• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Certification: Guru test fail

Started by renjoki, March 09, 2013, 07:15:08 AM


renjoki

Even though I've completed the requirements, the system still wouldn't let me pass the test.
I've entered domain 'xtsubasa.org'. It has nameservers ns1.selectel.org and ns2.selectel.org specified on my registrar's webpage.
Both of them have AAAA records. However HE system says:

Couldn't find any nameservers for xtsubasa.org or no AAAA records found for NS
If this is a subdomain, edit to primary domain in the step #1 and retest


kasperd

Quote from: renjoki on March 09, 2013, 07:15:08 AM
It has nameservers ns1.selectel.org and ns2.selectel.org specified on my registrar's webpage.
Both of them have AAAA records.

They have AAAA records. But the glue records are IPv4 only.

The authoritative source for the AAAA records is the name servers themselves. That would create a cyclic dependency, where you cannot ask a DNS server for its IP address because you don't yet know which IP address to send it to.

Glue records are there to break such a cyclic dependency. But the glue records are all A records, there are no AAAA records:

dig +norecurse -t aaaa ns1.selectel.org. @2001:500:c::1

; <<>> DiG 9.6.1-P2 <<>> +norecurse -t aaaa ns1.selectel.org. @2001:500:c::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14173
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;ns1.selectel.org.              IN      AAAA

;; AUTHORITY SECTION:
selectel.org.           86400   IN      NS      ns3.selectel.org.
selectel.org.           86400   IN      NS      ns2.selectel.org.
selectel.org.           86400   IN      NS      ns4.selectel.org.
selectel.org.           86400   IN      NS      ns1.selectel.org.

;; ADDITIONAL SECTION:
ns1.selectel.org.       86400   IN      A       188.93.16.29
ns2.selectel.org.       86400   IN      A       188.93.17.29
ns3.selectel.org.       86400   IN      A       109.234.159.90
ns4.selectel.org.       86400   IN      A       109.234.159.92

;; Query time: 89 msec
;; SERVER: 2001:500:c::1#53(2001:500:c::1)
;; WHEN: Sat Mar  9 17:34:43 2013
;; MSG SIZE  rcvd: 166

renjoki

But glue records are not supposed to be involved in Guru test, only in Sage, right?
And even in Guru they check xtsubasa.org's glue records, not selectel.org's as I understand it.
And I've set both IPv4 and IPv6 addresses for selectel nameservers as glue records. Is it not how it appears to the world?

renjoki

I checked that even Google has trouble with this, what do you expect of ordinary Gurus :)

$ dig +norecurse -t aaaa ns1.google.com. @2001:503:a83e::2:30

; <<>> DiG 9.9.2 <<>> +norecurse -t aaaa ns1.google.com. @2001:503:a83e::2:30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30876
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.google.com.                        IN      AAAA

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172800  IN      A       216.239.34.10
ns1.google.com.         172800  IN      A       216.239.32.10
ns3.google.com.         172800  IN      A       216.239.36.10
ns4.google.com.         172800  IN      A       216.239.38.10

;; Query time: 57 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Sat Mar  9 22:11:36 2013
;; MSG SIZE  rcvd: 175

renjoki

I changed my nameservers to ns[2|3|4].he.net now. Still no luck :)

kasperd

Quote from: renjoki on March 09, 2013, 10:01:58 AM
But glue records are not supposed to be involved in Guru test, only in Sage, right?

I don't recall exactly what is being checked at each level.

Quote from: renjoki on March 09, 2013, 10:01:58 AM
And even in Guru they check xtsubasa.org's glue records, not selectel.org's as I understand it.

Since the NS records for xtsubasa.org were pointing at names outside the xtsubasa.org zone, you don't need to also specify what their IP address is. You provide the NS records for xtsubasa.org to be served by the org authoritative servers. It happens that your NS records were pointing to selectel.org names, which happen to be in the same TLD. So the org authoritative servers have NS records and glue records for selectel.org, which they could provide as additional records when they received a query for xtsubasa.org.

As owner of the xtsubasa.org domain, you obviously aren't supposed to tell the org authoritative servers what's in the NS records for selectel.org. If you could, that would be a security problem as you could overwrite the authentic records.

Quote from: renjoki on March 09, 2013, 10:01:58 AM
And I've set both IPv4 and IPv6 addresses for selectel nameservers as glue records. Is it not how it appears to the world?

I don't recall exactly what I saw when querying the org servers for xtsubasa.org, but I definitely did not receive any AAAA glue records. And it would be the owners of selectel.org who would be responsible for ensuring they are there.

Quote from: renjoki on March 09, 2013, 10:13:42 AM
I checked that even Google has trouble with this

No, Google does not have trouble with this. Google has made a deliberate choice to not have their authoritative DNS servers on IPv6 yet. I don't know what is the reasoning behind that choice. I am sure once they decide to enable dual stack on their authoritative DNS servers, they won't forget to create glue records.

Quote from: renjoki on March 09, 2013, 10:49:03 AM
I changed my nameservers to ns[2|3|4].he.net now. Still no luck

You may have to wait 48 hours for caches to expire.

renjoki

According to http://www.youtube.com/watch?v=4fAlBqnLUjM this is the official 'troubleshoot' method for Guru test:

dig NS $domain +short
dig AAAA $NS +short
dig AAAA $domain @$nsAAAA

It does not check glue.
I guess the problem is that before I've set my NS to ns[1|2].selectel.org, they were set to IPv4-only NS. And 48 hours haven't passed since that (I thought the default was 24 hours). I'll check later.

kasperd

Quote from: renjoki on March 09, 2013, 10:22:12 PM
I thought the default was 24 hours

Your current records actually have a 24 hour TTL. But what's important is not the current records, but the TTL at the time it was cached. I don't know if your TTL was lowered within the last few days, or if perhaps org generally uses 24 hours. I have often seen users on this forum having a 48 hour TTL, but that may have been on other TLDs.

Your current NS records look good. And since they point into a different TLD, they don't need any glue records. Also the HE authoritative DNS servers do respond with AAAA records for your domain. So if it doesn't work once any still cached information has expired, it can almost only be a problem on the HE side.
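
Added example, not part of the original posts: the referral kasperd posted for selectel.org, and his point that name servers outside the delegated zone need no glue, can be checked mechanically from dig-style record lines. The function names and the `HE_REFERRAL` sample are constructed for this illustration; only the selectel.org records come from the thread.

```python
import re

# Record lines from the dig referral kasperd posted (AUTHORITY + ADDITIONAL sections).
SELECTEL_REFERRAL = """
selectel.org.           86400   IN      NS      ns3.selectel.org.
selectel.org.           86400   IN      NS      ns2.selectel.org.
selectel.org.           86400   IN      NS      ns4.selectel.org.
selectel.org.           86400   IN      NS      ns1.selectel.org.
ns1.selectel.org.       86400   IN      A       188.93.16.29
ns2.selectel.org.       86400   IN      A       188.93.17.29
ns3.selectel.org.       86400   IN      A       109.234.159.90
ns4.selectel.org.       86400   IN      A       109.234.159.92
"""

# Constructed sample (not captured output): delegation to name servers in another TLD.
HE_REFERRAL = """
xtsubasa.org.           86400   IN      NS      ns2.he.net.
xtsubasa.org.           86400   IN      NS      ns3.he.net.
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_referral(text):
    """Return ({zone: [ns names]}, {host: {"A", "AAAA"}}) from dig record lines."""
    delegations, glue = {}, {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:  # blank lines and ';' comment lines from dig are skipped
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3).lower()
        if rtype == "NS":
            delegations.setdefault(owner, []).append(rdata)
        else:
            glue.setdefault(owner, set()).add(rtype)
    return delegations, glue

def audit_glue(text):
    """Map each name server in the referral to its glue status."""
    delegations, glue = parse_referral(text)
    report = {}
    for zone, servers in delegations.items():
        for ns in servers:
            if ns == zone or ns.endswith("." + zone):  # NS name lives inside the zone
                families = glue.get(ns, set())
                report[ns] = ("+".join(sorted(families)) + " glue") if families else "glue missing"
            else:
                report[ns] = "out of zone, no glue needed"
    return report
```

Calling `audit_glue(SELECTEL_REFERRAL)` reports every selectel.org name server as having `A glue` only, which matches the absence of AAAA records in the ADDITIONAL section of the posted referral.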

renjoki

I was able to pass Guru and Sage now and unblock IRC on my tunnel.
But SMTP is still blocked and I see no option to unblock. I thought sages are able to do that.