security.debian.org requires IPv4



The host security-cdn.debian.org, used by some packages on
security.debian.org¹, despite having an IPv6 address in the DNS, can not
actually be reached from an IPv6-only host, due to issues with DNS
hosting by Fastly, the CDN provider.  I raised this problem with Fastly,
first on IRC and then in their issue tracker, but their response is, as
you can see, "IPv4 is required and we have no plans to change this.".

Does Fastly claim IPv6-reachability to Debian in their CDN offering?

See attached correspondence.

/Teddy Hogeborn

1. For example, <http://security.debian.org/pool/updates/main/l/linux/>
   redirects to
   <http://security-cdn.debian.org/pool/updates/main/l/linux/>.

--- Begin Message ---
From #fastly:

09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not 
                reachable by IPv6-only hosts, since none of the
                nameservers of 
                fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa
                  records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting
                 text block that generates when accessing
                 https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking
                 about the ns records, not the resulting dns records. I'd need 
                 to check on this with our team, so if you could send us a 
                 ticket for tracking, that would us look into and follow up

The issue is indeed that none of the DNS nameservers for the fastly.net
domains have any AAAA records.  This makes it impossible to reach, for
instance, security-cdn.debian.org from an IPv6-only host.

/Teddy Hogeborn

--- End Message ---
--- Begin Message ---
## Please do not write below this line ##

Your request (#59274) has been received, and is being reviewed by our support staff.

To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274

Also, visit our forum at community.fastly.com. You may find your answer there.

Teddy Hogeborn

Sep 25, 3:57 AM PDT

This email is a service from Fastly. Delivered by Zendesk.
[N4GP65-X27M]

--- End Message ---
--- Begin Message ---
Your request (#59274) has been updated.

You can also add a comment by replying to this email.

Rex Osafo-Asare (Fastly)

Sep 25, 4:47 AM PDT

Hi Teddy,

Thanks for reaching out. We'll look into this for you.

Thanks,

Rex


--- End Message ---
--- Begin Message ---
Your request (#59274) has been updated.

Rex Osafo-Asare (Fastly)

Sep 26, 2:13 AM PDT

Hi Teddy,

You are correct. We have not launched IPv6 for those NS records, which means that native IPv6 clients using name servers that are not dual-stack will be unable to reach us. There is currently no ETA on when these will be added at present. With that being the case, it may be advisable for you to consider some sort of shim/transition technology that will allow you to address IPv4 hosts, as you may run into this issue again across services that leverage a CDN with a similar setup to ours.

Hope this helps?

Regards,
Rex


--- End Message ---
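
Added example, not part of the original thread: a small offline model of the failure described above, where a host name has an AAAA record but a zone on its resolution path is served only by IPv4 nameservers. The zone data is constructed; ns.debian.example. and the CNAME target are hypothetical, and it is assumed that the root, the TLDs and any glue are reachable over IPv6.

```python
# Constructed sample data, not real DNS answers. Addresses come from the
# documentation ranges; ns.debian.example. and the CNAME target are hypothetical.
ZONE_NS = {
    "debian.org.": ["ns.debian.example."],
    "fastly.net.": [f"ns{i}.fastly.net." for i in range(1, 5)],
}
RECORDS = {
    "ns.debian.example.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    # ns[1234].fastly.net: IPv4 only, as reported in the thread.
    **{f"ns{i}.fastly.net.": {"A": [f"192.0.2.{10 + i}"]} for i in range(1, 5)},
    "security-cdn.debian.org.": {"CNAME": "cdn.hypothetical.fastly.net."},
    "cdn.hypothetical.fastly.net.": {"A": ["192.0.2.80"], "AAAA": ["2001:db8::80"]},
}


def zone_of(name, zone_ns):
    """Return the longest known zone that contains `name`, or None."""
    matches = [z for z in zone_ns if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def ipv6_only_blockers(name, zone_ns=ZONE_NS, records=RECORDS, max_hops=8):
    """List the reasons an IPv6-only resolver cannot get an AAAA for `name`."""
    blockers = []
    for _ in range(max_hops):
        zone = zone_of(name, zone_ns)
        if zone is None:
            return blockers + [f"{name} is not in a known zone"]
        # The resolver must reach at least one authoritative server over IPv6.
        if not any(records.get(ns, {}).get("AAAA") for ns in zone_ns[zone]):
            blockers.append(f"{zone} has no nameserver with an AAAA record")
        rec = records.get(name, {})
        if "CNAME" not in rec:
            if not rec.get("AAAA"):
                blockers.append(f"{name} has no AAAA record")
            return blockers
        name = rec["CNAME"]  # the target may live in a differently hosted zone
    return blockers + [f"CNAME chain longer than {max_hops} hops"]


if __name__ == "__main__":
    for reason in ipv6_only_blockers("security-cdn.debian.org."):
        print(reason)
```

To audit a real mirror, replace the two dictionaries with answers collected from the live NS, CNAME and AAAA lookups.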
