
IPv6 forward DNS not resolving

Started by cololine, February 13, 2009, 09:02:47 AM



Hi -

So I'm trying to set up a working IPv6 CentOS box inside H.E. Fremont. I've got my IPv6 addresses, they are configured on the box and I can ping them. I've registered a couple of IPv6 hosts at my registrar. At this point I can ping those too:

[root@ns2 named]# ping6 ns1.colocationbayarea.net
PING ns1.colocationbayarea.net(2001:470:1:6d::3) 56 data bytes
64 bytes from 2001:470:1:6d::3: icmp_seq=0 ttl=64 time=0.052 ms
64 bytes from 2001:470:1:6d::3: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 2001:470:1:6d::3: icmp_seq=2 ttl=64 time=0.056 ms
--- ns1.colocationbayarea.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.052/0.055/0.058/0.006 ms, pipe 2
[root@ns2 named]# ping6 ns2.colocationbayarea.net
PING ns2.colocationbayarea.net(2001:470:1:6d::4) 56 data bytes
64 bytes from 2001:470:1:6d::4: icmp_seq=0 ttl=64 time=0.067 ms
64 bytes from 2001:470:1:6d::4: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 2001:470:1:6d::4: icmp_seq=2 ttl=64 time=0.050 ms
--- ns2.colocationbayarea.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.050/0.061/0.067/0.007 ms, pipe 2

These nameservers are authoritative for the domain, colocationbayarea.net.

I've got named running with IPv6 enabled and it is listening on IPv6:

[root@ns2 named]# netstat -lnptu | grep ":::" | grep named
tcp        0      0 :::53                       :::*                        LISTEN      19813/named
tcp        0      0 ::1:953                     :::*                        LISTEN      19813/named
udp        0      0 :::37555                    :::*                                    19813/named
udp        0      0 :::53                       :::*                                    19813/named

I've got the forward zone set in named.conf:

zone "colocationbayarea.net" {
        type master;
        file "/var/named/colocationbayarea.net.hosts";
};

and I've got the records in the zone file "colocationbayarea.net.hosts":

[root@ns2 named]# cat colocationbayarea.net.hosts
$ttl 300
@       IN      SOA     ns1.colocationbayarea.net. admin.colocationbayarea.net. (
                        300 )
        IN      NS      ns1.colocationbayarea.net.
        IN      AAAA    2001:470:1:6d::3
ns1     IN      AAAA    2001:470:1:6d::3
ns2     IN      AAAA    2001:470:1:6d::4
mail    IN      AAAA    2001:470:1:6d::2
        IN      NS      ns2.colocationbayarea.net.
www     IN      CNAME   colocationbayarea.net.
        IN      MX      10 mail.colocationbayarea.net.

Named has been restarted. No worky:

[root@ns2 named]# ping6 colocationbayarea.net
unknown host
[root@ns2 named]# dig @ns1.colocationbayarea.net colocationbayarea.net

; <<>> DiG 9.3.4-P1 <<>> @ns1.colocationbayarea.net colocationbayarea.net
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1079
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;colocationbayarea.net.         IN      A

colocationbayarea.net.  300     IN      SOA     ns1.colocationbayarea.net. admin.colocationbayarea.net. 1234469106 10800 3600 604800 300

;; Query time: 2 msec
;; SERVER: 2001:470:1:6d::3#53(2001:470:1:6d::3)
;; WHEN: Fri Feb 13 09:01:29 2009
;; MSG SIZE  rcvd: 85

Any ideas on what I am missing or doing wrong would be appreciated.


Are the recursive name servers your machines are using IPv6 connected? (Since your domain doesn't provide DNS over IPv4...)


Apparently not - I was able to ping6 ipv6.google.com with my existing nameservers, so I just assumed they were ok. But putting the IP for ns1.fmt2.he.net at the top of my resolvers list made it work.


I don't see an A or AAAA record for the domain itself in your zone file...


All of your problems have to do with BIND.

1)  > dig @ns1.colocationbayarea.net colocationbayarea.net
This asks for type A records only.  If you want to verify that AAAA records are being returned, you need to query for that type.

2)  A matter of style:  Names that are within the zone on the right-hand side should NOT be FQDNs.  Too many people make spelling errors and wonder why their zones don't work correctly.

3)  Your zone file contains errors.  You have both records and a delegation for the "mail" subzone.  You probably meant that the second NS RR be for the zone itself, but that's not what you wrote.  Also, why have only the "www" host have a mail exchanger?  You obviously don't understand that leading whitespace will use the label on the line above (the last one without leading whitespace).

First, I would rewrite the zone file as this (serial # bumped by 1):
$ttl 5M
@       IN      SOA     ns1 admin 1234469110 3H 1H 7D 5M
          IN      NS      ns1
          IN      NS      ns2
          IN      MX      10 mail
          IN      AAAA    2001:470:1:6d::3
ns1     IN      AAAA    2001:470:1:6d::3
ns2     IN      AAAA    2001:470:1:6d::4
mail    IN      AAAA    2001:470:1:6d::2
www     IN      CNAME   @

4)  How is ns2 supposed to fetch the zone from ns1 - without any "allow-transfer" statement?

Once you get it working, you need to add some SPF statements so you don't get "joe jobbed."
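As an added example (not code from this thread, from BIND, or from Webmin), the two zone files above fed through a small Python zone reader that applies the owner-inheritance rule from point 3 and answers type-specific lookups for point 1. The origin name, the function names, and the copies of the zone files embedded as sample input are this example's own assumptions:

```python
"""Added example, not from the thread or from BIND: a minimal reader for the
BIND-style zone files quoted above.  A line that starts with whitespace
inherits the owner of the last line that had one; the reader reports which
owner each record lands on and answers type-specific lookups offline."""

# Constructed copy of the zone file as first posted (sample input).
ORIGINAL_ZONE = """\
$ttl 300
@       IN      SOA     ns1.colocationbayarea.net. admin.colocationbayarea.net. (
                        300 )
        IN      NS      ns1.colocationbayarea.net.
        IN      AAAA    2001:470:1:6d::3
ns1     IN      AAAA    2001:470:1:6d::3
ns2     IN      AAAA    2001:470:1:6d::4
mail    IN      AAAA    2001:470:1:6d::2
        IN      NS      ns2.colocationbayarea.net.
www     IN      CNAME   colocationbayarea.net.
        IN      MX      10 mail.colocationbayarea.net.
"""

# Constructed copy of the rewritten zone file from the reply (sample input).
REWRITTEN_ZONE = """\
$ttl 5M
@       IN      SOA     ns1 admin 1234469110 3H 1H 7D 5M
          IN      NS      ns1
          IN      NS      ns2
          IN      MX      10 mail
          IN      AAAA    2001:470:1:6d::3
ns1     IN      AAAA    2001:470:1:6d::3
ns2     IN      AAAA    2001:470:1:6d::4
mail    IN      AAAA    2001:470:1:6d::2
www     IN      CNAME   @
"""

ORIGIN = "colocationbayarea.net."   # assumed zone apex, as $ORIGIN would set it


def logical_lines(text):
    """Drop comments and blank lines; join records continued inside ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())  # keep first line's indent
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    return out


def qualify(name, origin):
    """Make an owner name absolute relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples, applying owner inheritance."""
    records, owner = [], None
    for line in logical_lines(text):
        if line.startswith("$"):            # $TTL etc. are directives, not records
            continue
        fields = line.split()
        if not line[0].isspace():           # explicit owner: remember it for what follows
            owner = qualify(fields.pop(0), origin)
        if owner is None:
            raise ValueError("record before any owner name")
        if fields and fields[0].isdigit():  # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype = fields[0].upper()
        rdata = " ".join(f for f in fields[1:] if f not in ("(", ")"))
        records.append((owner, rtype, rdata))
    return records


def owners_with(records, rtype):
    """Sorted owner names carrying at least one record of the given type."""
    return sorted({o for o, t, _ in records if t == rtype})


def misplaced_delegations(records, origin):
    """Non-apex owners holding NS records next to other data: the NS records
    delegate the name away, so the other records are never served from here."""
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    return sorted(o for o, ts in types.items()
                  if o != origin and "NS" in ts and ts - {"NS"})


def lookup(records, name, rtype):
    """Rdata an authoritative server would put in ANSWER for name/type."""
    return [r for o, t, r in records if o == name and t == rtype]


if __name__ == "__main__":
    for label, zone in (("original", ORIGINAL_ZONE), ("rewritten", REWRITTEN_ZONE)):
        recs = parse_zone(zone, ORIGIN)
        print(f"== {label}: MX under {owners_with(recs, 'MX')}, "
              f"NS under {owners_with(recs, 'NS')}, "
              f"bad delegations {misplaced_delegations(recs, ORIGIN)}")
        print("   apex A:", lookup(recs, ORIGIN, "A"), "apex AAAA:", lookup(recs, ORIGIN, "AAAA"))
```

On the original file the MX ends up under www and the second NS under mail, exactly as the reply says, and the apex A lookup is empty while the AAAA lookup is not, which is why the plain dig showed ANSWER: 0 with the SOA in the authority section; the rewritten file puts both NS records and the MX at the apex and has no stray delegation.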


Actually, my 'main' issue, as someone pointed out above, was that the resolvers my machine was using for external lookups were not IPv6 connected, and in fact it seems that much of the Internet is still this way, I've found by poking around on the 'net and using various web tools to query other systems. Apparently it's a bit lonely if your hosts are running purely on IPv6. But I have no doubt that the form of my IPv6 zone file was not ideal, despite the fact that it does work as written, as I am new to this and was simply taking it the way that Webmin wants to write it. So thank you all for your help and suggestions, I do greatly appreciate it!