Banks and IPv6 (was Re: Yahoo and IPv6)

Jared Mauch jared at puck.nether.net
Tue May 10 07:43:09 CDT 2011


On May 10, 2011, at 6:03 AM, Iljitsch van Beijnum wrote:

> On 9 mei 2011, at 21:40, Tony Hain wrote:
> 
>>> Publicly held corporations are responsible to their shareholders to get
>>> eyeballs on their content. *That* is their job, not promoting cool new
>>> network tech. When you have millions of users hitting your site every
>>> day losing 1/2000 is a large chunk of revenue.
> 
> Nonsense. 0.05% is well below the noise margin for anything that involves humans.

I think it will be interesting when people start to look at the results. Following the delegation of someplace like a bank that has a financial interest in

a) security (ie: modern software)
b) people reaching their site

There's a lot of IPv6 brokenness in their services.

do "dig +trace aaaa www.citibank.co.uk"

You will eventually reach their load balancer dns servers that start giving out bad referrals/authority.

www.citibank.co.uk.	3600	IN	NS	ldefdc-egsl01-7000.nsroot2.com.
www.citibank.co.uk.	3600	IN	NS	lgbrdc-egsl01-7000.nsroot1.com.
;; Received 153 bytes from 192.193.214.2#53(192.193.214.2) in 36 ms

[trimmed]
.			3600000	IN	NS	m.root-servers.net.
;; BAD REFERRAL
;; Received 500 bytes from 199.67.203.246#53(199.67.203.246) in 100 ms


When you look at the top "25" broken sites, it quickly starts to look like something interesting.  The temporary failure shows some error in the resolver library looking for an AAAA record.  If you ask a non-bind nameserver you may have better luck as they seem to have relaxed SOA tracking.

www.capitalone.com.|208.80.48.112|OK|Temporary failure in name resolution
www.priceline.com.|64.6.17.1|OK|Temporary failure in name resolution
www.kitco.com.|66.38.218.33|OK|Temporary failure in name resolution
www.dmm.co.jp.|203.209.147.15|OK|Temporary failure in name resolution
www.lg.com.|174.35.24.66,174.35.24.81|OK|Temporary failure in name resolution
www.theweathernetwork.com.|207.96.160.181|OK|Temporary failure in name resolution
www.ovguide.com.|64.94.88.21|OK|Temporary failure in name resolution
www.alipay.com.|110.75.132.21|OK|Temporary failure in name resolution
www.sznews.com.|210.21.197.161|OK|Temporary failure in name resolution
www.ryanair.com.|193.95.148.90|OK|Temporary failure in name resolution
www.kbb.com.|209.67.183.100|OK|Temporary failure in name resolution
www.royalbank.com.|142.245.1.203|OK|Temporary failure in name resolution
www.opentable.com.|66.151.130.32|OK|Temporary failure in name resolution
www.bookryanair.com.|193.95.148.91|OK|Temporary failure in name resolution
aleadpay.com.|121.14.17.41|OK|Temporary failure in name resolution
www.20minutos.es.|85.62.13.190|OK|Temporary failure in name resolution
www.nzherald.co.nz.|184.154.158.58|OK|Temporary failure in name resolution
www.rbcroyalbank.com.|142.245.1.15|OK|Temporary failure in name resolution
www.hangzhou.com.cn.|218.108.127.43|OK|Temporary failure in name resolution
www.klikbca.com.|202.6.208.8|OK|Temporary failure in name resolution
www.uk.to.|195.144.11.40|OK|Temporary failure in name resolution
www.atdmt.com.|65.203.229.39,65.242.27.40|OK|Temporary failure in name resolution
www.hc360.com.|221.233.134.141,221.233.134.143|OK|Temporary failure in name resolution
www.dmm.com.|203.209.147.53|OK|Temporary failure in name resolution
www.businesswire.com.|204.8.173.52|OK|Temporary failure in name resolution

Aside from the above, it does seem that there are a fair number of sites that have enabled IPv6 and gone without notice.

Take www.informationweek.com which (from my view) sits behind AS209 with their IPv6 space, very similar to their v4 address.

I'm optimistic that more people will 'just enable' IPv6.  Hopefully other technical websites will do it as well, perhaps anyone that matches a regex of "ars" can influence the powers that be.  If they can get people to disable adblock, maybe they can serve up some AAAA as well. :)

- Jared
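
Added example, not part of the original message: an offline classifier for the reply a delegated server gives to an AAAA query. A normal "no AAAA here" reply is NOERROR with an empty answer and an SOA in the authority section, while NS records for a name that is not below the delegated zone (such as the root NS set in the dig output above) are a bad referral. The name www.bank.example., the build() helper, the sample packets and the result labels are constructed for illustration.

```python
import struct

NS, SOA, AAAA = 2, 6, 28                      # RR type codes

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                      # bound guards against pointer loops
        n = msg[off]
        if n == 0:
            return ".".join(labels + [""]) or ".", end or off + 1
        if n & 0xC0:                          # compression pointer
            end, off = end or off + 2, ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def classify(msg, zone):
    """Classify the reply to an AAAA query sent to a server delegated `zone`."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off, auth = 12, []
    for _ in range(qd):                       # skip question: name, QTYPE, QCLASS
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        off += 10 + rdlen                     # fixed RR header plus RDATA
        if i >= an:                           # keep authority-section records only
            auth.append((owner, rtype))
    if flags & 0xF:
        return "rcode=%d" % (flags & 0xF)
    if an:
        return "answer"
    if any(t == SOA for _, t in auth):
        return "nodata"                       # NOERROR, empty answer, SOA present
    owners = [o for o, t in auth if t == NS]
    if owners and all(o.endswith("." + zone) for o in owners):
        return "referral"                     # NS owners strictly below a non-root zone
    return "bad-referral" if owners else "empty"

def build(q, rcode=0, an=(), ns=()):          # constructed sample replies, dummy RDATA
    enc = lambda s: b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"
    rr = lambda o, t: (b"\xc0\x0c" if o == q else enc(o)) + struct.pack("!HHIH", t, 1, 60, 4) + bytes(4)
    hdr = struct.pack("!6H", 1, 0x8000 | rcode, 1, len(an), len(ns), 0)
    return hdr + enc(q) + struct.pack("!HH", AAAA, 1) + b"".join(rr(o, t) for o, t in [*an, *ns])

Q = "www.bank.example."                       # hypothetical name, not captured traffic
SAMPLES = [build(Q, ns=[(Q, SOA)]), build(Q, ns=[(".", NS)] * 2), build(Q, rcode=2)]
print([classify(p, Q) for p in SAMPLES])
```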


