[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ipv6-wg@ripe.net] 2.0.0.2.ip6.arpa broken

To: Daniel Roesen <dr@cluenet.de>
Subject: Re: [ipv6-wg@ripe.net] 2.0.0.2.ip6.arpa broken
From: Lee Wilmot <lee@ripe.net>
Date: Tue, 17 Aug 2004 11:29:19 +0200
Cc: v6ops@ops.ietf.org, ipv6-wg@ripe.net
In-reply-to: Your message of Mon, 16 Aug 2004 20:51:11 +0200. <20040816185111.GA19433@srv01.cluenet.de>
References: <20040816185111.GA19433@srv01.cluenet.de>

Hi Daniel,

<SNIP>

 * $ dig ip6.arpa. NS @a.root-servers.net. +short
 * NS.APNIC.NET.
 * NS.ICANN.ORG.
 * NS.RIPE.NET.
 * TINNIE.ARIN.NET.
 * $ dig ip6.arpa. NS @ns.ripe.net +short
 * ns.apnic.net.
 * ns.icann.org.
 * ns-sec.ripe.net.
 * tinnie.arin.net.
 * 
 * NS RRset in zone ip6.arpa is not matching the NS RRset for ip6.arpa in
 * the root zone.

Ah, that's a glaring problem. I wondered where you had seen
ns-sec.ripe.net referenced. We asked the primary operator for ip6.arpa
to move ns.ripe.net -> ns-sec.ripe.net a while ago, apparently they
didn't notify the parent zone primary. We've sent them a reminder.

In a previous post you mentioned:

* ns.isi.edu is now authoritative again for int., but
* ns.ripe.net is still not in the delegation NS RRset within the
* root zone, albeit being listed in the NS RRset of the int. zone.

Coincidentally, a few days ago we requested that the primary operator
for int change the server ns.ripe.net -> ns-sec.ripe.net (and notify
their parent...)

 * ns.ripe.net != ns-sec.ripe.net by IP address, but still both are auth
 * for 2.0.0.2.ip6.arpa:
 * 
 * $ dig @ns.ripe.net. 2.0.0.2.ip6.arpa. SOA +norec +short
 * master.apnic.net. dns-admin.apnic.net. 2004072901 7200 1800 604800 172800
 * $ dig @ns-sec.ripe.net. 2.0.0.2.ip6.arpa. SOA +norec +short
 * master.apnic.net. dns-admin.apnic.net. 2004072901 7200 1800 604800 172800
 * 
 * So the relevance is given, no matter why ns-sec gets involved (because
 * the in-zone NS RRset overwrites the NS RRset from the roots in caches).
 * 
 * I think it would be a good idea[tm] to remove the 2.0.0.2.ip6.arpa
 * zone from ns.ripe.net and ns-sec.ripe.net if you don't intend to
 * publish the zone...

We've temporarily moved the zone to a different machine prior to
delegation so you should get NXDOMAIN going via the roots.
APNIC will update the ns-ripe.6to4.nro.net record as they are
running the primary for 6to4.nro.net.

Finally, we've notified ARIN that tinnie.arin.net is not reachable
over v6 and that it's presenting the 2.0.0.2.ip6.arpa zone due to
also running ip6.arpa.

Thanks very much for your problem reports!

Lee Wilmot
RIPE NCC

References:
- Re: [ipv6-wg@ripe.net] 2.0.0.2.ip6.arpa broken
  - From: Daniel Roesen <dr@cluenet.de>

Prev by Date: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Next by Date: Re: 12 Problems with "draft-ietf-v6ops-mech-v2-04.txt" : was RE: Reminder: clarification....
Previous by thread: Re: [ipv6-wg@ripe.net] 2.0.0.2.ip6.arpa broken
Next by thread: Re: 9/9/2004 IP6.INT Removal (Was: 9/9/2006 : ip6.int shutdown?)
Index(es):
- Date
- Thread