• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Guru Cert test failing

Started by shinji, March 12, 2012, 10:03:20 PM


shinji

For some reason it is failing and I have no clue why.  I ran the commands manually and it should be good.  Results below and you can verify them as well.

shinji257@phnompenh:~$ dig ns icarus.robertpendell.com

; <<>> DiG 9.6-ESV-R4 <<>> ns icarus.robertpendell.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57537
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;icarus.robertpendell.com.      IN      NS

;; ANSWER SECTION:
icarus.robertpendell.com. 291   IN      NS      lily.ns.cloudflare.com.
icarus.robertpendell.com. 291   IN      NS      greg.ns.cloudflare.com.

;; Query time: 2 msec
;; SERVER: 66.33.216.127#53(66.33.216.127)
;; WHEN: Mon Mar 12 21:55:23 2012
;; MSG SIZE  rcvd: 94

shinji257@phnompenh:~$ dig aaaa lily.ns.cloudflare.com

; <<>> DiG 9.6-ESV-R4 <<>> aaaa lily.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28185
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lily.ns.cloudflare.com.                IN      AAAA

;; ANSWER SECTION:
lily.ns.cloudflare.com. 86400   IN      AAAA    2400:cb00:2049:1::adf5:3a82

;; Query time: 31 msec
;; SERVER: 66.33.216.127#53(66.33.216.127)
;; WHEN: Mon Mar 12 21:56:03 2012
;; MSG SIZE  rcvd: 68

shinji257@phnompenh:~$ dig @2400:cb00:2049:1::adf5:3a82 aaaa icarus.robertpendell.com

; <<>> DiG 9.6-ESV-R4 <<>> @2400:cb00:2049:1::adf5:3a82 aaaa icarus.robertpendell.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40069
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;icarus.robertpendell.com.      IN      AAAA

;; ANSWER SECTION:
icarus.robertpendell.com. 30    IN      AAAA    2600:3c03::f03c:91ff:fedf:be22

;; Query time: 32 msec
;; SERVER: 2400:cb00:2049:1::adf5:3a82#53(2400:cb00:2049:1::adf5:3a82)
;; WHEN: Mon Mar 12 22:01:34 2012
;; MSG SIZE  rcvd: 70

broquea

When did you add the AAAA records? It is probably negatively cached as not having AAAA on the recursor the machine uses for queries. I'm seeing TTLs of 86400s

shinji

They were there for at least 24 hours.  The odd part was that the first test passed which checks for the AAAA record.  It was the second test that failed to make sure they were accessible and responding via IPv6.  I get "Couldn't query name server" as the response.  As you can see in my log though they are indeed responding via IPv6.

broquea

Then email ipv6@he.net and have them check. Opening a trouble ticket is better than waiting for someone to maybe check the forums.

shinji

Thanks.  I didn't know I could email there.  I've sent them a message.

kasperd

Is this the test where you need to have working AAAA glue records all the way down? Having that is required to allow an IPv6 only DNS server to look up your domain. You don't have the necessary glue records.

I first tried: dig +norecurse -t aaaa lily.ns.cloudflare.com @$(tr -dc a-m </dev/urandom | head -c1).root-servers.net

That command gave me a single AAAA glue record for com.:
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30

I then tried: dig +norecurse -t aaaa lily.ns.cloudflare.com @2001:503:a83e::2:30

That command gave me two NS records for cloudflare.com. and a single A glue record for each of them:
;; QUESTION SECTION:
;lily.ns.cloudflare.com.                IN      AAAA

;; AUTHORITY SECTION:
cloudflare.com.         172800  IN      NS      dns2.cloudflare.com.
cloudflare.com.         172800  IN      NS      dns3.cloudflare.com.

;; ADDITIONAL SECTION:
dns2.cloudflare.com.    172800  IN      A       173.245.58.99
dns3.cloudflare.com.    172800  IN      A       173.245.59.99

At this point an IPv6 only DNS server wouldn't be able to get any further.

broquea

Guru isn't about Glue, that would be Sage. Guru is looking up the AAAA records for the auth NS and then querying those for the AAAA record of the URL submitted.

kasperd

Quote from: broquea on March 14, 2012, 07:56:56 AM
Guru isn't about Glue, that would be Sage.
Oh, right. I didn't recall the exact sequence of tests.

Quote from: broquea on March 14, 2012, 07:56:56 AM
Guru is looking up the AAAA records for the auth NS and then querying those for the AAAA record of the URL submitted.
That comment made me realize exactly what the commands in the initial posting were verifying. However, when I try the sequence of commands from that initial posting, I get a different result.

The first command "dig ns icarus.robertpendell.com" in that posting shows that two NS records are returned. However, when I run the exact same command, I do not get any NS records, only a SOA record because the record does not exist. It is not a caching issue. I also get no NS records for icarus.robertpendell.com when I go directly to the authoritative servers. For the latter, I did the sequence of lookups from the root and down ending with "dig +norecurse -t ns icarus.robertpendell.com @173.245.59.115" and "dig +norecurse -t ns icarus.robertpendell.com @173.245.58.130".

So, there really is no NS record for icarus.robertpendell.com, however there is one for robertpendell.com. I did get stuck on the Sage test for a bit due to mixing up the levels of the DNS hierarchy in a similar way. I'm not sure if something similar may be at play at the Guru level.
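
Added example, not part of the original thread and not Hurricane Electric's test code: the lookup sequence broquea describes (AAAA of each authoritative NS, then an AAAA query for the host sent to that address), started from the enclosing zone rather than the host name, since kasperd found the NS records at robertpendell.com and not at icarus.robertpendell.com. The function names and the overridable DIG variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example; mirrors the steps discussed in the thread, not HE's checker.
# DIG can be pointed at a stub so the logic can be exercised offline.
DIG=${DIG:-dig}

# Print the closest enclosing name that has NS records (the zone apex),
# stripping one leading label at a time. Returns 1 if none is found.
zone_apex() {
    name=${1%.}
    while [ -n "$name" ]; do
        if [ -n "$($DIG +short NS "$name")" ]; then
            echo "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label and retry
            *)   return 1 ;;          # ran out of labels
        esac
    done
    return 1
}

# For every NS of the enclosing zone: resolve its AAAA, then ask that
# address directly (IPv6 transport, no recursion) for the host's AAAA.
# Prints "<ns> <ns-ipv6 or -> <answer or ->" per name server.
# Returns 0 only if every name server answered over IPv6.
guru_check() {
    host=${1%.}
    apex=$(zone_apex "$host") || { echo "no NS found above $host"; return 2; }
    rc=0
    for ns in $($DIG +short NS "$apex"); do
        # grep ':' keeps IPv6 addresses and drops any CNAME lines
        addr=$($DIG +short AAAA "$ns" | grep ':' | head -n 1)
        if [ -z "$addr" ]; then
            echo "$ns - -"; rc=1; continue
        fi
        ans=$($DIG +short +norecurse AAAA "$host" "@$addr" | grep ':' | head -n 1)
        [ -n "$ans" ] || rc=1
        echo "$ns $addr ${ans:--}"
    done
    return $rc
}
```

Run as `guru_check icarus.robertpendell.com` from a machine with working IPv6; a `-` in the second column means that name server has no AAAA record, and a `-` in the third means it did not return an AAAA for the host over IPv6.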

R1CH

I'm also having trouble with this step.

I'm curious if the "If you need to edit off any subdomains to make it work, please do so here" text field actually does anything. I originally started the test with a domain which is in active use so I can't really mess with it too much (such as moving the whole thing to  an IPv6 capable DNS provider!), so I added a subdomain that's a substring of the original domain. I then added an NS record for that subdomain that delegates it to HE DNS (ns2/ns3) and registered the subdomain in HE DNS with a valid AAAA record.

I'm trying to use this new subdomain in the test by entering it into that text field, it passes Step 2, but Step 3 always says "Couldn't query name server ". Everything seems fine when I try from the command line, so I'm wondering if the domain edit field is actually editing the domain that's tested? Has anyone successfully used it before?

mianosm

Quote from: R1CH on March 23, 2012, 01:46:22 AM
I'm also having trouble with this step.

I'm curious if the "If you need to edit off any subdomains to make it work, please do so here" text field actually does anything. I originally started the test with a domain which is in active use so I can't really mess with it too much (such as moving the whole thing to  an IPv6 capable DNS provider!), so I added a subdomain that's a substring of the original domain. I then added an NS record for that subdomain that delegates it to HE DNS (ns2/ns3) and registered the subdomain in HE DNS with a valid AAAA record.

I'm trying to use this new subdomain in the test by entering it into that text field, it passes Step 2, but Step 3 always says "Couldn't query name server ". Everything seems fine when I try from the command line, so I'm wondering if the domain edit field is actually editing the domain that's tested? Has anyone successfully used it before?

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)? :(

cholzhauer

Quote

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)?

You should really start your own thread

With that being said, it looks like you're using the wrong IPv6 address



C:\Users\cholzhauer>nslookup 2001:470:4:a23::2

Name:    mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net
Address:  2001:470:4:a23::2


mianosm

Quote from: cholzhauer on March 26, 2012, 05:17:09 AM
Quote

I seem to be stuck at the same point as well.

When I dig: ipv6.stevenmiano.com I get a AAAA record back, and using dig @2607:f208:206::12 aaaa ipv6.stevenmiano.com it seems to respond correctly as well.

Would anyone have a hint or tip as to what I might be doing incorrectly (or not at all)?

You should really start your own thread

With that being said, it looks like you're using the wrong IPv6 address



C:\Users\cholzhauer>nslookup 2001:470:4:a23::2

Name:    mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net
Address:  2001:470:4:a23::2



My apologies, I thought the reverse was the test before the guru looking at AAAA records. I updated my rDNS through he.net, so hopefully that will update my reverse to report that 2001:470:4:a23::2 is actually ipv6.stevenmiano.com.

Thanks for your time/effort. :-)

broquea

2001:470:4:a23::2 will only be mianosm-2-pt.tunnel.tserv12.mia1.ipv6.he.net (as long as it is associated with your tunnel).

You don't get to change the rDNS records for the tunnel's /64, only the routed /64 and /48.

mianosm

It wasn't the rDNS at all. I understand that you need to set up rDNS on the routed subnets now though, thanks guys. :-)