• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Failed to get AAAA from MX or your DOMAIN

Started by ajsphila, August 15, 2009, 09:53:17 AM

ajsphila

Hi,

When going through the reverse DNS check for the cert, I keep getting the 'Failed to get AAAA from MX or your DOMAIN' error.

What exactly is it trying to query?  I successfully got my email @lemon.ivy.net, and if I dig my reverse v6 address from various places around the internet, the delegation seems to work fine.

[ajs@lazardo ~]$ dig -x 2001:470:1f07:b:210:5aff:fea7:e8 +trace

; <<>> DiG 9.3.4-P1 <<>> -x 2001:470:1f07:b:210:5aff:fea7:e8 +trace
;; global options:  printcmd
.         3600000   IN   NS   M.ROOT-SERVERS.NET.
.         3600000   IN   NS   A.ROOT-SERVERS.NET.
.         3600000   IN   NS   B.ROOT-SERVERS.NET.
.         3600000   IN   NS   C.ROOT-SERVERS.NET.
.         3600000   IN   NS   D.ROOT-SERVERS.NET.
.         3600000   IN   NS   E.ROOT-SERVERS.NET.
.         3600000   IN   NS   F.ROOT-SERVERS.NET.
.         3600000   IN   NS   G.ROOT-SERVERS.NET.
.         3600000   IN   NS   H.ROOT-SERVERS.NET.
.         3600000   IN   NS   I.ROOT-SERVERS.NET.
.         3600000   IN   NS   J.ROOT-SERVERS.NET.
.         3600000   IN   NS   K.ROOT-SERVERS.NET.
.         3600000   IN   NS   L.ROOT-SERVERS.NET.
;; Received 228 bytes from 207.245.82.2#53(207.245.82.2) in 4 ms

ip6.arpa.      172800   IN   NS   NS-SEC.RIPE.NET.
ip6.arpa.      172800   IN   NS   NS2.LACNIC.NET.
ip6.arpa.      172800   IN   NS   TINNIE.ARIN.NET.
ip6.arpa.      172800   IN   NS   NS.ICANN.ORG.
ip6.arpa.      172800   IN   NS   SEC1.APNIC.NET.
;; Received 221 bytes from 2001:dc3::35#53(M.ROOT-SERVERS.NET) in 88 ms

0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns3.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns5.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns2.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns4.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns1.he.net.
;; Received 186 bytes from 2001:610:240:0:53::4#53(NS-SEC.RIPE.NET) in 92 ms

b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS lemon.ivy.net.
;; Received 117 bytes from 2001:470:300::2#53(ns3.he.net) in 83 ms

8.e.0.0.7.a.e.f.f.f.a.5.0.1.2.0.b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 86400   IN PTR lemon.ivy.net.
b.0.0.0.7.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 86400   IN NS lemon.ivy.net.
;; Received 175 bytes from 2001:470:1f07:b:210:5aff:fea7:e8#53(lemon.ivy.net) in 32 ms


kriteknetworks

dig your_domain MX, see if it gets an AAAA record.

dataless

I don't see an MX for lemon.ivy.net (I'm assuming you are wanting to use someone@lemon.ivy.net for the test).

The MX for ivy.net doesn't have an AAAA record, but I'm assuming that's why you were using lemon.ivy.net instead.

[root@jet ~]# dig lemon.ivy.net MX

; <<>> DiG 9.3.4-P1 <<>> lemon.ivy.net MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22225
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lemon.ivy.net.                 IN      MX

;; AUTHORITY SECTION:
ivy.net.                900     IN      SOA     castrovalva.ivy.net. carton.ivy.net. 269 2400 960 3456000 900

;; Query time: 168 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:18 2009
;; MSG SIZE  rcvd: 86

[root@jet ~]# dig ivy.net MX

; <<>> DiG 9.3.4-P1 <<>> ivy.net MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25393
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ivy.net.                       IN      MX

;; ANSWER SECTION:
ivy.net.                72000   IN      MX      10 sakima.ivy.net.

;; AUTHORITY SECTION:
ivy.net.                72000   IN      NS      ns.aculei.net.
ivy.net.                72000   IN      NS      ns-castrovalva.ivy.net.

;; ADDITIONAL SECTION:
sakima.ivy.net.         72000   IN      A       69.31.131.60

;; Query time: 130 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:45 2009
;; MSG SIZE  rcvd: 117

[root@jet ~]# dig sakima.ivy.net AAAA

; <<>> DiG 9.3.4-P1 <<>> sakima.ivy.net AAAA
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2556
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sakima.ivy.net.                        IN      AAAA

;; AUTHORITY SECTION:
ivy.net.                900     IN      SOA     castrovalva.ivy.net. carton.ivy.net. 269 2400 960 3456000 900

;; Query time: 78 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 15 21:39:51 2009
;; MSG SIZE  rcvd: 87

dstest01

Hi,

I've the same problem (or at least got the same error message), but I can't see anything wrong with my MX record.

# dig @2001:470:20::2 six.trds.de mx

; <<>> DiG 9.4.3-P3 <<>> @2001:470:20::2 six.trds.de mx
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35035
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;six.trds.de.                   IN      MX

;; ANSWER SECTION:
six.trds.de.            60      IN      MX      10 helios.six.trds.de.

;; ADDITIONAL SECTION:
helios.six.trds.de.     60      IN      AAAA    2001:470:1f0b:751::101

;; Query time: 88 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Thu Sep 10 15:54:02 2009
;; MSG SIZE  rcvd: 80


Result is the same for two other public DNS servers I tested. The only problem I could imagine is the nameserver for trds.de, which is IPv4 only (beyond my control), but as the webserver test worked fine, I'm really wondering...

Any suggestions?

maestroevolution

You need to add an 'A' record for your nameservers for that test to pass.

(I know, I know.  It's an IPv6 test, and your nameservers may be IPv6 only).

I created a pseudo-dummy A record for my nameservers, and it passed (although it did take a few clicks on the 'submit' button ... I think that HE's nameservers try IPv4 connectivity first).

Joel

joel@maestro:~$ dig @74.82.42.42 ns six.trds.de

; <<>> DiG 9.5.1-P2 <<>> @74.82.42.42 ns six.trds.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2467
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;six.trds.de.         IN   NS

;; ANSWER SECTION:
six.trds.de.      53   IN   NS   ns1.six.trds.de.

;; ADDITIONAL SECTION:
ns1.six.trds.de.   53   IN   AAAA   2001:470:1f0b:751::53

;; Query time: 61 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Fri Sep 11 13:30:43 2009
;; MSG SIZE  rcvd: 75

joel@maestro:~$ dig @74.82.42.42 a ns1.six.trds.de

; <<>> DiG 9.5.1-P2 <<>> @74.82.42.42 a ns1.six.trds.de
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.six.trds.de.      IN   A

;; Query time: 68 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Fri Sep 11 13:31:08 2009
;; MSG SIZE  rcvd: 33

joel@maestro:~$

kriteknetworks

Registrars will accept registering a name server with ipv6 only?

dstest01

Quote from: maestroevolution on September 11, 2009, 11:33:23 AM
You need to add an 'A' record for your nameservers for that test to pass.

[...]

You're right, it worked by hacking in my (non-static) IPv4 address as second nameserver. Rushed through until the sage test, but felt like cheating... ;)

maestroevolution

Quote from: dstest01 on September 12, 2009, 01:35:24 AM
Quote from: maestroevolution on September 11, 2009, 11:33:23 AM
You need to add an 'A' record for your nameservers for that test to pass.

[...]

You're right, it worked by hacking in my (non-static) IPv4 address as second nameserver. Rushed through until the sage test, but felt like cheating... ;)

I felt the same way.  Of course, I also thought it was silly that it checks for IPv4 addresses on an IPv6 test.

maestroevolution

Quote from: kriteknetworks on September 11, 2009, 01:35:59 PM
Registrars will accept registering a name server with ipv6 only?

This wasn't a registrar delegation of a domain.  This was the sub-delegation of the PTR records from HE to your DNS server.

Apparently that test defaults to using IPv4 connectivity to your DNS server.  As I never intended that server to be reachable via IPv4 (because if you want PTR records for IPv6, you should be speaking IPv6), I originally created a AAAA record for it.  For this test, if there's no 'A' record for your IPv6 DNS server, the test fails.  If there is an A record, it'll try, fail, then try a AAAA lookup, and succeed.

Kinda a quirk of the test...  I would prefer it to prefer IPv6 transport to your DNS server by querying for AAAA first... but hey, I passed.

Joel
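
The two conditions this thread arrives at (an AAAA on the MX target or the domain, and an A record on the delegated nameserver) can be checked offline against saved dig answers. This is an added example, not part of any post and not Hurricane Electric's code: the names `parse_records` and `audit` are hypothetical, the check logic is an assumption inferred from the error text and the posters' reports, and 192.0.2.53 is a constructed documentation address.

```python
# Added example, not Hurricane Electric's code. Records are copied from the dig
# answers quoted in the thread; the check logic is an assumption inferred from
# the error text and the posters' reports.
SAMPLE = """\
six.trds.de.          60     IN  MX    10 helios.six.trds.de.
helios.six.trds.de.   60     IN  AAAA  2001:470:1f0b:751::101
six.trds.de.          53     IN  NS    ns1.six.trds.de.
ns1.six.trds.de.      53     IN  AAAA  2001:470:1f0b:751::53
ivy.net.              72000  IN  MX    10 sakima.ivy.net.
sakima.ivy.net.       72000  IN  A     69.31.131.60
"""

def parse_records(text):
    """Index dig-style answer lines as {(owner, type): [rdata, ...]}."""
    zone = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks and dig comment lines
        owner, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        rdata = fields[-1]  # last field: the host for MX/NS, the address for A/AAAA
        if rtype in ("MX", "NS"):
            rdata = rdata.rstrip(".").lower()
        zone.setdefault((owner, rtype), []).append(rdata)
    return zone

def audit(zone, domain):
    """Report the two preconditions the thread identifies for `domain`."""
    domain = domain.rstrip(".").lower()
    # "AAAA from MX or your DOMAIN": use MX targets, else the domain itself.
    mail_hosts = zone.get((domain, "MX")) or [domain]
    mail_v6 = [h for h in mail_hosts if zone.get((h, "AAAA"))]
    # Quirk reported above: a nameserver with AAAA but no A fails the test.
    ns_hosts = zone.get((domain, "NS"), [])
    ns_no_a = [h for h in ns_hosts if not zone.get((h, "A"))]
    return {"mail_hosts": mail_hosts, "mail_has_aaaa": bool(mail_v6),
            "ns_without_a": ns_no_a}

if __name__ == "__main__":
    zone = parse_records(SAMPLE)
    for name in ("six.trds.de", "ivy.net"):
        print(name, audit(zone, name))
    # Constructed fix: 192.0.2.53 is a documentation address, not a real record.
    zone = parse_records(SAMPLE + "ns1.six.trds.de. 53 IN A 192.0.2.53\n")
    print("after adding A:", audit(zone, "six.trds.de"))
```

For six.trds.de the mail check passes and the AAAA-only nameserver is flagged; for ivy.net the MX target has only an A record, which matches the first diagnosis in the thread.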