• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

stuck at ipv6 glue test

Started by Internex, May 16, 2010, 04:11:01 PM

Previous topic - Next topic

Internex

Hi everyone.
I am passing ipv6 certificate program , but I am stuck at IPv6 glue test , I have set the IPv6 glue record for our domain (bbvps.com) , but test is not detecting it , look at dig result :

bbvps:/var/www# dig @l.gtld-servers.net bbvps.com

; <<>> DiG 9.5.1-P3 <<>> @l.gtld-servers.net bbvps.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15954
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bbvps.com.                     IN      A

;; AUTHORITY SECTION:
bbvps.com.              172800  IN      NS      ns1.bbvps.com.
bbvps.com.              172800  IN      NS      ns2.bbvps.com.
bbvps.com.              172800  IN      NS      ns201.bbvpsdns.com.
bbvps.com.              172800  IN      NS      ns4.bbvps.com.
bbvps.com.              172800  IN      NS      ns5.bbvps.com.

;; ADDITIONAL SECTION:
ns1.bbvps.com.          172800  IN      A       216.155.151.5
ns2.bbvps.com.          172800  IN      A       174.37.196.55
ns201.bbvpsdns.com.     172800  IN      AAAA    2001:470:1f06:25a::2
ns4.bbvps.com.          172800  IN      A       204.42.254.5
ns5.bbvps.com.          172800  IN      A       195.234.42.1

;; Query time: 8 msec
;; SERVER: 192.41.162.30#53(192.41.162.30)
;; WHEN: Sun May 16 18:44:12 2010
;; MSG SIZE  rcvd: 220

as it is very obvious in additional section we have a IPv6 glue record for ns201.bbvpsdns.com
any ideas ?

Best Regards

jimb

#1
Sometimes the HE DNS servers take a bit of time to pick up changes like this, typically due to negative caching.  Wait a bit and try again.

EDIT: your ns201 server is out of baliwick for your main domain, but I don't think that matters in the test.

Internex

It is the response I received from he.net support :

---------------------------------------------------------------------------
Hi,

Thanks for your participation in our IPv6 Certification Program.

In Sage level, we check to see if your domain's authoritative NS have
IPv6 glue with their listed TLD servers.

We use the following methods to check IPv6 glue:
1. dig +trace ns $domain to get the TLD server list
2. dig aaaa $ns @TLD for the glue

I've manually checked your domain's authoritative NS and did not see
IPv6 glue with their listed TLD server.

See the following result:

:~$ dig NS www.bbvps.com +trace

; <<>> DiG 9.4.2-P2.1 <<>> NS www.bbvps.com +trace
;; global options:  printcmd
.                       54232   IN      NS      j.root-servers.net.
.                       54232   IN      NS      b.root-servers.net.
.                       54232   IN      NS      f.root-servers.net.
.                       54232   IN      NS      g.root-servers.net.
.                       54232   IN      NS      e.root-servers.net.
.                       54232   IN      NS      k.root-servers.net.
.                       54232   IN      NS      l.root-servers.net.
.                       54232   IN      NS      i.root-servers.net.
.                       54232   IN      NS      c.root-servers.net.
.                       54232   IN      NS      m.root-servers.net.
.                       54232   IN      NS      a.root-servers.net.
.                       54232   IN      NS      d.root-servers.net.
.                       54232   IN      NS      h.root-servers.net.
;; Received 497 bytes from 127.0.0.1#53(127.0.0.1) in 33 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 494 bytes from 2001:500:1::803f:235#53(h.root-servers.net)
in 67 ms

bbvps.com.              172800  IN      NS      ns1.bbvps.com.
bbvps.com.              172800  IN      NS      ns2.bbvps.com.
bbvps.com.              172800  IN      NS      ns201.bbvpsdns.com.
bbvps.com.              172800  IN      NS      ns4.bbvps.com.
bbvps.com.              172800  IN      NS      ns5.bbvps.com.
;; Received 224 bytes from 192.35.51.30#53(f.gtld-servers.net) in 14 ms

www.bbvps.com.          3600    IN      CNAME   bbvps.com.
bbvps.com.              3600    IN      NS      ns2.bbvps.com.
bbvps.com.              3600    IN      NS      ns1.bbvps.com.
bbvps.com.              3600    IN      NS      ns201.bbvpsdns.com.
bbvps.com.              3600    IN      NS      ns4.bbvps.com.
bbvps.com.              3600    IN      NS      ns5.bbvps.com.
;; Received 238 bytes from 204.42.254.5#53(ns4.bbvps.com) in 51 ms

:~$ dig NS com | grep AAAA
a.gtld-servers.net.     64204   IN      AAAA    2001:503:a83e::2:30

:~$ dig AAAA ns2.bbvps.com @2001:503:a83e::2:30 +short
<No Answer>
:~$ dig AAAA ns1.bbvps.com @2001:503:a83e::2:30 +short
<No Answer>
:~$ dig AAAA ns201.bbvpsdns.com @2001:503:a83e::2:30 +short
<No Answer>
:~$ dig AAAA ns4.bbvps.com @2001:503:a83e::2:30 +short
<No Answer>
:~$ dig AAAA ns5.bbvps.com @2001:503:a83e::2:30 +short
<No Answer>

If you have questions, please let us know.

