IPv6 forward DNS not resolving

cololine · February 13, 2009, 09:02:47 AM

Hi -

So I'm trying to set up a working IPv6 CentOS box inside H.E. Fremont. I've got my IPv6 addresses, they are configured on the box and I can ping them. I've registered a couple of IPv6 hosts at my registrar. At this point I can ping those too:

[root@ns2 named]# ping6 ns1.colocationbayarea.net
PING ns1.colocationbayarea.net(2001:470:1:6d::3) 56 data bytes
64 bytes from 2001:470:1:6d::3: icmp_seq=0 ttl=64 time=0.052 ms
64 bytes from 2001:470:1:6d::3: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 2001:470:1:6d::3: icmp_seq=2 ttl=64 time=0.056 ms
^C
--- ns1.colocationbayarea.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.052/0.055/0.058/0.006 ms, pipe 2
[root@ns2 named]# ping6 ns2.colocationbayarea.net
PING ns2.colocationbayarea.net(2001:470:1:6d::4) 56 data bytes
64 bytes from 2001:470:1:6d::4: icmp_seq=0 ttl=64 time=0.067 ms
64 bytes from 2001:470:1:6d::4: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 2001:470:1:6d::4: icmp_seq=2 ttl=64 time=0.050 ms
^C
--- ns2.colocationbayarea.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.050/0.061/0.067/0.007 ms, pipe 2

These nameservers are authoritative for the domain, colocationbayarea.net.

I've got named running with IPv6 enabled and it is listening on IPv6:

[root@ns2 named]# netstat -lnptu | grep ":::" | grep named
tcp 0 0 :::53 :::* LISTEN 19813/named
tcp 0 0 ::1:953 :::* LISTEN 19813/named
udp 0 0 :::37555 :::* 19813/named
udp 0 0 :::53 :::* 19813/named

I've got the forward zone set in named.conf:

zone "colocationbayarea.net" {
type master;
file "/var/named/colocationbayarea.net.hosts";
};

and I've got the records in the zone file "colocationbayarea.net.hosts":

[root@ns2 named]# cat colocationbayarea.net.hosts
$ttl 300
@ IN SOA ns1.colocationbayarea.net. admin.colocationbayarea.net. (
1234469109
10800
3600
604800
300 )
IN NS ns1.colocationbayarea.net.
IN AAAA 2001:470:1:6d::3
ns1 IN AAAA 2001:470:1:6d::3
ns2 IN AAAA 2001:470:1:6d::4
mail IN AAAA 2001:470:1:6d::2
IN NS ns2.colocationbayarea.net.
www IN CNAME colocationbayarea.net.
IN MX 10 mail.colocationbayarea.net.

Named has been restarted. No worky:

[root@ns2 named]# ping6 colocationbayarea.net
unknown host
[root@ns2 named]# dig @ns1.colocationbayarea.net colocationbayarea.net

; <<>> DiG 9.3.4-P1 <<>> @ns1.colocationbayarea.net colocationbayarea.net
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1079
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;colocationbayarea.net. IN A

;; AUTHORITY SECTION:
colocationbayarea.net. 300 IN SOA ns1.colocationbayarea.net. admin.colocationbayarea.net. 1234469106 10800 3600 604800 300

;; Query time: 2 msec
;; SERVER: 2001:470:1:6d::3#53(2001:470:1:6d::3)
;; WHEN: Fri Feb 13 09:01:29 2009
;; MSG SIZE rcvd: 85

Any ideas on what I am missing or doing wrong would be appreciated.

kristiankrohn · February 13, 2009, 09:52:46 AM

Are the recursive name servers your machines are using IPv6 connected? (Since your domain doesn't provide DNS over IPv4...)

cololine · February 13, 2009, 11:26:46 AM

Apparently not - I was able to ping6 ipv6.google.com with my existing nameservers, so I just assumed they were ok. But putting the ip for ns1.fmt2.he.net at the top of my resolvers list made it work.

kriteknetworks · February 13, 2009, 02:41:51 PM

I don't see an A or AAAA record for the domain itself in your zone file...

snarked · February 13, 2009, 04:07:18 PM

All of your problems have to do with BIND.

1)

Quotedig @ns1.colocationbayarea.net colocationbayarea.net

This asks for type A records only. If you want to verify that AAAA records are being returned, you need to query for that type.

2) A matter of style: Names that are within the zone on the right-hand side should NOT be FQDNs. Too many people make spelling errors and wonder why their zones don't work correctly.

3) Your zone file contains errors. You have both records and a delegation for the "mail" subzone. You probably meant that the second NS RR be for the zone itself, but that's not what you wrote. Also, why have only the "www" host have a mail exchanger? You obviously don't understand that leading whitespace will use the label on the line above (the last one without leading whitespace).

First, I would rewrite the zone file as this (serial # bumped by 1):

Quote$ttl 5M
@ IN SOA ns1 admin 1234469110 3H 1H 7D 5M
IN NS ns1
IN NS ns2
IN MX 10 mail
IN AAAA 2001:470:1:6d::3
ns1 IN AAAA 2001:470:1:6d::3
ns2 IN AAAA 2001:470:1:6d::4
mail IN AAAA 2001:470:1:6d::2
www IN CNAME @

4) How is ns2 supposed to fetch the zone from ns1 - without any "allow-transfer" statement?

Once you get it working, you need to add some SPF statements so you don't get "joe jobbed."

cololine · February 18, 2009, 07:01:28 AM

Actually, my 'main' issue, as someone pointed out above, was that the resolvers my machine was using for external lookups were not IPv6 connected, and in fact it seems that much of the Internet is still this way, I've found by poking around on the 'net and using various web tools to query other systems. Apparently it's a bit lonely if your hosts are running purely on IPv6. But I have no doubt that the form of my IPv6 zone file was not ideal, despite the fact that it does work as written, as I am new to this and was simply taking it the way that Webmin wants to write it. So thank you all for your help and suggestions, I do greatly appreciate it!

tufinhas · February 18, 2009, 09:13:20 AM

It's very early for IPv6 only.

News:

IPv6 forward DNS not resolving

cololine

kristiankrohn

cololine

kriteknetworks

snarked

cololine

tufinhas