The host security-cdn.debian.org, used by some packages on security.debian.org¹, despite having an IPv6 address in the DNS, can not actually be reached from an IPv6-only host, due to issues with DNS hosting by Fastly, the CDN provider. I raised this problem with Fastly, first on IRC and then in their issue tracker, but their response is, as you can see, "IPv4 is required and we have no plans to change this.". Does Fastly claim IPv6-reachability to Debian in their CDN offering? See attached correspondence. /Teddy Hogeborn 1. For example, <http://security.debian.org/pool/updates/main/l/linux/> redirects to <http://security-cdn.debian.org/pool/updates/main/l/linux/>.
--- Begin Message ---
- To: support@fastly.com
- Subject: IPv6
- From: Teddy Hogeborn <teddy@recompile.se>
- Date: Mon, 25 Sep 2017 12:57:21 +0200
- Message-id: <87lgl3avvy.fsf@recompile.se>
From #fastly: 09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not reachable by IPv6-only hosts, since none of the nameservers of fastly.net has an IPv6 address. 09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly? 10:00 < unfoo42> along with any info if you have 10:00 < unfoo42> it* 10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa records" 10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting text block that generates when accessing https://www.fastly-debug.com/? 10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking about the ns records, not the resulting dns records. I'd need to check on this with our team, so if you could send us a ticket for tracking, that would us look into and follow up The issue is indeed that none of the DNS nameservers for the fastly.net domains have any AAAA records. This makes it impossible to reach, for instance, security-cdn.debian.org from an IPv6-only host. /Teddy HogebornAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: Teddy Hogeborn <teddy@recompile.se>
- Subject: [Request received] IPv6
- From: Fastly <support@fastly.zendesk.com>
- Date: Mon, 25 Sep 2017 10:57:50 +0000
- Message-id: <N4GP65X27M_59c8e12e3b76b_aeaf3fd5d8ccb9902156a1_sprut@zendesk.com>
[N4GP65-X27M]## Please do not write below this line ##Your request (#59274) has been received, and is being reviewed by our support staff.
To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274Also, visit our forum at community.fastly.com. You may find your answer there.
Teddy Hogeborn
Sep 25, 3:57 AM PDT
Attachment(s)
signature.ascThis email is a service from Fastly. Delivered by Zendesk.
--- End Message ---
--- Begin Message ---
- To: Teddy Hogeborn <teddy@recompile.se>
- Subject: [Fastly] Re: IPv6
- From: "Rex Osafo-Asare \(Fastly\)" <support@fastly.zendesk.com>
- Date: Mon, 25 Sep 2017 11:47:47 +0000
- Message-id: <N4GP65X27M_59c8ece38cb63_ab1b3f86294cb988244290_sprut@zendesk.com>
- References: <N4GP65X27M@zendesk.com> <87lgl3avvy.fsf@recompile.se>
[N4GP65-X27M]## Please do not write below this line ##Your request (#59274) has been updated.
To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274You can also add a comment by replying to this email.
Rex Osafo-Asare (Fastly)
Sep 25, 4:47 AM PDT
Hi Teddy,
Thanks for reaching out. We'll look into this for you.
Thanks,
Rex
Teddy Hogeborn
Sep 25, 3:57 AM PDT
From #fastly:
09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not
reachable by IPv6-only hosts, since none of the
nameservers of
fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa
records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting
text block that generates when accessing
https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking
about the ns records, not the resulting dns records. I'd need
to check on this with our team, so if you could send us a
ticket for tracking, that would us look into and follow upThe issue is indeed that none of the DNS nameservers for the fastly.net
domains have any AAAA records. This makes it impossible to reach, for
instance, security-cdn.debian.org from an IPv6-only host./Teddy Hogeborn
Attachment(s)
signature.ascThis email is a service from Fastly. Delivered by Zendesk.
--- End Message ---
--- Begin Message ---
- To: Teddy Hogeborn <teddy@recompile.se>
- Subject: [Fastly] Re: IPv6
- From: "Rex Osafo-Asare \(Fastly\)" <support@fastly.zendesk.com>
- Date: Tue, 26 Sep 2017 09:13:17 +0000
- Message-id: <N4GP65X27M_59ca1a2cbeb26_312f3fd96a0cb99812746b_sprut@zendesk.com>
- References: <N4GP65X27M@zendesk.com> <87lgl3avvy.fsf@recompile.se>
[N4GP65-X27M]## Please do not write below this line ##Your request (#59274) has been updated.
To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274You can also add a comment by replying to this email.
Rex Osafo-Asare (Fastly)
Sep 26, 2:13 AM PDT
Hi Teddy,
You are correct. We have not launched IPv6 for those NS records, which means that native IPV6 clients using name servers that are not dual-stack will be unable to reach us. There is currently is no ETA on when these will be added at present. With that being the case it may be advisable for you to consider some sort of shim/transition technology that will allow you to address IPv4 hosts as you may run into this issue again across services that leverage a CDN with a similar set up to ours.
Hope this helps?
Regards,
Rex
Rex Osafo-Asare (Fastly)
Sep 25, 4:47 AM PDT
Hi Teddy,
Thanks for reaching out. We'll look into this for you.
Thanks,
Rex
Teddy Hogeborn
Sep 25, 3:57 AM PDT
From #fastly:
09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not
reachable by IPv6-only hosts, since none of the
nameservers of
fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa
records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting
text block that generates when accessing
https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking
about the ns records, not the resulting dns records. I'd need
to check on this with our team, so if you could send us a
ticket for tracking, that would us look into and follow upThe issue is indeed that none of the DNS nameservers for the fastly.net
domains have any AAAA records. This makes it impossible to reach, for
instance, security-cdn.debian.org from an IPv6-only host./Teddy Hogeborn
Attachment(s)
signature.ascThis email is a service from Fastly. Delivered by Zendesk.
--- End Message ---
Attachment:
signature.asc
Description: PGP signature
From #fastly:
09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not
reachable by IPv6-only hosts, since none of the
nameservers of
fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa
records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting
text block that generates when accessing
https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking
about the ns records, not the resulting dns records. I'd need
to check on this with our team, so if you could send us a
ticket for tracking, that would us look into and follow up
The issue is indeed that none of the DNS nameservers for the fastly.net
domains have any AAAA records. This makes it impossible to reach, for
instance, security-cdn.debian.org from an IPv6-only host.
/Teddy Hogeborn