New ipv6 record

Started by skn-fab2, January 21, 2011, 05:54:42 AM

skn-fab2

I am trying to create a new record containing an ipv6 address. However, the following issues manifested:
1. I specified address 3ffe.6a88.85a3.0000.1319.8a2e.0370.7343 and got the error message:

invalid character in record address -- :

2. Thus, I changed the colons into dots like 3ffe.6a88.85a3.0000.1319.8a2e.0370.7343 and got another error message:

Address for AAAA records must be a valid IP IPv6 address.

The address is a valid ipv6 address and I also tried other ones without any success. After looking into the code, it turns out the Perl Net::IP is used to validate the address. This check works fine when tested separately. Therefore, I think there is an error in validating the input field of the browser before it is passed to the Perl check.

Does anyone know how to solve this?

Kind regards,

Van Dung Ha
Triple IT
The Netherlands

skn-fab2

Eureka! We finally cracked the problem thanks to the dedication of our colleagues. It turns out that a validation check in line 333 of /var/NicToolServer/NicToolServer/Zone/Record/Sanity.pm was incomplete. We added a .\: to the check to allow NictoolServer to accept colons, like:


elsif ( $data->{address} =~ /([^a-zA-Z0-9\-\.\:])/ ) {

NB. This change is not immediately effective. It's why it took us a while to see our changes back in the web interface. You need to re-run the complete installation process.

1. perl Makefile.PL
2. make
3. make install
4. reload config in apache

P.S. Notice that we changed only the specified file to make it work. It probably is wise to update this in all the ipv6 checks throughout the Nictool project.

Good luck everyone!

Van Dung Ha
Triple IT
The Netherlands

matt

Did you test DNS queries to your server to make sure tinydns yielded the correct response?  I'm not certain that it will, since with your modification, you are inserting a : into the nictool database, which the nictool apps specifically avoid (b/c it's a reserved tinydns character). I suggest this alteration instead:


@@ -322,6 +317,11 @@ sub _valid_address_chars {
         return;
     }

+    # convert : characters in IPv6 AAAA records to char value
+    if ( $data->{'type'} eq "AAAA" && $data->{address} =~ /:/ ) {
+        $data->{address} =~ s/:/\\072/g;
+    };
+
     if ( $data->{address} =~ /\//
         && $data->{address} !~ /in-addr\.arpa\.$/i ) {
         $self->{errors}{address}++;
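
Review bot: the added s/:/\\072/g rewrites $data->{address} in place inside _valid_address_chars, so a routine that is named as a validator now changes the value that is stored and that every later check sees. After this block the address carries \072 escapes instead of colons, and the backslash is one more character that any following character or address-format check has to tolerate. Keeping the address in its colon form here and applying the tinydns-specific encoding where the data file is written would leave validation free of side effects.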


monachus

Quote from: matt on May 11, 2011, 10:18:57 PM
Did you test DNS queries to your server to make sure tinydns yielded the correct response?  I'm not certain that it will, since with your modification, you are inserting a : into the nictool database, which the nictool apps specifically avoid (b/c it's a reserved tinydns character). I suggest this alteration instead:


@@ -322,6 +317,11 @@ sub _valid_address_chars {
         return;
     }

+    # convert : characters in IPv6 AAAA records to char value
+    if ( $data->{'type'} eq "AAAA" && $data->{address} =~ /:/ ) {
+        $data->{address} =~ s/:/\\072/g;
+    };
+
     if ( $data->{address} =~ /\//
         && $data->{address} !~ /in-addr\.arpa\.$/i ) {
         $self->{errors}{address}++;
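
Review bot: in the added if, the =~ /:/ guard is redundant, because s/:/\\072/g already does nothing when the address has no colon, and the block closes with }; where a plain } is meant. The comment says "char value"; saying that \072 is the octal escape for ':' and that ':' is reserved in tinydns data would document why the conversion exists.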


This doesn't work because the colons are replaced with \\072, causing the address to fail the validity test: 
   
if ( Net::IP::ip_is_ipv6($ip) == 1 ) {


The behavior we're seeing is that it's okay to exclude the check for a colon in Sanity.pm.  The address goes into the database in proper IPv6 format, and when it's written out to the datafile, the address is zero-filled and colons are removed.  This seems to be an acceptable format for djbdns.  The output below shows the information in the db as well as the subsequent query to our ipv6 caching nameserver, including a DNS lookup for its address and the address of our ipv6 authoritative nameserver.  All of this is managed by NicTool, dnscache, and tinydns.  It appears to work fine.


mysql> select name,address from nt_zone_record where nt_zone_id=1009 and name='a.ns';
+------+-------------------+
| name | address           |
+------+-------------------+
| a.ns | 2606:c200:0:1::82 |
+------+-------------------+
1 row in set (0.00 sec)

dns-1 root # fgrep a.ns data
Zv6.arces.net:a.ns.arces.net.:hostmaster.arces.net.:2011051605:16384:2048:1048576:2560:86400::
&v6.arces.net::a.ns.arces.net.:86400::
&v6.arces.net::a.ns.v6.arces.net.:86400::
3a.ns.v6.arces.net:2606c200000000010000000000000082:86400::

Using domain server:
Name: a.cns.v6.arces.net
Address: 2606:c200:0:1::84#53
Aliases:

a.ns.v6.arces.net has IPv6 address 2606:c200:0:1::82

Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net

PGP Key: 1024D/8AADA4B8 2009-04-20
Fingerprint: E3CD 96EA DF3F B345 7ADB  FB74 31EC 9F54 8AAD A4B8
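
The data-file behaviour described in the post above (address zero-filled, colons removed), as an added example that is not part of the thread or of NicTool's code: it validates an IPv6 address and renders a line in the same layout as the "3" line shown in the data file. The function names are hypothetical, and it uses the core Socket module rather than Net::IP so that it runs without extra modules.

```perl
#!/usr/bin/perl
# Added example, not NicTool code: keep the colon form of the address as
# the stored value and derive the colon-free tinydns form only on export.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET6);

# Return the address as 32 lowercase hex digits, or nothing if it is not
# a valid IPv6 literal. The character pre-filter rejects backslash
# escapes such as \072 before the parser is consulted.
sub ipv6_to_tinydns_hex {
    my ($addr) = @_;
    return unless defined $addr && $addr =~ /\A[0-9A-Fa-f:.]+\z/;
    my $packed = inet_pton( AF_INET6, $addr );    # undef when unparsable
    return unless defined $packed;
    return unpack( 'H32', $packed );              # 16 bytes -> 32 hex digits
}

# Build a line in the layout of the data file excerpt: 3fqdn:hex:ttl::
sub aaaa_line {
    my ( $fqdn, $addr, $ttl ) = @_;

    # ':' separates fields in the data file, so the name must not contain
    # it (nor whitespace or a backslash).
    die "invalid name: $fqdn\n" if $fqdn =~ /[:\s\\]/;
    my $hex = ipv6_to_tinydns_hex($addr)
        // die "invalid IPv6 address: $addr\n";
    return sprintf '3%s:%s:%d::', $fqdn, $hex, $ttl;
}

# Sample inputs: the address from the thread, the dotted form from the
# first post, and a constructed \072-escaped form.
for my $addr (
    '2606:c200:0:1::82',
    '3ffe.6a88.85a3.0000.1319.8a2e.0370.7343',
    '2606\072c200\0720\0721\072\07282',
    )
{
    my $line = eval { aaaa_line( 'a.ns.v6.arces.net', $addr, 86400 ) };
    print defined $line ? "$line\n" : "rejected: $addr\n";
}
```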

monachus

Here's a patch to make it all nice and neat.  Those of you who are interested in applying this patch, copy the full text below to "ipv6.patch" at the top of the NicToolServer-2.08 tree and then run:


$ sudo patch < ipv6.patch



--- NicToolServer/Zone/Record/Sanity.pm.orig    2008-10-19 13:15:34.000000000 -0000
+++ NicToolServer/Zone/Record/Sanity.pm 2011-05-19 04:50:21.000000000 -0000
@@ -322,6 +322,13 @@
         return;
     }

+    my $valid_chars = "[^a-zA-Z0-9\-\.]";
+   
+    # allow a : for ipv6 addresses
+    if( $data->{'type'} eq "AAAA" ) {
+        $valid_chars = "[^a-zA-Z0-9\-\.:]";
+    }
+
     if ( $data->{address} =~ /\//
         && $data->{address} !~ /in-addr\.arpa\.$/i ) {
         $self->{errors}{address}++;
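
Review bot: both added $valid_chars assignments use double-quoted strings, where Perl drops the backslash from \- and \. before the regex engine sees them, so the class that is compiled is [^a-zA-Z0-9-.] and not the escaped form as written. It still matches the same characters, because a hyphen directly after a range is taken literally, but that depends on where the hyphen sits; single quotes or qr/[^a-zA-Z0-9\-\.:]/ would keep the pattern exactly as typed. The added line after the first assignment also carries trailing whitespace.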
@@ -330,7 +337,7 @@
             "invalid character in record address '/'.  Not allowed in non-reverse-lookup addresses"
         );
     }
-    elsif ( $data->{address} =~ /([^a-zA-Z0-9\-\.])/ ) {
+    elsif ( $data->{address} =~ /($valid_chars)/ ) {
         $self->{errors}{address}++;
         push(
             @{ $self->{'error_messages'} },
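
Review bot: on the changed elsif line the test is still only an alphabet filter, so for AAAA records it now passes any mix of letters, digits, '-', '.' and ':', including g-z, which never occur in an IPv6 literal. Either narrow the AAAA class to hex digits, ':' and '.', or make sure a real IPv6 parse runs on the same value after this branch, so that the colon allowance cannot admit a string that is not an address.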
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net

PGP Key: 1024D/8AADA4B8 2009-04-20
Fingerprint: E3CD 96EA DF3F B345 7ADB  FB74 31EC 9F54 8AAD A4B8

matt

Okay, your patch looks good Adrian, and I've committed the changes. Thanks for testing and confirming.