dig question on IPv6 NAT64 translator

Hi, we have a rejected app, possibly due to IPv6 not being well supported in our app. The page never loads and we suspect it is DNS related. It's a bug that cannot be replicated in our labs but is always present in the app review lab. Our servers are IPv4 and we would like to know if this is a potential configuration problem.


when I run


dig m.espacejeux.com AAAA +nocmd +nostats

; <<>> DiG 9.8.3-P1 <<>> m.espacejeux.com AAAA +nocmd +nostats
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43981
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m.espacejeux.com. IN AAAA

;; ANSWER SECTION:
m.espacejeux.com. 7081 IN CNAME m.lp.espacejeux.com.


I get a CNAME entry when querying for an AAAA record. Will this record make queries go to the NAT64 translator? Or is it absolutely necessary to have 0 records when querying in order to pass through the NAT64 translator?

Section 5.1.5 of RFC 6147 is pretty clear here: the DNS64/NAT64 gateway should follow a CNAME and independently resolve that name to see if it gets back an AAAA record.

I don’t know for sure whether the App Review DNS64/NAT64 gateway complies with this requirement but I suspect that I’d have heard about it if it didn’t. Regardless, you can check this in various ways:

  • change your DNS to remove the CNAME
  • change your code to use the canonical name
  • if the previous change is too much impact, add a specific test for this case to your code that shows an error that your users (including App Review) will recognise

Is lp.espacejeux.com. supposed to be a different zone from espacejeux.com.? The reason I ask is that I’m seeing some weird results there. Consider this sequence:

$ # Start at the root.
$
$ dig +norecurse @$rootns m.lp.espacejeux.com. aaaa

…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54187
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;m.lp.espacejeux.com.      IN  AAAA

;; AUTHORITY SECTION:
com.            172800  IN  NS  a.gtld-servers.net.
…
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A  192.5.6.30
…
$ # Ask .com.
$
$ dig +norecurse @192.5.6.30 m.lp.espacejeux.com. aaaa
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27303
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;m.lp.espacejeux.com.      IN  AAAA

;; AUTHORITY SECTION:
espacejeux.com.    172800  IN  NS  ns1.loto-quebec.com.
…

;; ADDITIONAL SECTION:
ns1.loto-quebec.com.    172800  IN  A  192.197.135.2
…
$ # Ask ns1.loto-quebec.com.
$
$ dig +norecurse @192.197.135.2 m.lp.espacejeux.com. aaaa
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48277
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;m.lp.espacejeux.com.      IN  AAAA

;; AUTHORITY SECTION:
lp.espacejeux.com.  10800  IN  NS  ns-lp1.loto-quebec.com.
…

;; ADDITIONAL SECTION:
ns-lp1.loto-quebec.com. 3600    IN  A  204.101.132.10
…
$ # Ask ns-lp1.loto-quebec.com.
$
$ dig +norecurse @204.101.132.10 m.lp.espacejeux.com. aaaa
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54892
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;m.lp.espacejeux.com.      IN  AAAA

;; AUTHORITY SECTION:
lp.espacejeux.com.  86400  IN  SOA lp.espacejeux.com. administrator.lp.espacejeux.com. 998545544 28800 7200 604800 86400
…

In summary, I got an authoritative no results for the AAAA for m.lp.espacejeux.com., which is what you’d expect. But look at the SOA, which indicates that lp.espacejeux.com. is a separate zone from espacejeux.com.

Now let’s check that delegation:

$ # Start at the root.
$
$ dig +norecurse @$rootns lp.espacejeux.com. ns
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60237
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; QUESTION SECTION:
;lp.espacejeux.com.    IN  NS

;; AUTHORITY SECTION:
com.            172800  IN  NS  a.gtld-servers.net.
…

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800  IN  A  192.5.6.30
…
$ # Ask .com.
$
$ dig +norecurse @192.5.6.30 lp.espacejeux.com. ns
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;lp.espacejeux.com.    IN  NS

;; AUTHORITY SECTION:
espacejeux.com.    172800  IN  NS  ns1.loto-quebec.com.
…

;; ADDITIONAL SECTION:
ns1.loto-quebec.com.    172800  IN  A  192.197.135.2
…
$ # Ask ns1.loto-quebec.com.
$
$ dig +norecurse @192.197.135.2 lp.espacejeux.com. ns
…
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 225
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;lp.espacejeux.com.    IN  NS

;; AUTHORITY SECTION:
lp.espacejeux.com.  10800  IN  NS  ns-lp1.loto-quebec.com.
…

;; ADDITIONAL SECTION:
ns-lp1.loto-quebec.com. 3600    IN  A  204.101.132.10
…
$ # Ask ns-lp1.loto-quebec.com.
$
$ dig +norecurse @204.101.132.10 lp.espacejeux.com. ns

; <<>> DiG 9.8.3-P1 <<>> +norecurse @204.101.132.10 lp.espacejeux.com. ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

So, ns1.loto-quebec.com. (204.101.132.10) gives authoritative answers for AAAA records for m.lp.espacejeux.com. but just doesn’t respond when asked for the NS record for lp.espacejeux.com.

I’m no DNS expert but that strikes me as weird.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
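
Added example, not part of the original posts: a small Python model of the RFC 6147 behaviour discussed in the answer above, where a DNS64 follows a CNAME, looks for an AAAA at the canonical name, and otherwise synthesizes one from the A record. The zone data, names, addresses, the `lookup` stand-in and the use of the well-known prefix 64:ff9b::/96 are assumptions for illustration; the App Review gateway's actual configuration is not known from this thread.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052). Assumption: a given gateway may use another.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data using documentation names and addresses.
ZONE = {
    ("app.example.com.", "CNAME"): ["app.lp.example.com."],
    ("app.lp.example.com.", "A"): ["192.0.2.33"],      # IPv4-only canonical name
    ("v6.example.com.", "AAAA"): ["2001:db8::7"],      # native IPv6 host
    ("loop.example.com.", "CNAME"): ["loop.example.com."],
}


def lookup(name, rtype):
    """Hypothetical stand-in for the upstream query; [] means no data."""
    return ZONE.get((name, rtype), [])


def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_aaaa(qname, max_chain=8):
    """Answer an AAAA query: follow CNAMEs, prefer native AAAA, else synthesize."""
    answer, name = [], qname
    for _ in range(max_chain):
        target = lookup(name, "CNAME")
        if not target:
            break
        answer.append((name, "CNAME", target[0]))
        name = target[0]
    else:
        # This sketch's choice: give up on a looping or over-long chain.
        return answer, "SERVFAIL"
    native = lookup(name, "AAAA")
    if native:
        return answer + [(name, "AAAA", a) for a in native], "NOERROR"
    # No AAAA at the canonical name: build one per A record.
    synth = [(name, "AAAA", synthesize(a)) for a in lookup(name, "A")]
    return answer + synth, "NOERROR"


if __name__ == "__main__":
    for q in ("app.example.com.", "v6.example.com.", "loop.example.com."):
        print(q, dns64_aaaa(q))
```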