there.  I've sent them a message.
Logged

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • *****
  • Posts: 961
Re: Guru Cert test failing
« Reply #5 on: March 14, 2012, 03:50:32 AM »

Is this the test where you need to have working AAAA glue records all the way down? Having that is required to allow an IPv6 only DNS server to look up your domain. You don't have the necessary glue records.

I first tried: dig +norecurse -t aaaa lily.ns.cloudflare.com @$(tr -dc a-m </dev/urandom | head -c1).root-servers.net

That command gave me a single AAAA glue record for com.:
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30

I then tried: dig +norecurse -t aaaa lily.ns.cloudflare.com @2001:503:a83e::2:30

That command gave me two NS records for cloudflare.com. and a single A glue record for each of them:
;; QUESTION SECTION:
;lily.ns.cloudflare.com.                IN      AAAA

;; AUTHORITY SECTION:
cloudflare.com.         172800  IN      NS      dns2.cloudflare.com.
cloudflare.com.         172800  IN      NS      dns3.cloudflare.com.

;; ADDITIONAL SECTION:
dns2.cloudflare.com.    172800  IN      A       173.245.58.99
dns3.cloudflare.com.    172800  IN      A       173.245.59.99

At this point an IPv6 only DNS server wouldn't be able to get any further.
Logged
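The dead end described in Reply #5, as an added example that is not part of the original post: a small parser that reads `dig +norecurse` referral output and reports whether any delegated name server comes with AAAA glue. The function names `glue_report`, `v6_can_follow` and `page_referral` are hypothetical; the sample input is the referral quoted in that post.

```shell
#!/bin/sh
# Added example: which name servers in a dig referral carry AAAA glue?

# Reads `dig +norecurse` output on stdin, prints "<ns> <v6|v4-only|no-glue>".
glue_report() {
    awk '
        /^;; [A-Z]+ SECTION:/ { section = $2; next }
        /^;/ || NF < 5        { next }
        section == "AUTHORITY"  && $4 == "NS"   { ns[tolower($5)] = 1 }
        section == "ADDITIONAL" && $4 == "AAAA" { v6[tolower($1)] = 1 }
        section == "ADDITIONAL" && $4 == "A"    { v4[tolower($1)] = 1 }
        END {
            for (n in ns) {
                state = (n in v6) ? "v6" : ((n in v4) ? "v4-only" : "no-glue")
                print n, state
            }
        }' | sort
}

# True when at least one delegated server is reachable via AAAA glue.
# Glue only matters for in-zone server names, as in the cloudflare.com case.
v6_can_follow() {
    glue_report | grep -q ' v6$'
}

# Referral quoted in the post above (the com. servers' answer).
page_referral() {
    cat <<'EOF'
;; QUESTION SECTION:
;lily.ns.cloudflare.com.                IN      AAAA

;; AUTHORITY SECTION:
cloudflare.com.         172800  IN      NS      dns2.cloudflare.com.
cloudflare.com.         172800  IN      NS      dns3.cloudflare.com.

;; ADDITIONAL SECTION:
dns2.cloudflare.com.    172800  IN      A       173.245.58.99
dns3.cloudflare.com.    172800  IN      A       173.245.59.99
EOF
}

page_referral | glue_report
if page_referral | v6_can_follow; then
    echo "an IPv6-only resolver can continue"
else
    echo "an IPv6-only resolver is stuck at this referral"
fi
```

To check a live delegation, pipe the output of a `dig +norecurse` query against the parent zone's server into `glue_report`.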

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1731
Re: Guru Cert test failing
« Reply #6 on: March 14, 2012, 07:56:56 AM »

Guru isn't about Glue, that would be Sage. Guru is looking up the AAAA records for the auth NS and then querying those for the AAAA record of the URL submitted.
Logged

kasperd

  • Founder, Netiter ApS
  • Hero Member
  • *****
  • Posts: 961
Re: Guru Cert test failing
« Reply #7 on: March 14, 2012, 02:59:38 PM »

Quote

Guru isn't about Glue, that would be Sage.

Oh, right. I didn't recall the exact sequence of tests.

Quote

Guru is looking up the AAAA records for the auth NS and then querying those for the AAAA record of the URL submitted.

That comment made me realize exactly what the commands in the initial posting were verifying. However, when I try the sequence of commands from that initial posting, I get a different result.

The first command "dig ns icarus.robertpendell.com" in that posting shows that two NS records are returned. However, when I run the exact same command, I do not get any NS records, only a SOA record because the record does not exist. It is not a caching issue. I also get no NS records for icarus.robertpendell.com when I go directly to the authoritative servers. For the latter, I did the sequence of lookups from the root and down ending with "dig +norecurse -t ns icarus.robertpendell.com @173.245.59.115" and "dig +norecurse -t ns icarus.robertpendell.com @173.245.58.130"

So, there really is no NS record for icarus.robertpendell.com, however there is one for robertpendell.com. I did get stuck on the Sage test for a bit due to mixing up the levels of the DNS hierarchy in a similar way. I'm not sure if something similar may be at play at the Guru level.
Logged
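The lookup sequence from Reply #6, combined with the zone-level point raised in Reply #7, as an added example that is not part of the original posts and is not HE's test code. It walks up from the host name to the name that actually owns the NS records, then queries each name server's AAAA address over IPv6 for the host's AAAA record. The helper names `rr`, `zone_apex` and `guru_check` are hypothetical, and the pass rule (at least one server answers over IPv6) is an assumption.

```shell
#!/bin/sh
# Added example: approximate the Guru-level check with dig.

# Print the RDATA of answer records of type $1; the rest is passed to dig.
rr() {
    dig +noall +answer "$@" | awk -v t="$1" '$4 == t { print $5 }'
}

# Walk up the labels until a name owns NS records: that is the zone apex.
zone_apex() {
    name=${1%.}
    while :; do
        if [ -n "$(rr NS "$name")" ]; then
            echo "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label and retry
            *)   return 1 ;;
        esac
    done
}

# For every authoritative server with an AAAA record, ask it over IPv6 for
# the host's AAAA. Assumed pass rule: at least one server answers.
guru_check() {
    host=${1%.}
    apex=$(zone_apex "$host") || { echo "no enclosing zone for $host"; return 2; }
    rc=1
    for ns in $(rr NS "$apex"); do
        addrs=$(rr AAAA "$ns")
        if [ -z "$addrs" ]; then
            echo "skip $ns (no AAAA)"
            continue
        fi
        for addr in $addrs; do
            ans=$(rr AAAA "$host" "@$addr" +norecurse +time=3 +tries=1)
            if [ -n "$ans" ]; then
                echo "ok $ns $addr $ans"
                rc=0
            else
                echo "FAIL $ns $addr"
            fi
        done
    done
    return $rc
}

if [ $# -gt 0 ]; then guru_check "$1"; fi
```

Run it with the host name as the only argument from a machine with working IPv6; a `FAIL` line names the server and address that did not answer.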

R1CH

  • Newbie
  • *
  • Posts: 1
Re: Guru Cert test failing
« Reply #8 on: March 23, 2012, 01:46:22 AM »

I'm also having trouble with this step.

I'm curious if the "If you need to edit off any subdomains to make it work, please do so here" text field actually does anything. I originally started the test with a domain which is in active use so I can't really mess with it too much (such as moving the whole thing to  an IPv6 capable DNS provider!), so I added a subdomain that's a substring of the original domain. I then added an NS record for that subdomain that delegates it to HE DNS (ns2/ns3) and registered the subdomain in HE DNS with a valid AAAA record.

I'm trying to use this new subdomain in the test by entering it into that text field, it passes Step 2, but Step 3 always says "Couldn't query name server ". Everything seems fine when I try from the command line, so I'm wondering if the domain edit field is actually editing the domain that's tested? Has anyone successfully used it before?
Logged

mianosm

  • Newbie
  • *
  • Posts: 8
    • All about me...
Re: Guru Cert test failing
« Reply #9 on: March 25, 2012, 09:11:44 AM »

Quote

I'm also having trouble with this step.

I'm curious if the "If you need to edit off any subdomains to make it work, please do so here" text field actually does anything. I originally started the test with a domain which is in active use so I can't really mess with it too much (such as moving the whole thing to  an IPv6 capable DNS provider!), so I added a subdomain that's a substring of the original domain. I then added an NS record for that subdomain that delegates it to HE DNS (ns2/ns3) and registered the subdomain in HE DNS with a valid AAAA record.

I'm trying to use this new subdomain in the test by entering it into that text field, it passes Step 2, but Step 3 always says "Couldn't query name server ". Everything seems fine when I try from the command line, so I'm wondering if the domain edit field is actually editing the domain that's tested? Has anyone successfully used it before?

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)? :(
« Last Edit: March 25, 2012, 09:19:14 AM by mianosm »
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: Guru Cert test failing
« Reply #10 on: March 26, 2012, 05:17:09 AM »

Quote

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)?

You should really start your own thread

With that being said, it looks like you're using the wrong IPv6 address

Code:

C:\Users\cholzhauer>nslookup 2001:470:4:a23::2

Name:    mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net
Address:  2001:470:4:a23::2
Logged

mianosm

  • Newbie
  • *
  • Posts: 8
    • All about me...
Re: Guru Cert test failing
« Reply #11 on: March 26, 2012, 07:51:04 AM »

Quote

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)?

You should really start your own thread

With that being said, it looks like you're using the wrong IPv6 address

Code:

C:\Users\cholzhauer>nslookup 2001:470:4:a23::2

Name:    mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net
Address:  2001:470:4:a23::2


My apologies, I thought the reverse was the test before the guru looking at AAAA records. I updated my rDNS through he.net, so hopefully that will update my reverse to report that 2001:470:4:a23::2 is actually ipv6.stevenmiano.com.

Thanks for your time/effort. :-)
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1731
Re: Guru Cert test failing
« Reply #12 on: March 26, 2012, 08:23:56 AM »

2001:470:4:a23::2 will only be mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net (as long as it is associated with your tunnel).

You don't get to change the rDNS records for the tunnel's /64, only the routed /64 and /48.
Logged

mianosm

  • Newbie
  • *
  • Posts: 8
    • All about me...
Re: Guru Cert test failing
« Reply #13 on: March 26, 2012, 03:56:41 PM »

It wasn't the rDNS at all, I understand that you need to set up rDNS on the routed subnets now though, thanks guys. :-)
Logged