Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: IPv6 glue test impossible with afraid.org domains?  (Read 46054 times)

snarked
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #30 on: August 12, 2009, 01:54:14 PM »

RE - Yorick:  You don't understand what "glue" means.  It's defined in the DNS RFCs with a specific meaning.

Those IPv6 address records are NOT glue records.  They are for name servers whose hostnames are outside of the TLD of the domain being accessed.

Only address records for name servers INSIDE the zone (domain) they are part of are glue records (when at the parent zone's name servers).  Other address records for name servers are not glue records. 

leenoux
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #31 on: August 12, 2009, 08:25:41 PM »

Both yorick and snarked are right :) from my perspective.
They're just not "in sync" with each other ;D

Their arguments can cause acute headaches for people who do not have deep knowledge of how DNS works ;D

** just joking **
« Last Edit: August 12, 2009, 08:38:34 PM by leenoux »

yorick
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #32 on: August 13, 2009, 06:04:16 PM »

Quote
Their arguments can cause acute headaches for people who do not have deep knowledge of how DNS works ;D

You're right about that - which is why this has now moved to PM. I hope those who are trying to complete Sage on afraid.org can still figure out how to do that from this at-times contentious thread. It certainly can be done, no matter what you end up calling the method by which it is done.  ;D

swschulz
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #33 on: October 10, 2009, 09:36:22 PM »

Quick question for those who have made it through sage:

I currently have been working through the cert stages with a domain hosted at home.  That domain, abc.net, currently has two nameservers alpha.bravo.org and charlie.delta.com.  Both of those domain records are maintained at name.com who don't seem to support adding glue records.  On the other hand, abc.net is registered at GoDaddy, so I could easily add an IPv6 hostname to its record (e.g. ns1.abc.net) which could then have a glue record (if I understand the usage here correctly).

I wonder though if one can register a nameserver with only an IPv6 address?

Secondly, at this point the domain abc.net would have three nameservers.  Does the test check all three for glue records, or can I get past with only one?

jimb
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #34 on: October 10, 2009, 09:54:24 PM »

Yes.  You can register a host record with only IPv6.  I did it for mine.  Worked with the test too.

My setup also had two IPv4 only name servers, and one IPv6 only name server.  Sage worked.

I can't quite remember if I used my 2nd level domain, or a subdomain for the Sage test.  I think I used a subdomain.  But I added that name server to my 2nd level too, along with the glue record (which means I get queries over IPv6 for my domain sometimes).

(EDIT: to clarify, the IPv6 name server I added was named the same as the subdomain, and listed as the name server for both the subdomain, and as one of the servers for the parent 2nd level domain)
« Last Edit: October 10, 2009, 10:00:03 PM by jimb »

swschulz
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #35 on: October 12, 2009, 02:47:12 PM »

Thank you jimb... That did the trick.  I was getting confused by reading some of the posts in this thread, and was beginning to believe that these glue records were somehow different than the standard nameserver glue records.

Got mine added and waited for the he.net boxes to expire the old data, and now everything is golden.

I guess that feature is one more thing to consider when comparing domain name registrars.  I've emailed name.com in re: their support for IPv6 nameserver definitions, but have not yet received a response.  Guess I need to leave the nameservers on GD.

Again, many thanks for the quick clarification...

A Sage :)


deags
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #36 on: November 25, 2009, 05:32:13 PM »

Hi,
I think I have my setup correct, just the test is not working?

http://network-tools.com/default.asp?prog=dnsrec&host=1.qld-rural.info

The domain I'm testing is 1.qld-rural.info

Entries at afraid.
   1.qld-rural.info (G)   NS   ns1.1.qld-rural.info
   1.qld-rural.info (G)   NS   ns2.1.qld-rural.info
   ns1.1.qld-rural.info (G)   A   60.241.215.178
   ns1.1.qld-rural.info (G)   AAAA   2001:0470:b8d9:0056:0000:0000:0000:000
   ns2.1.qld-rural.info (G)   A   204.42.254.5
   ns2.1.qld-rural.info (G)   AAAA   2001:418:3f4::5


The test is looking up the root nameservers?

Code:
NS Records: ns.1.qld-rural.info.
-TLD: info
-Server: b0.info.afilias-nst.org.
-Output: No Record
-Server: a2.info.afilias-nst.info.
-Output: No Record
-Server: b2.info.afilias-nst.org.
-Output: No Record
-Server: d0.info.afilias-nst.org.
-Output: No Record
-Server: a0.info.afilias-nst.info.
-Output: No Record
-Server: c0.info.afilias-nst.info.
-Output: No Record
1.qld-rural.info
1.qld-rural.info

Code:
# dig ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> ns1.1.qld-rural.info AAAA @ns1.1.qld-rural.info
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44138
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;ns1.1.qld-rural.info.          IN      AAAA

;; ANSWER SECTION:
ns1.1.qld-rural.info.   86400   IN      AAAA    2001:470:b8d9:56::1

;; AUTHORITY SECTION:
1.qld-rural.info.       86400   IN      NS      ns2.1.qld-rural.info.
1.qld-rural.info.       86400   IN      NS      ns1.1.qld-rural.info.

;; ADDITIONAL SECTION:
ns1.1.qld-rural.info.   86400   IN      A       60.241.215.178
ns2.1.qld-rural.info.   86400   IN      A       204.42.254.5
ns2.1.qld-rural.info.   86400   IN      AAAA    2001:418:3f4::5

;; Query time: 244 msec
;; SERVER: 60.241.215.178#53(60.241.215.178)
;; WHEN: Fri Nov 27 07:02:19 2009
;; MSG SIZE  rcvd: 158
« Last Edit: November 26, 2009, 08:03:02 PM by deags »

snarked
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #37 on: November 26, 2009, 12:21:01 PM »

OK, but why should "1.qld-rural.info" be listed at the ".info" name servers?

"qld-rural.info" is the domain for which the ".info" servers would list NS records.

"1.qld-rural.info" is properly listed at the "afraid.org" servers with a delegation that includes glue.  Since all 4 servers for "qld-rural.info" are NOT under ".info" (but are under the ".org" TLD), no glue is needed at that level.


PS:  I prefer the advanced interface:  http://network-tools.com/nslook/Default.asp

From "dig +trace":
Quote
.         518400 IN NS E.ROOT-SERVERS.NET.
.         518400 IN NS K.ROOT-SERVERS.NET.
.         518400 IN NS M.ROOT-SERVERS.NET.
.         518400 IN NS H.ROOT-SERVERS.NET.
.         518400 IN NS F.ROOT-SERVERS.NET.
.         518400 IN NS J.ROOT-SERVERS.NET.
.         518400 IN NS I.ROOT-SERVERS.NET.
.         518400 IN NS C.ROOT-SERVERS.NET.
.         518400 IN NS B.ROOT-SERVERS.NET.
.         518400 IN NS D.ROOT-SERVERS.NET.
.         518400 IN NS L.ROOT-SERVERS.NET.
.         518400 IN NS G.ROOT-SERVERS.NET.
.         518400 IN NS A.ROOT-SERVERS.NET.
;; Received 299 bytes from ::1#53(::1) in 39 ms

info.         172800 IN NS C0.INFO.AFILIAS-NST.info.
info.         172800 IN NS D0.INFO.AFILIAS-NST.ORG.
info.         172800 IN NS A0.INFO.AFILIAS-NST.info.
info.         172800 IN NS B2.INFO.AFILIAS-NST.ORG.
info.         172800 IN NS A2.INFO.AFILIAS-NST.info.
info.         172800 IN NS B0.INFO.AFILIAS-NST.ORG.
;; Received 448 bytes from 2001:500:2f::f#53(F.ROOT-SERVERS.NET) in 64 ms

qld-rural.info.      86400 IN NS ns1.qld-rural.info.
qld-rural.info.      86400 IN NS ns2.qld-rural.info.
qld-rural.info.      86400 IN NS ns3.qld-rural.info.
qld-rural.info.      86400 IN NS ns4.qld-rural.info.
;; Received 181 bytes from 2001:500:1b::1#53(C0.INFO.AFILIAS-NST.info) in 79 ms

1.qld-rural.info.   3600 IN   NS ns2.1.qld-rural.info.
1.qld-rural.info.   3600 IN   NS ns1.1.qld-rural.info.
;; Received 169 bytes from 67.19.72.206#53(ns1.qld-rural.info) in 43 ms

1.qld-rural.info.   86400 IN SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. (
            2009112501 ; serial
            28800      ; refresh (8 hours)
            7200       ; retry (2 hours)
            864000     ; expire (1 week 3 days)
            86400      ; minimum (1 day)
            )
1.qld-rural.info.   86400 IN NS ns1.1.qld-rural.info.
1.qld-rural.info.   86400 IN NS ns2.1.qld-rural.info.
;; Received 211 bytes from 2001:418:3f4::5#53(ns2.1.qld-rural.info) in 68 ms

SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns2.1.qld-rural.info in 345 ms.
SOA ns1.1.qld-rural.info. louis.1.qld-rural.info. 2009112501 28800 7200 864000 86400 from server ns1.1.qld-rural.info in 271 ms.

Noting that "ns[1-4].qld-rural.info" map to the same addresses as "ns[1-4].afraid.org."
« Last Edit: November 26, 2009, 12:30:04 PM by snarked »

dualarrow
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #38 on: March 11, 2012, 04:22:35 AM »

Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.

You need to think hard about what the glue is and how it's used. When you do this, you'll see you can use tunnelbroker's free DNS in conjunction with afraid to complete the test. It took me a day or 2 to wrap my brain around the solution, but it was worth it.

Andrew

onehalf3544
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #39 on: October 25, 2012, 11:03:53 AM »

Quote
Just in case anyone comes across this post and somehow thinks they can't complete SAGE if they have a domain on afraid.org, persist, as it can be done. I just completed SAGE.

Indeed! I have also just completed the Sage test with a domain from afraid.org. It all turned out to be very simple after some thinking and googling.
Sure, it is much better (from the educational point of view) to set up a DNS server, but I had this done for the Guru test, so I don't think I've missed anything (except paying the registrar for a domain with a glue record of course =).

kasperd
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #40 on: October 26, 2012, 03:13:18 AM »

I am curious how you pulled that off considering that none of the afraid.org DNS servers have an IPv6 address at all. Can you point me to a domain, where you made it work?

onehalf3544
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #41 on: October 26, 2012, 08:03:07 AM »

Actually ns1.afraid.org has AAAA record:
Code:
%host ns1.afraid.org | grep IPv6
ns1.afraid.org has IPv6 address 2607:f0d0:1102:d5::2

Domain used for test is onehalf3544.strangled.net

kasperd
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #42 on: October 26, 2012, 11:03:20 AM »

Quote
Actually ns1.afraid.org has AAAA record

But ns1.afraid.org is not NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.

Quote
Domain used for test is onehalf3544.strangled.net

That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command
Code:
dig -6 +trace -t aaaa onehalf3544.strangled.net

To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.

Does the certification use a buggy dig command behind the scenes?

onehalf3544
Re: IPv6 glue test impossible with afraid.org domains?
« Reply #43 on: October 26, 2012, 12:06:51 PM »

Quote
Actually ns1.afraid.org has AAAA record
But ns1.afraid.org is not NS for afraid.org. So when you have ns1.afraid.org in your NS record, the resolver still has to look up ns1.afraid.org, which means it will have to send the query to an NS for afraid.org, which is IPv4 only.

I agree.

Quote
Domain used for test is onehalf3544.strangled.net
That passed the test? I think that is a bug in the test then. I don't think there is any way that domain can possibly be resolved by an IPv6 only DNS resolver. I tested it out with this dig command
Code:
dig -6 +trace -t aaaa onehalf3544.strangled.net
To my surprise that actually succeeded in resolving the domain. But when I did a tcpdump to find out how it managed to pull that off, I found that dig actually still sent some DNS queries over IPv4. In particular the AAAA query for ns1.afraid.org was sent over IPv4 from dig to my ISP's recursive resolvers.

Does the certification use a buggy dig command behind the scenes?

Maybe their dig is buggy, but they don't even run it with "-6" option.
And their checks don't care about the entire chain - Guru test runs the following:
Code:
dig NS $domain
dig AAAA $NS
dig AAAA $domain @$nsAAAA

Sage test:
Code:
dig NS $domain
dig AAAA $ns @$tld_server

All those commands run successfully even with "-6" option.

But I agree that tests should be tweaked to check for ipv6-only reachability.
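The distinction the thread ends on, together with snarked's definition of glue earlier on the page, as an added example that is not part of any post: a Python model contrasting a check that only asks whether an NS name has an AAAA record with one that follows the delegation chain as a resolver with IPv6 transport only would. The zone data uses reserved example names and is constructed; the function names and the assumption that the TLD servers answer over IPv6 are illustrative.

```python
# Constructed data using reserved example names; 4 = A record, 6 = AAAA record.
ASSUMED_V6 = {"net.", "org."}  # assumption: TLD servers answer over IPv6
# zone -> {NS name: address families the parent zone hands out as glue}
DELEGATIONS = {
    "example.net.": {"ns.example.net.": {4, 6}},
    "example.org.": {"nsa.example.org.": {4}},            # IPv4-only servers
    "hosted.example.net.": {"ns1.example.org.": set()},   # out-of-zone NS, no glue
    "glued.example.net.": {"ns1.glued.example.net.": {4, 6}},
}
# Address records published inside a zone (ordinary records, not glue)
ADDRESSES = {"ns1.example.org.": {4, 6}}

def in_bailiwick(name, zone):
    """True when name lies inside zone; only such NS names can have glue."""
    return name == zone or name.endswith("." + zone)

def enclosing_zone(name, exclude=None):
    """Longest known zone containing name (optionally not the zone itself)."""
    zones = [z for z in ASSUMED_V6 | set(DELEGATIONS)
             if in_bailiwick(name, z) and z != exclude]
    return max(zones, key=len)

def aaaa_exists(zone):
    """Weak check: does any NS of the zone have an AAAA record at all?"""
    return any(6 in glue or 6 in ADDRESSES.get(ns, set())
               for ns, glue in DELEGATIONS[zone].items())

def zone_reachable_v6(zone, seen=frozenset()):
    """Strict check: can a resolver with IPv6 transport only reach the zone?"""
    if zone in ASSUMED_V6:
        return True
    if zone in seen:          # NS names that depend on each other
        return False
    seen = seen | {zone}
    if not zone_reachable_v6(enclosing_zone(zone, exclude=zone), seen):
        return False
    for ns, glue in DELEGATIONS[zone].items():
        if in_bailiwick(ns, zone):
            if 6 in glue:     # true glue: the parent supplies the AAAA
                return True
        elif (6 in ADDRESSES.get(ns, set())
              and zone_reachable_v6(enclosing_zone(ns), seen)):
            return True       # the NS name itself resolves over IPv6
    return False
```

Here `hosted.example.net.` passes the weak check because its NS name has an AAAA record, yet fails the strict one because the zone that publishes that record is served over IPv4 only.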