Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Issue with request domain record at RIPE for prefix / dns.he.net refusing query  (Read 1939 times)

eancode

Hello,
I'm running my own AS with a delegated PI IPv6 prefix, and I want to maintain the rDNS records at dns.he.net.

I have added the zone in the control panel and I see it marked as green, but when I try to create the domain record at RIPE, the form performs verification and shows "Server is not authoritative for x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa."

Even when I perform manual verification with dig, the query is refused.

Code:
dig @ns1.he.net NS x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa.

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @ns1.he.net NS x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65222
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

Without this I cannot proceed further. Am I missing something? Is there any other action needed?

Thank you.

snarked

Did you create the zone data first (SOA and NS records) and load it?

eancode

Quote from snarked: "Did you create the zone data first (SOA and NS records) and load it?"

What do you mean by that?
I used "Zone Functions -> Add a new reverse"; there I filled in my assigned block and hit the "Add prefix!" button. For a few days it complained that there is no delegation to nsX.he.net, but it (the warning) cleared itself. When I try to dump Raw zone, I get this:

Code:
Raw AXFR output -- Changes made this session will not appear in the dump below. This is not in real time.

; x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa Dumped Wed Jan 29 09:23:13 2020
;


So it seems the zone is not generated at all.

Now I'm facing a hen and egg problem. RIPE will not create the reverse zone in the ip6.arpa tree because HE.net does not reply to the SOA request, and HE.net will not create the zone because ip6.arpa. has no information about the DNS delegation.

tomkep

I believe this is true - they do these automated checks. But as far as I remember they will help you out over email in justified cases (and I believe that's one of them).

snarked

What did I mean? You can't delegate an EMPTY zone.

eancode

I decided to contact the dnsadmin @ he and they enabled the delegation so I was able to complete the registration process with RIPE.

tjeske

This deadlock situation has been an issue with HE for a long time. In theory, HE is supposed to enable zone data first before the registrar starts the delegation. However, HE does an automatic check if the registrar actually allows the delegation. Now if the registrar is conforming to the strict model, then it waits for HE to create the zone first. So as you said, hen-and-egg deadlock. That's why I don't and can't use HE for DNS management.

Didn't know they enable it on request.

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator

The registrars do their check to ensure there's no lame delegation: a technical check.

We require it to ensure the assignee intends for the zone to be hosted here: a security check.

As there's no other means of indicating at the registrar that the zone should be here, we're left with a conflict.
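The lame-delegation check kcochran refers to can be approximated from the DNS header alone. This is an added example, not code from the thread, RIPE or Hurricane Electric; the function names, the fixed transaction ID and the pass criteria (NOERROR, AA set and at least one answer to a non-recursive SOA query) are assumptions, and the sample replies are constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction ID, chosen for this example only


def build_query(zone, qtype=6, txid=TXID):
    """Encode a non-recursive (RD=0) query; qtype 6 = SOA, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in zone.split(".") if l]  # nibble labels + ip6 + arpa
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify(response, txid=TXID):
    """Return (verdict, rcode_name) from the 12-byte header of a reply."""
    if len(response) < 12:
        return ("malformed", None)
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit clear
        return ("malformed", None)
    code = flags & 0x000F
    rcode = RCODES.get(code, str(code))
    authoritative = bool(flags & 0x0400)   # AA bit
    if rcode == "NOERROR" and authoritative and ancount > 0:
        return ("authoritative", rcode)
    return ("lame", rcode)                 # listed server, no authoritative data


def check_server(server, zone, timeout=3.0):
    """Live check over UDP/53 against an IPv4 address or hostname (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return classify(s.recv(4096))


# Constructed reply headers. The first mirrors the dig output in the thread:
# flags "qr rd", status REFUSED, QUERY 1, ANSWER 0, AUTHORITY 0, ADDITIONAL 1.
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 1)
# What a loaded zone would return: flags "qr aa", NOERROR, one SOA answer.
AUTH_REPLY = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify(REFUSED_REPLY))
    print(classify(AUTH_REPLY))
```

Running `check_server` against each nameserver listed in the domain object before submitting the RIPE form shows whether the zone has been loaded yet.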

tjeske

Can't this be...like...enabled for a short timespan, like 5 minutes? Don't know if this is feasible...I am not a network engineer.