pay.gov and IPv6

• Previous message (by thread): pay.gov and IPv6
• Next message (by thread): pay.gov and IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I fixed it (and Netflix) by turning off IPv6 for all my users... but any
chance this is a path MTU issue causing the apparent hang?

Matthew Kaufman
On Wed, Nov 16, 2016 at 12:26 PM Mark Andrews <marka at isc.org> wrote:

>
> In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington
> writes
> :
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Following up on a two year old thread, one of my clients just hit this
> > problem. The failure is not that www.pay.gov is not reachable over ipv6
> > (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > connection, but the connection then hangs waiting for the TLS handshake.
> >
> > openssl s_client -connect www.pay.gov:443
> >
> > openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> >
> > Browsers (at least firefox) see that as a very slow site, and it does
> > not trigger their happy eyeballs fast failover to ipv4.
>
> Happy eyeballs is about making the connection not whether TCP
> connections work after the initial packet exchange.
>
> I would send a physical letter to the relevent Inspector General
> requesting that they ensure all web sites under their juristiction
> that are supposed to be reachable from the public net get audited
> regularly to ensure that IPv6 connections work from public IP space.
>
> While you are sending the letter can you also ask why pay.gov's DNS
> servers are broken.
>
> Checking: 'pay.gov' as at 2016-11-16T20:21:28Z
>
> pay.gov @199.169.194.28 (ns1.twai.gov.): edns=ok edns1=timeout edns at 512=noopt
> ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns at 512tcp=ok
> optlist=ok
> pay.gov @2605:3100:fffc:100::7 (ns1.twai.gov.): edns=ok edns1=timeout
> edns at 512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok
> edns at 512tcp=ok optlist=ok
> pay.gov @199.169.192.28 (ns2.twai.gov.): edns=ok edns1=timeout edns at 512=noopt
> ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns at 512tcp=ok
> optlist=ok
> pay.gov @2605:3100:fffd:100::7 (ns2.twai.gov.): edns=ok edns1=timeout
> edns at 512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok
> edns at 512tcp=ok optlist=ok
>
> Mark
>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.14 (GNU/Linux)
> >
> > iEYEAREKAAYFAlgrjDEACgkQL6j7milTFsG8OwCgh5yRxxZHskjL4HVhzxIEmenA
> > LQgAniRMcYf/DIcg+8ve55MxUgrUbmzC
> > =MS8j
> > -----END PGP SIGNATURE-----
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>

• Previous message (by thread): pay.gov and IPv6
• Next message (by thread): pay.gov and IPv6
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]