• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

HE.net and Sages Vs Afraid.org

Started by zwitterions, January 22, 2014, 04:47:34 AM


zwitterions

It took me 7 minutes to get my Guru level with HE.net, because i won't move from Afraid.org, (Who i think is one of the best DNS registrars in the World) to some other registrar that will support all of these Stupid Glue issues, just so i can get a cert that says Sages, i feel is just stupid, and wrong that people are saying well if you use Afraid.org you can't get it.
Well there have been times, where Afraid.org has gone down at 2 am on a Sunday, and Josh has got up, drove to the site, and repaired the issue, in an hour on his own time, i ran an ISP in Southern Africa for Worldcom (UUNet) back in the 90's and we would do the same in some issues drive 1,200Km just to fix a router, that kind of service is the best you can get, i have already found someone to relay mail through without having to use or ask HE.Net to open port 25 for me, as for people saying move from Afraid.org, Don't! NS1 is all setup, and the rest will come online soon, ask yourself why do you need a Sages Certificate, when you know yourself that you are even better than that level?
I know i am. and ask yourself, just how many people are using IPv6 mail? None if you want the truth, ok maybe .01% , i am happy with what and where i am, my system is working fine, here in the UK, there is no need for a Sages Certificate, if that means moving from the Best DNS Registrar here. So to all the people that would say they are better than me just because i only have a Guru Certificate, and will not change my Registrar, i say, get a life. I am not Flaming anyone here, i think the work that HE.Net are doing is fantastic, and i like their tests, but this one issue, over Afraid, is to be frank, dumb.

Just my Thoughts.

Regards


Rosina.

P.S Keep up the great work HE.Net!

kasperd

Quote from: zwitterions on January 22, 2014, 04:47:34 AM
It took me 7 minutes to get my Guru level with HE.net, because i won't move from Afraid.org, (Who i think is one of the best DNS registrars in the World) to some other registrar that will support all of these Stupid Glue issues, just so i can get a cert that says Sages, i feel is just stupid, and wrong that people are saying well if you use Afraid.org you can't get it.

Nobody is worthy of being called one of the best registrars in the world today, unless they have full dual stack support. And full dual stack supports means you can use them equally well regardless of whether your network is IPv4 only or IPv6 only. Does afraid.org satisfy that criteria?

As far as I can tell, it is impossible to resolve afraid.org from an IPv6 only DNS server.

Quote from: zwitterions on January 22, 2014, 04:47:34 AM
Well there have been times, where Afraid.org has gone down at 2 am on a Sunday, and Josh has got up, drove to the site, and repaired the issue, in an hour on his own time, i ran an ISP in Southern Africa for Worldcom (UUNet) back in the 90's and we would do the same in some issues drive 1,200Km just to fix a router, that kind of service is the best you can get

I have been using the same DNS provider for a decade. I have not once noticed an outage of their DNS servers. (I don't know if that means they had no outages, or that they fixed them faster than I could notice.)

Quote from: zwitterions on January 22, 2014, 04:47:34 AM
I know i am. and ask yourself, just how many people are using IPv6 mail? None if you want the truth, ok maybe .01%

Gmail alone has a larger market share than that.

broquea

#2
AFAIK afraid.org isn't a registrar, they only host DNS. They don't register domains. The same way dns.he.net isn't a registrar, it just hosts DNS for free, but has authoritative nameservers reachable via IPv6.

If you are using the tunnel to try and get on IRC or host email and are angry that only Sages get it unblocked, perhaps your anger is better directed at your ISP that can't provide you native IPv6 than some free online service used to circumvent that ISP.

I can make up statistics too to validate my point that 97.3% of everyone reading this post is a horse.

In seriousness I think you missed the point about the certification program, which isn't about getting irc/smtp access on a tunnel, but rather to help people better understand how to get the basic web services up and running on IPv6 (web/mail/dns). If someone somewhere is mocking you about not leaving afraid.org, why care what they say? However a valid point is that for anyone IPv6-only connected that isn't using some sort of nat64/dns64/CLAT mechanism, and their entire process of resolving hosts/domains is carried over IPv6 only, then the fact that all 7 of afraid.org's authoritative servers are IPv4-only means they'll never get that DNS resolution.

A dig -6 on a domain hosted there would show this failure to support IPv6 at the nameserver access level. In fact I'm not certain how you got Guru unless you used different nameservers, or afraid.org uses different nameservers than the 7 used for their domain.

zwitterions

not upset, don't use irc, and have had email up before i started using HE. Never said i was upset at HE, just users who think they are better for not using Afriad. My mail works fine. But thanks for your input.

zwitterions

and i forgot all my websites run fine on ipv6, not one issue. and no im not a newbie , but thanks for your input.

broquea

#6
Quote from: zwitterions on January 22, 2014, 08:18:29 AM
and i forgot all my websites run fine on ipv6, not one issue. and no im not a newbie , but thanks for your input.

I don't see notoriously-white.co.uk (email address domain in your public broker forum profile) using any IPv6 at all, but perhaps that isn't one of your operated domains. At any rate, that your site runs fine on IPv6 is great news; more content on IPv6! Although I'm not finding zwitterions.net using IPv6 either; www., forum., mail. ...nothing with a AAAA record. Only IPv6 host I found so far was ipv6.dismiz.com, and that's just a single hostname in the domain, that happens to be hosted by HE.NET nameservers for both forward and reverse DNS. So I'm not certain where people mocking you for using afraid.org could have stemmed from.

~$ host 2001:470:1f09:585::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.8.5.0.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer ipv6.dismiz.com.

~$ dig ns dismiz.com +short
ns5.he.net.
ns3.he.net.
ns4.he.net.
he-ns1.dismiz.com.

~$ dig -x 2001:470:1f09:585::1 +trace

; <<>> DiG 9.8.1-P1 <<>> -x 2001:470:1f09:585::1 +trace
;; global options: +cmd
.                       84771   IN      NS      m.root-servers.net.
.                       84771   IN      NS      g.root-servers.net.
.                       84771   IN      NS      l.root-servers.net.
.                       84771   IN      NS      f.root-servers.net.
.                       84771   IN      NS      d.root-servers.net.
.                       84771   IN      NS      c.root-servers.net.
.                       84771   IN      NS      a.root-servers.net.
.                       84771   IN      NS      h.root-servers.net.
.                       84771   IN      NS      b.root-servers.net.
.                       84771   IN      NS      j.root-servers.net.
.                       84771   IN      NS      k.root-servers.net.
.                       84771   IN      NS      e.root-servers.net.
.                       84771   IN      NS      i.root-servers.net.
;; Received 449 bytes from ::1#53(::1) in 21 ms

ip6.arpa.               172800  IN      NS      a.ip6-servers.arpa.
ip6.arpa.               172800  IN      NS      b.ip6-servers.arpa.
ip6.arpa.               172800  IN      NS      c.ip6-servers.arpa.
ip6.arpa.               172800  IN      NS      d.ip6-servers.arpa.
ip6.arpa.               172800  IN      NS      e.ip6-servers.arpa.
ip6.arpa.               172800  IN      NS      f.ip6-servers.arpa.
;; Received 462 bytes from 2001:500:1::803f:235#53(2001:500:1::803f:235) in 84 ms

4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      u.arin.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      v.arin.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      w.arin.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      x.arin.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      z.arin.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      ns2.lacnic.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      sec1.apnic.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      sec1.authdns.ripe.net.
4.0.1.0.0.2.ip6.arpa.   86400   IN      NS      sec3.apnic.net.
;; Received 279 bytes from 196.216.169.11#53(196.216.169.11) in 803 ms

0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      NS1.HE.NET.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      NS3.HE.NET.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      NS5.HE.NET.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      NS4.HE.NET.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      NS2.HE.NET.
;; Received 186 bytes from 2001:470:1a::2#53(2001:470:1a::2) in 17 ms

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.8.5.0.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 86400 IN PTR ipv6.dismiz.com.
;; Received 119 bytes from 216.218.130.2#53(216.218.130.2) in 20 ms

zwitterions

Well if you really want the url's, https://fuckoff-and-die.com/ will take you to them all, but http://ip6.zwitterions.net, http://ip6.fuckoff-and-die.com/ http://fuckoff-and-die.com/ there are more, http://notoriously-white.co.uk/wordpress/ is a secondary server for primary when bt link goes down, dns is auto changed to it, http://notoriously-white.co.uk/wordpress is run by domain check, and are not like most companies in the UK ipv6 ready, it is a shame that The UK, really sucks when it comes to ipv6, but some of us are trying, my mx to my AAAA for mail.fuckoff-and-die.com is up, but it only relays to another server as HE will not give me access to the port, i.e; the reason why i decided to say something, i knew there would be all kinds of people who would love a chance to try and knock someone like me, i will not change my dns from Afraid, just to get a sages t-shirt, or port 25, i really, sorry, i think that this site is great, and i love the work that the Users, and HE are doing to promote IPv6, but having said that, i still don't think that this issue with Afraid should prevent someone from getting to sages. Look to me, i only posted this to bring it to the table, and it has worked! yes i am not a huge know it all when it comes to using a 128 bit address system when for the last 33 years i have been using a 32 bit, but there needs to be some push and shove and take, that's all i am saying, if we want ipv6 to take hold, and we want our users to use it, we need to promote it, not put doors in our way, Afraid's issue should not be a door to go thru. Everyone should be helped anyway they can to move over to IPv6, our Governments and ISP'S well here in the UK, are doing as little as possible, in fact the only ones who are pushing for fast change are the Mobile phone companies.. And People like You, HE.Net, HE.net's Users and small site runners like myself. And i have a huge amount of respect for Apache, and their commitment to IPv6!
Last word, Let's move the things that are in our way, and get everyone on IPv6.
Thanks for all your comments, i hope this issue has now been given the forum it needed..

Regards

Zwitterion's Domain Team.

broquea

#8
Quote
still don't think that this issue with Afraid should prevent someone from getting to sages.

Then I believe you don't understand what IPv6 glue is for domains with registrars, which is the entire point of the Sage process. I will attempt a basic explanation without having had coffee, below.

When you go somewhere like Gandi or etc who are domain registrars, you either point your DNS servers to some DNS hosting entity like Afraid, or create your own host records for nameservers that will reside inside the domain being registered, that you control. Those records for auth nameservers at the registrar are the glue for the domain, either IPv4 or IPv6. The Sage test is to determine that the IPv6 glue does in fact exist in case of someone ipv6-only trying to reach your domain. Now in the case of Afraid, only ns1.afraid.org has an IPv6 address, that I've been able to find. So your domain may be pointed to ns1.afraid.org, which gets you past Guru (name server auth for submitted domain, available on IPv6). However when looking at the glue for afraid.org, none of their 7 name servers that are auth for the "afraid.org" domain have an IPv6 record, and is why you fail to pass Sage.

But you are correct, you don't need to pass Sage, other than to say you passed Sage (and unblock IRC/SMTP filters on tunnel address space, and get a free t-shirt) and make certain that your domain would be accessible to someone on IPv6-only connectivity (without nat64/etc/etc). And sorry for being on BT. Their 21cn really didn't deliver IPV6 did it :( However at least AAISP out there should be able to provide native IPv6!
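
The glue check described in the post above, as an added example that is not part of the thread: it reads a dig referral and reports which delegated nameservers carry A and AAAA glue, then decides whether a resolver with IPv6-only transport could follow the delegation. The domain, addresses, function names and the PARENT_NS placeholder are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which nameservers in a
# referral carry IPv4 and/or IPv6 glue. All names and addresses below are
# constructed (example.test, 192.0.2.0/24, 2001:db8::/32).
#
# Live use, where PARENT_NS is an assumed placeholder for a server of the
# parent zone (for example a TLD server):
#   dig +norecurse NS example.test @"$PARENT_NS" | glue_report

# Print one line per NS name: "<ns> <A|-> <AAAA|->", sorted by name.
# "- -" means the referral carried no glue for that name (typical for
# out-of-bailiwick nameservers, whose addresses must be resolved separately).
glue_report() {
    awk '
        /^;/ || NF < 5 { next }                 # comments, headers, blanks
        { owner = tolower($1); rr = toupper($4) }
        rr == "NS"   { ns[tolower($5)] = 1 }    # delegated nameserver
        rr == "A"    { v4[owner] = 1 }          # IPv4 glue
        rr == "AAAA" { v6[owner] = 1 }          # IPv6 glue
        END {
            for (n in ns)
                printf "%s %s %s\n", n, ((n in v4) ? "A" : "-"), ((n in v6) ? "AAAA" : "-")
        }' | sort
}

# Succeed (exit 0) only if at least one nameserver has AAAA glue, i.e. a
# resolver with IPv6-only transport can follow the referral.
ipv6_only_ok() {
    glue_report | awk '$3 == "AAAA" { ok = 1 } END { exit !ok }'
}

# Constructed referral: every nameserver is IPv4-only.
SAMPLE_V4_ONLY=';; AUTHORITY SECTION:
example.test.      172800 IN NS   ns1.example.test.
example.test.      172800 IN NS   ns2.example.test.

;; ADDITIONAL SECTION:
ns1.example.test.  172800 IN A    192.0.2.1
ns2.example.test.  172800 IN A    192.0.2.2'

# Constructed referral: same delegation, with AAAA glue added for ns1.
SAMPLE_DUAL="$SAMPLE_V4_ONLY
ns1.example.test.  172800 IN AAAA 2001:db8::53"

for s in "$SAMPLE_V4_ONLY" "$SAMPLE_DUAL"; do
    printf '%s\n' "$s" | glue_report
    if printf '%s\n' "$s" | ipv6_only_ok; then
        echo "=> delegation can be followed over IPv6-only transport"
    else
        echo "=> delegation is IPv4-only"
    fi
done
```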

zwitterions

Good comment, yes ns1 is the only ipv6 addressed part of Afraid, they are working on it, and will get there, i am in the process of changing ISP's to someone that will have IPv6 plus a huge bandwidth jump to 1 gig up/down, but that won't be till March April, can't wait to drop BT..

I also do understand Glue, i just decided that the issue needed to be put on the table. Thanks for your comments, got to go, working on some php scripting now.. so i will have a peek Thursday to see if anyone else has replied.

Regards

broquea

#10
But what issue? You are willingly using a service that clearly doesn't have IPv6 glue enabled or present, and want credit for a test that cannot be passed by using that service? I mean the amazingly simple fix to this is:

1) create a host record in your domain at your registrar, point it to an IPv6 address on one of your tunnels
2) host an auth DNS server on that IP/host, for the short time it takes to propagate the new DNS server and have the test query it

In fact you wouldn't rely on out-of-bailiwick DNS hosting anymore. That seems almost a plus in my book. Then you could get rid of the records after passing Sage. Complaining that a preferred service provider's lack of IPv6 glue records is somehow not their fault, but the fault of the online free cert program imposing sane testing guidelines and restrictions on completing a task, is well...silly.

The salient point being that the cert program should be pushing YOU to solve the tech problems, or find someone with a working solution out there.

zwitterions

i thank you for the answers and your time, and i will post a request for some more help at a later time, i have done what i needed to do with gogo, but i see your point, you still miss mine, this is not about the cert, this was to bring it to the attention of others, and i have done this, again i thank you for your time, and i will be writing for some help on this problem, and i do thank you for taking the time out of your busy day to have this thread with me, i do app all your help! thank you, i will be doing what you have said, i just want to also stay with the one provider who has also taken a ton of time on my problems, and give him some support. As i said before, when i'm done the php coding, and i have a second tunnel i just put live on another server, with that one i will follow your advice to the letter, and please when i ask for help, give it to me.. I am really happy to be part of this and am happy that people like yourself are willing to help, it speaks volumes about how good HE.net is and their Users and staff. i have just added 2001:0470:1f09:1020:0000:0000:0000:0000 to a different server and have a test parked ip6 page on it, at 2001:0470:1f08:1020::2 , i will do the entire testing again, on that pipe, with your suggestions, and i hope your help, if i need it, i will put another mail server on that server, as i already have 4 on there i will need to do a bit of virtual work for the cert, thanks again, and wish me luck.. I am doing this to try and get people in the UK to move over to ipv6, as an Anti-censorship site, i have a lot of users, and i hope that if 100 move to ipv6 they will tell 2 friends, and so on..

I need a couple of days to get some other off site servers up and running, and routed, and get my nameservers synced. Thanks again.

Regards

Rosina, and yes there is Andrew, it's funny the two of us are making these replies, so i wonder how much is getting lost in translation. lol

broquea

#12
You are correct, I have missed your point. I saw that you really really like afraid.org, and felt strongly that they needed defending from people. People that were correctly explaining that their DNS hosting service cannot pass the Sage cert level because they do not have IPv6 glue for the authoritative name servers used for domains they host, which reside in and out of the afraid.org domain. What they needed defending from, is what I don't get. It is an easily proven fact, and accounting of other users' experiences that they don't have IPv6 glue in place for afraid.org.

Quote
...i feel is just stupid, and wrong that people are saying well if you use Afraid.org you can't get it.

"It" implying the Sage cert. Those people are correct. They aren't saying afraid.org is a horrible service. In fact I don't think I've seen disparaging remarks about their service. They were one of the first free DNS hosting providers out there that provided rDNS hosting for HE tunnels with an easy to use webUI. These people commenting about the IPv6 glue state of affairs at afraid.org are stating a fact.

No IPv6 glue records for "afraid.org", no Sage cert. When they get IPv6 glue records, mazel tov! They are one step closer to being where other providers have been for a few years now. Although they still won't be a "registrar". :)

kasperd

Quote from: broquea on January 22, 2014, 03:53:05 PM
What they needed defending from, is what I don't get.

Agreed. I don't see why a company's decision not to support IPv6 should be defended at this time. We are three years past the deadline.

Is there any drawback from adding AAAA glue records? I think not, because clients falling over just because they see a AAAA glue record would be in big trouble anyway.

Quote from: broquea on January 22, 2014, 03:53:05 PM
They are one step closer to being where other providers have been for a few years now.

I suppose that is to be read as some other providers, not all other providers.

zwitterions

Now that i have the other tunnel up on a server, i can use its setup? or must i start from the beginning? And i think i proved your point, and yes i am in fact quite wrong, i have had some unexplained dns errors, but they do take up to 8 hours to occur, this has to be due to propagation from ns1.afraid.org, and mine and then to your end, i now understand the issue of glue, i have always prided myself on supporting the people who support me, and also when i am wrong i admit it, it's a stubborn streak i developed when in Hebrew school, my Rabbi always said i was very argumentative, and i think another fault is that back in the 80's as i am sure you know we had to rewrite the books on how things worked, when it came to the Net, if i may, the Glue issue will in fact cause name based servers to start to report the wrong domain? after the propagation, is that right? from what i can see ns1.afraid does its job, but then once it has propagated, it has no means of correcting the name based records? You have to understand, we don't have a lot of friends, being in the Anti-Censorship arena, Josh has always been there for us, this move to ipv6 has by the most part been fairly straightforward, our knowledge of ipv4 is as good as it gets, but we have made some guesses with ipv6, and as you have so well said, got it quite wrong. Now i will follow your instructions on the host dns setup, but a question, would it not be easier to use HE.net's dns for the ipv6 side of the network, if not, who should we use? the days of us being dynamic are long gone, but we still stick with afraid as we do love their service, so i will have a look around the site to see how the dns works on HE.net. You have a gift for explaining things, that very few do, and i am very lucky that you stuck with it, and did not just decide to stop communicating with me, i do apologize for being a spaz on this issue, and have learned more from our thread than any test could tell me.
I thank you again, and hope when i screw up you will still be there to help. You would not believe in a few short days how many new users we have picked up because of ipv6, there are a lot of people here in the UK who want to go ipv6 but the truth is a lot of us don't know as much as we think, and a lot of people are following my mistakes and learning from them.
Once we fix this issue, we are going to need a heads up on how to move our VPN'S over to ipv6, so a point in the right direction from you would be much appreciated..

Thanks again

Regards

This time Andrew.