Regards,
Tae Kim
Hurricane Electric
AS6939

--------------------------------------------------------------------

but I dont think it is the correct method to check glue records , the correct method is :

bbvps:~# dig NS bbvps.com @a.gtld-servers.net | grep AAAA
ns201.bbvpsdns.com.     172800  IN      AAAA    2001:470:1f06:25a::2

the method which he.net support has provided even doesnt work for their own domain :
bbvps:~# dig AAAA ns2.he.net @2001:503:a83e::2:30 +short
<No Answer>

the correct method is :
bbvps:~# dig NS he.net @a.gtld-servers.net | grep AAAA
ns2.he.net.             172800  IN      AAAA    2001:470:200::2
ns3.he.net.             172800  IN      AAAA    2001:470:300::2
ns4.he.net.             172800  IN      AAAA    2001:470:400::2
ns5.he.net.             172800  IN      AAAA    2001:470:500::2

and here you go , all glue records are set.

broquea

#3
We don't use the +short since that wouldn't return the additional section. I'm looking into this.

-----EDIT-----

dig AAAA ns201.bbvpsdns.com @2001:503:a83e::2:30


Returns no result in the Additional section. This is because the NS authoritative for the domain you used out of baliwick aren't on v6, and that host isn't listed as a nameserver for that out of baliwick domain.

dig AAAA ns2.he.net @2001:503:a83e::2:30


Does return results in the Additional section.

The test checks for results when querying the TLDs for each NS entry listed.

Internex

Thank you for your reply.

all these trouble comes from enom which doesnt support ipv6 glues , so I can not set ipv6 glues for ns1.bbvps.com or etc , so I had to use our another domain (bbvpsdns.com) to set the glue record for bbvps.com

The reason that "dig AAAA ns201.bbvpsdns.com @2001:503:a83e::2:30" doesn't return its glue record in additional section is that its nameservers are not in bbvpsdns.com zone , name servers are located on a different zone (answerable.com).
but this is a wrong method to check glue records , ns201.bbvpsdns.com is set as a glue record for bbvps.com , so we should query bbvps.com NS records , not ns201.bbvpsdns.com itself :

bbvps:~# dig NS bbvps.com @2001:503:a83e::2:30

; <<>> DiG 9.5.1-P3 <<>> NS bbvps.com @2001:503:a83e::2:30
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13671
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bbvps.com.                     IN      NS

;; AUTHORITY SECTION:
bbvps.com.              172800  IN      NS      ns1.bbvps.com.
bbvps.com.              172800  IN      NS      ns2.bbvps.com.
bbvps.com.              172800  IN      NS      ns201.bbvpsdns.com.
bbvps.com.              172800  IN      NS      ns4.bbvps.com.
bbvps.com.              172800  IN      NS      ns5.bbvps.com.

;; ADDITIONAL SECTION:
ns1.bbvps.com.          172800  IN      A       216.155.151.5
ns2.bbvps.com.          172800  IN      A       174.37.196.55
ns201.bbvpsdns.com.     172800  IN      AAAA    2001:470:1f06:25a::2
ns4.bbvps.com.          172800  IN      A       204.42.254.5
ns5.bbvps.com.          172800  IN      A       195.234.42.1

;; Query time: 3 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon May 17 05:57:22 2010
;; MSG SIZE  rcvd: 220

and here you go ! registrar dns server ( 2001:503:a83e::2:30 ) returned ns201.bbvpsdns.com as a glue record ( ns201.bbvpsdns.com.     172800  IN      AAAA    2001:470:1f06:25a::2 )
and thats the definition of a glue record.
I am sure all DNS experts will agree with me.

jimb

#5
Quote from: broquea on May 17, 2010, 02:32:27 AM
We don't use the +short since that wouldn't return the additional section. I'm looking into this.

