pay.gov and IPv6

Mark Andrews marka at isc.org
Wed Nov 16 20:23:57 UTC 2016


In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Following up on a two year old thread, one of my clients just hit this
> problem. The failure is not that www.pay.gov is not reachable over ipv6
> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> connection, but the connection then hangs waiting for the TLS handshake.
> 
> openssl s_client -connect www.pay.gov:443
> 
> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> 
> Browsers (at least firefox) see that as a very slow site, and it does
> not trigger their happy eyeballs fast failover to ipv4.

Happy eyeballs is about making the connection, not whether TCP
connections work after the initial packet exchange.

I would send a physical letter to the relevant Inspector General
requesting that they ensure all web sites under their jurisdiction
that are supposed to be reachable from the public net get audited
regularly to ensure that IPv6 connections work from public IP space.

While you are sending the letter, can you also ask why pay.gov's DNS
servers are broken?

Checking: 'pay.gov' as at 2016-11-16T20:21:28Z

pay.gov @199.169.194.28 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffc:100::7 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @199.169.192.28 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffd:100::7 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
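
An added example, not part of the original message: a per-address probe that separates the TCP connect stage (the only stage Happy Eyeballs races on) from the TLS handshake stage, so an audit can flag addresses that accept port 443 and then stall. The function names, result strings and the local `silent_listener` stand-in are assumptions made for this sketch.

```python
import socket
import ssl
import sys

def probe(addr, port, server_name, timeout=5.0):
    """Classify one address: 'tcp-fail', 'tls-hang', 'tls-error' or 'ok'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))      # stage 1: TCP three-way handshake
    except OSError:
        sock.close()
        return "tcp-fail"               # fast failover would kick in here
    ctx = ssl.create_default_context()
    try:
        # stage 2: ClientHello sent, wait for the server's TLS reply
        with ctx.wrap_socket(sock, server_hostname=server_name):
            return "ok"
    except socket.timeout:
        return "tls-hang"               # TCP accepted, TLS never answered
    except (ssl.SSLError, OSError):
        return "tls-error"
    finally:
        sock.close()

def probe_all(host, port=443, timeout=5.0):
    """Probe every A and AAAA address of host; returns {address: result}."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return {a: probe(a, port, host, timeout) for a in addrs}

def silent_listener():
    """Constructed test target: the kernel completes TCP handshakes for the
    listen backlog, but nothing ever accepts or speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    results = probe_all(sys.argv[1])
    for address, result in results.items():
        print(f"{address:40} {result}")
    # Non-zero exit if any published address fails, for use in a scheduled audit.
    sys.exit(0 if all(r == "ok" for r in results.values()) else 1)
```

Run it with a hostname as the only argument; any address reported as `tls-hang` shows the pattern described in the quoted report.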