• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Problem with RDNS test?

Started by maestroevolution, August 29, 2009, 09:56:09 PM


maestroevolution

All,

Is there a problem with the RDNS test, or can we get more verbose output on what it thinks is the problem?

I'm assuming it correctly remembers the domain from the mail and html tests, as there's no input for it, nor output of what it's testing.

For the tachyon6.net domain, and querying the anycast DNS server provided by HE:

netadmin@sirius:~$ dig mx tachyon6.net @2001:470:20::2 +short
10 barnard.tachyon6.net.
0 barnard.tachyon6.net.
netadmin@sirius:~$ dig aaaa barnard.tachyon6.net @2001:470:20::2 +short
2001:470:1f11:1ee:0:1:0:1919
netadmin@sirius:~$ dig -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:20::2 +short
barnard.tachyon6.net.

I looked at my firewall logs (which log both permits and denies for this), and nothing is querying my DNS server directly.

I set this up more than a week ago and finally got around to posting, so it's not a caching issue.

Thoughts?


kriteknetworks

I don't remember: does the RDNS test rely on MX?

dig aaaa @2001:470:20::2 tachyon6.net +short

returns nothing.

jimb

Works for me here:

; <<>> DiG 9.4.3-P1 <<>> -x 2001:470:1f11:1ee:0:1:0:1919
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31237
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN PTR barnard.tachyon6.net.

;; AUTHORITY SECTION:
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN NS sirius.

;; Query time: 1230 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Aug 30 07:30:39 2009
;; MSG SIZE  rcvd: 144


Here's a trace:

; <<>> DiG 9.4.3-P1 <<>> -x 2001:470:1f11:1ee:0:1:0:1919 +trace
;; global options:  printcmd
.                       420064  IN      NS      I.ROOT-SERVERS.NET.
.                       420064  IN      NS      J.ROOT-SERVERS.NET.
.                       420064  IN      NS      L.ROOT-SERVERS.NET.
.                       420064  IN      NS      G.ROOT-SERVERS.NET.
.                       420064  IN      NS      B.ROOT-SERVERS.NET.
.                       420064  IN      NS      A.ROOT-SERVERS.NET.
.                       420064  IN      NS      E.ROOT-SERVERS.NET.
.                       420064  IN      NS      F.ROOT-SERVERS.NET.
.                       420064  IN      NS      D.ROOT-SERVERS.NET.
.                       420064  IN      NS      C.ROOT-SERVERS.NET.
.                       420064  IN      NS      M.ROOT-SERVERS.NET.
.                       420064  IN      NS      H.ROOT-SERVERS.NET.
.                       420064  IN      NS      K.ROOT-SERVERS.NET.
;; Received 512 bytes from 192.168.0.3#53(192.168.0.3) in 13 ms

ip6.arpa.               172800  IN      NS      NS-SEC.RIPE.NET.
ip6.arpa.               172800  IN      NS      TINNIE.ARIN.NET.
ip6.arpa.               172800  IN      NS      NS.ICANN.ORG.
ip6.arpa.               172800  IN      NS      NS2.LACNIC.NET.
ip6.arpa.               172800  IN      NS      SEC1.APNIC.NET.
;; Received 221 bytes from 2001:503:ba3e::2:30#53(A.ROOT-SERVERS.NET) in 16 ms

0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns3.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns5.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns2.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns4.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN      NS      ns1.he.net.
;; Received 186 bytes from 2001:610:240:0:53::4#53(NS-SEC.RIPE.NET) in 161 ms

e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS sirius.tachyon6.net.
;; Received 123 bytes from 2001:470:400::2#53(ns4.he.net) in 101 ms

9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN PTR barnard.tachyon6.net.
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN NS sirius.
;; Received 144 bytes from 2001:470:1f11:1ee:0:1:0:3535#53(sirius.tachyon6.net) in 174 ms


I did notice that lame delegation on sirius though (bolded above).  This could be causing the test to fail even though it seems to ultimately resolve for me.  You need to specify a FQDN for your NS record there.

Verified here:

; <<>> DiG 9.4.3-P1 <<>> @sirius.tachyon6.net e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56390
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN NS

;; ANSWER SECTION:
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN NS sirius.

;; Query time: 180 msec
;; SERVER: 2001:470:1f11:1ee:0:1:0:3535#53(2001:470:1f11:1ee:0:1:0:3535)
;; WHEN: Sun Aug 30 07:42:46 2009
;; MSG SIZE  rcvd: 78


Too bad you have your TTL set for seven days on that NS though.  Might take HE (and everyone else) a while to time that out even after you fix that NS record.   :P

Also, an MX record has nothing to do with RDNS.
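
Added example, not part of jimb's post or of HE's test: a Python sketch that runs the two checks raised so far over dig-style record lines, flagging an NS target that is a single label (the `sirius.` record) and confirming that the mail host's AAAA address has a PTR pointing back at it. The sample records are constructed from the output in the thread, and the function names are this example's own.

```python
import ipaddress

# Constructed sample in dig's answer-line format, shaped like the output in the
# thread; the TTL on the AAAA line is invented for this example.
DIG_LINES = """\
0.7.4.0.1.0.0.2.ip6.arpa. 10800 IN NS ns4.he.net.
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS sirius.tachyon6.net.
9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN PTR barnard.tachyon6.net.
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN NS sirius.
barnard.tachyon6.net. 3600 IN AAAA 2001:470:1f11:1ee:0:1:0:1919
"""

def parse_records(text):
    """Return (owner, ttl, rtype, rdata) tuples, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner, ttl, _, rtype = fields[:4]
        records.append((owner.lower(), int(ttl), rtype, " ".join(fields[4:]).lower()))
    return records

def single_label_ns(records):
    """NS records whose target is one label only, such as 'sirius.'."""
    return [r for r in records if r[2] == "NS" and "." not in r[3].rstrip(".")]

def ptr_owner(address):
    """Reverse-zone owner name (ip6.arpa or in-addr.arpa) with trailing dot."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def forward_confirmed(host, records):
    """True if an AAAA address of host has a PTR record naming host again."""
    host = host.lower()
    for owner, _, rtype, rdata in records:
        if rtype == "AAAA" and owner == host:
            wanted = ptr_owner(rdata)
            if any(o == wanted and t == "PTR" and d == host for o, _, t, d in records):
                return True
    return False

if __name__ == "__main__":
    recs = parse_records(DIG_LINES)
    for owner, ttl, _, target in single_label_ns(recs):
        print(f"single-label NS target {target!r} at {owner} (TTL {ttl}s)")
    print("forward-confirmed:", forward_confirmed("barnard.tachyon6.net.", recs))
```

Pasting real `dig +noall +answer +authority` output into `DIG_LINES` runs the same checks on a live zone; the reported TTL shows how long a cached copy of a bad NS record can persist after the fix.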


maestroevolution

Quote from: jimb on August 30, 2009, 07:37:32 AM
Works for me here:

I did notice that lame delegation on sirius though (bolded above).  This could be causing the test to fail even though it seems to ultimately resolve for me.  You need to specify a FQDN for your NS record there.
[snip]

Too bad you have your TTL set for seven days on that NS though.  Might take HE (and everyone else) a while to time that out even after you fix that NS record.   :P
[snip]
Also, an MX record has nothing to do with RDNS.


Thanks for the input.  I'm not doing any sub-delegation from what HE delegates to me, but I'll double-check the zone files and fully qualify anything for that.

TTL was at BIND9's default... normally that would be fine, but I'll give it a shot.

I know an MX record has nothing to do with RDNS, but it *does* have everything to do with this test, as it's checking for reverse DNS for your mail server.

Thanks again,

Joel

jimb

Lame delegation wasn't the right term I guess, since you're not delegating it.  Just a bad NS record on your server.

maestroevolution

Well, I updated the NS record to be an FQDN and I see it on the primary NS server, but I still get the "Your MX does not have valid RDNS" when I check it.

joel@maestro:~$ dig mx tachyon6.net @2001:470:20::2 +short
10 barnard.tachyon6.net.
0 barnard.tachyon6.net.
joel@maestro:~$ dig aaaa barnard.tachyon6.net @2001:470:20::2 +short
2001:470:1f11:1ee:0:1:0:1919
joel@maestro:~$ dig -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:20::2 +short
barnard.tachyon6.net.
joel@maestro:~$ dig -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:20::2 +trace

; <<>> DiG 9.5.1-P2 <<>> -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:20::2 +trace
;; global options:  printcmd
.         3591667   IN   NS   d.root-servers.net.
.         3591667   IN   NS   j.root-servers.net.
.         3591667   IN   NS   f.root-servers.net.
.         3591667   IN   NS   a.root-servers.net.
.         3591667   IN   NS   m.root-servers.net.
.         3591667   IN   NS   i.root-servers.net.
.         3591667   IN   NS   g.root-servers.net.
.         3591667   IN   NS   k.root-servers.net.
.         3591667   IN   NS   e.root-servers.net.
.         3591667   IN   NS   c.root-servers.net.
.         3591667   IN   NS   h.root-servers.net.
.         3591667   IN   NS   b.root-servers.net.
.         3591667   IN   NS   l.root-servers.net.
;; Received 512 bytes from 2001:470:20::2#53(2001:470:20::2) in 108 ms

ip6.arpa.      172800   IN   NS   SEC1.APNIC.NET.
ip6.arpa.      172800   IN   NS   NS-SEC.RIPE.NET.
ip6.arpa.      172800   IN   NS   TINNIE.ARIN.NET.
ip6.arpa.      172800   IN   NS   NS.ICANN.ORG.
ip6.arpa.      172800   IN   NS   NS2.LACNIC.NET.
;; Received 221 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 167 ms

0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns2.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns1.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns5.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns4.he.net.
0.7.4.0.1.0.0.2.ip6.arpa. 10800   IN   NS   ns3.he.net.
;; Received 186 bytes from 2001:610:240:0:53::4#53(NS-SEC.RIPE.NET) in 205 ms

e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS sirius.tachyon6.net.
;; Received 123 bytes from 2001:470:400::2#53(ns4.he.net) in 127 ms

9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN PTR   barnard.tachyon6.net.
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 604800 IN NS sirius.tachyon6.net.
;; Received 173 bytes from 2001:470:1f11:1ee:0:1:0:3535#53(sirius.tachyon6.net) in 2 ms

joel@maestro:~$

However, I noticed I do get SERVFAILS from HE's ns2 server:  it can't resolve anything, and won't do recursion to validate anything.

NS2 seems to have issues, or is configured to be internal only to HE.

joel@maestro:~$ dig mx tachyon6.net @2001:470:200::2

; <<>> DiG 9.5.1-P2 <<>> mx tachyon6.net @2001:470:200::2
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39495
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tachyon6.net.         IN   MX

;; Query time: 163 msec
;; SERVER: 2001:470:200::2#53(2001:470:200::2)
;; WHEN: Mon Aug 31 00:10:51 2009
;; MSG SIZE  rcvd: 30

joel@maestro:~$ dig aaaa barnard.tachyon6.net @2001:470:200::2

; <<>> DiG 9.5.1-P2 <<>> aaaa barnard.tachyon6.net @2001:470:200::2
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4537
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;barnard.tachyon6.net.      IN   AAAA

;; Query time: 163 msec
;; SERVER: 2001:470:200::2#53(2001:470:200::2)
;; WHEN: Mon Aug 31 00:11:11 2009
;; MSG SIZE  rcvd: 38

joel@maestro:~$ dig -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:200::2

; <<>> DiG 9.5.1-P2 <<>> -x 2001:470:1f11:1ee:0:1:0:1919 @2001:470:200::2
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27730
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;9.1.9.1.0.0.0.0.1.0.0.0.0.0.0.0.e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
e.e.1.0.1.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa. 4900 IN NS sirius.tachyon6.net.

;; Query time: 165 msec
;; SERVER: 2001:470:200::2#53(2001:470:200::2)
;; WHEN: Mon Aug 31 00:11:18 2009
;; MSG SIZE  rcvd: 123

joel@maestro:~$