-----EDIT-----

dig AAAA ns201.bbvpsdns.com @2001:503:a83e::2:30


Returns no result in the Additional section. This is because the NS authoritative for the domain you used out of baliwick aren't on v6, and that host isn't listed as a nameserver for that out of baliwick domain.
Hrm.  I'm confused.  Must the actual parent domain's name server's use v6 transport for the Sage test to succeed?  I used a domain in the .cc domain with an in baliwick name server (ns.example.cc), and as far as I can see, none of the .cc TLD name servers have IPv6 addresses, but of course do return a AAAA glue record for my name server when queried directly (over IPv4).

I was able to do sage.

EDIT:  Although, now that I think about it, I used a subdomain of my .cc domain for the tests (i.e. ipv6.example.cc), and listed a name server with a name identical to the subdomain itself as a name server for the subdomain, then included a AAAA in the parent domain for it (in example.com zone, ipv6.example.cc IN NS ipv6.example.cc. ... ipv6.example.cc IN AAAA <ipv6 address>), as well as listing a host record for the NS in the TLD.  That's probably why it worked I guess.  Because I created a 3rd NS for my .cc domain which happened to have the same name as the subdomain I was using for the tests.

If I would have created the name server inside the subdomain itself, (i.e. ns.ipv6.example.cc), and created a glue record in the parent domain (example.cc), I'm not sure if it would have still passed sage or not.  That would depend if the sage test code would query my parent domain's NS which obviously isn't a TLD NS, and been happy with getting a glue record in that result.  I'm unclear on whether the HE test insists that the glue record live on a TLD NS or not.

Internex

why there is no response from he.net ?

jimb

#7
Quote from: Internex on May 17, 2010, 03:13:57 AM
and here you go ! registrar dns server ( 2001:503:a83e::2:30 ) returned ns201.bbvpsdns.com as a glue record ( ns201.bbvpsdns.com.     172800  IN      AAAA    2001:470:1f06:25a::2 )
and thats the definition of a glue record.
I am sure all DNS experts will agree with me.
This seems to be a matter of definitions.  Since your name server is returned by the .com TLD name servers in the additional section, you say 'hey, that's an glue record for a name server in my "bbvps.com" domain!'

HE's test looks at it as a name server for your "bbvps.com" domain that is out of baliwick, and therefor doesn't count it as glue, since it's in a separate domain.  It looks for glue in that domain, and doesn't find it.  It won't be happy unless it finds a glue record for "ns201.bbvpsdns.com" on a .com TLD name server when querying for the name of a server listed as name server for "bbvpsdns.com".

So one thing you could do is make "ns201.bbvpsdns.com" a name server for the "bbvpsdns.com" domain (in addition to the answerable.com name servers), and register a host (glue) record at your registrar for it.  Then, queries for that name server's AAAA on any of the TLD's name servers should return a glue record in the "Additional" section.

I'm pretty sure that would make the sage test happy (not positive though).  :)

SS6344

hi there,

sorry for dumb questions (i thought i understood dns a decade ago, but ...)

I'm running into the very same problem. I've recently started to add ipv6 addresses to some of our services. My nameservers (ns1.netz-haut.net / ns2.netz-haut.net) are now also reachable via ipv6. I've also added the ipv6 ip's for them as AAAA records, also PTRs are set, but thits isn't the point.
The registrar's interface let me choose nameservers, so I've verifed it, but I think these records are ok, as the point to "ns1.netz-haut.net" and "ns2.netz-haut.net". As far as I understood, It's my task to add ipv6 glue for the netz-haut.net domain, but both nameservers do have ipv4 as well as ipv6 adresses, and the registrars interface only offers me names (not ip's).
Is there anything I've done wrong?

Thanks for any suggestions!

kriteknetworks

Contact your registrar, and ask them if they/how to add ipv6 IPs to the *existing* name servers you've registered. Not all registrars support this. Good luck.

snarked

ns201.bbvpsdns.com's AAAA is NOT a glue record to zone bbvps.com.  That's why the test fails.

Why is it not a glue record?  Because it's OUTSIDE the zone.
("jimb" in reply #1 is wrong - it does matter.)

snarked

RE: Reply #8 by "SS6344":  There should be another section at the registrar where you may define your name server's addresses (sometimes called "define host").  That's where you should input the IPv6 addresses for your name servers.

jimb

Quote from: snarked on May 31, 2010, 12:25:27 PM
ns201.bbvpsdns.com's AAAA is NOT a glue record to zone bbvps.com.  That's why the test fails.

Why is it not a glue record?  Because it's OUTSIDE the zone.
("jimb" in reply #1 is wrong - it does matter.)
I vaguely remembered that they allowed out of bailiwick name servers in the glue test, but perhaps not?

SS6344

Thanks for the response,

I've opened a ticket, but I assume my registrar doesn't support it... I'll see ;)