
Issue with request domain record at RIPE for prefix / dns.he.net refusing query

Started by eancode, January 29, 2020, 04:18:46 AM



I'm running my own AS with a delegated PI IPv6 prefix, and I want to maintain the rDNS records at dns.he.net.

I have added the zone in the control panel and I see it marked as green, but when I try to create the domain record at RIPE, the form performs verification and shows "Server is not authoritative for x.x.x.x.x.x.x.x."

Even when I perform manual verification with dig, the query is refused.

dig @ns1.he.net NS x.x.x.x.x.x.x.x.

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @ns1.he.net NS x.x.x.x.x.x.x.x.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65222
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

Without this I cannot proceed further. Am I missing something? Is there any other action needed?

Thank you.


Did you create the zone data first (SOA and NS records) and load it?


Quote from: snarked on January 29, 2020, 09:16:05 AM
Did you create the zone data first (SOA and NS records) and load it?

What do you mean by that?
I used "Zone Functions -> Add a new reverse"; there I filled in my assigned block and hit the "Add prefix!" button. For a few days it complained that there is no delegation to nsX.he.net, but it (the warning) cleared itself. When I try to dump the raw zone, I get this:

Raw AXFR output -- Changes made this session will not appear in the dump below. This is not in real time.

; x.x.x.x.x.x.x.x. Dumped Wed Jan 29 09:23:13 2020

So it seems the zone is not generated at all.

Now I'm facing a hen and egg problem. RIPE will not create the reverse zone in the ip6.arpa tree because HE.net does not reply to the SOA request, and HE.net will not create the zone because ip6.arpa. has no information about the DNS delegation.


I believe this is true - they do these automated checks. But as far as I remember they will help you out over email in justified cases (and I believe that's one of them).



I decided to contact the dnsadmin @ he and they enabled the delegation so I was able to complete the registration process with RIPE.


This deadlock situation has been an issue with HE for a long time. In theory, HE is supposed to enable zone data first before the registrar starts the delegation. However, HE does an automatic check if the registrar actually allows the delegation. Now if the registrar is conforming to the strict model, then it waits for HE to create the zone first. So as you said, hen-and-egg deadlock. That's why I don't and can't use HE for DNS management.

Didn't know they enable it on request.


The registrars do their check to ensure there's no lame delegation: a technical check.

We require it to ensure the assignee intends for the zone to be hosted here: a security check.

As there's no other means of indicating at the registrar that the zone should be here, we're left with a conflict.


Can't this be...like...enabled for a short timespan, like 5 minutes? Don't know if this is feasible...I am not a network engineer.
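
Added example, not part of any post in this thread and not HE's or RIPE's code: a small Python parser that classifies dig header output along the lines of the lame-delegation check discussed above, treating a non-NOERROR status or a missing aa flag as lame. The verdict criteria are an assumption about such a check, and all sample outputs are constructed (the first mirrors the REFUSED header quoted in the opening post).

```python
import re

# Matches the ";; ->>HEADER<<-" line of dig output and captures the rcode.
HEADER_RE = re.compile(r"->>HEADER<<-\s+opcode:\s*\w+,\s*status:\s*(\w+),")
# Matches the ";; flags:" line and captures the flag list and the ANSWER count.
FLAGS_RE = re.compile(r"^;;\s*flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)", re.M)

# Constructed samples: only the header lines of a dig response are needed.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65222
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1201
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
"""
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1202
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(text):
    """Return (rcode, set of header flags, answer count) from dig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("no DNS response header in dig output")
    return header.group(1), set(flags.group(1).split()), int(flags.group(2))

def verdict(text):
    """Classify one name server's response to an NS or SOA query for the zone."""
    rcode, flags, answers = parse_dig(text)
    if rcode != "NOERROR":
        return "LAME:" + rcode              # e.g. REFUSED: zone not loaded
    if "aa" not in flags:
        return "LAME:NOT_AUTHORITATIVE"     # answered, but not as the authority
    if answers == 0:
        return "LAME:NO_RECORDS"            # authoritative, but no NS/SOA data
    return "OK"

if __name__ == "__main__":
    for name, sample in [("refused", REFUSED),
                         ("authoritative", AUTHORITATIVE),
                         ("cached", CACHED)]:
        print(name, verdict(sample))
```

To run it against live output, pass the text of a dig query for the zone's NS or SOA record at each listed name server to verdict().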