Mailing List Archive

IPv6-misconfigurations
Hi,

I am observing sometimes very strange ipv6-misconfigurations.

The last two examples are:


www.hs-worms.de

LANG=C wget -6 www.hs-worms.de
converted 'http://www.hs-worms.de' (ANSI_X3.4-1968) ->
'http://www.hs-worms.de' (UTF-8)
--2015-09-28 15:07:07-- http://www.hs-worms.de/
Resolving www.hs-worms.de (www.hs-worms.de)... 2001:4c80:81:a000::1d
Connecting to www.hs-worms.de
(www.hs-worms.de)|2001:4c80:81:a000::1d|:80... failed: Connection timed out.
Retrying.

and

www.df.eu

LANG=C wget -6 www.df.eu
converted 'http://www.df.eu' (ANSI_X3.4-1968) -> 'http://www.df.eu' (UTF-8)
--2015-09-28 15:06:56-- http://www.df.eu/
Resolving www.df.eu (www.df.eu)... 2a00:1158:0:100::26
Connecting to www.df.eu (www.df.eu)|2a00:1158:0:100::26|:80... failed:
Connection refused.

Both examples have an AAAA-record and so my assumption also IPv6.


The webmaster of hs-worms doesn't answer.

The webmaster of df I did not ask yet - he is a "hoster" and should have
some monitoring tools.


My question: Is it right, that all these misconfigurations will fail on
ISPs using DNS64/NAT64, except the people using 464xlat additionally?


If somebody knows the responsible persons...


Regards,
Thomas Schäfer



--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706 ℻ +49/89/2180-9701
Re: IPv6-misconfigurations [ In reply to ]
On Mon, Sep 28, 2015 at 6:57 AM, Thomas Schäfer <thomas@cis.uni-muenchen.de>
wrote:

> Hi,
>
> I am observing sometimes very strange ipv6-misconfigurations.
>
> The last two examples are:
>
>
> www.hs-worms.de
>
> LANG=C wget -6 www.hs-worms.de
> converted 'http://www.hs-worms.de' (ANSI_X3.4-1968) -> '
> http://www.hs-worms.de' (UTF-8)
> --2015-09-28 15:07:07-- http://www.hs-worms.de/
> Resolving www.hs-worms.de (www.hs-worms.de)... 2001:4c80:81:a000::1d
> Connecting to www.hs-worms.de (www.hs-worms.de)|2001:4c80:81:a000::1d|:80...
> failed: Connection timed out.
> Retrying.
>
> and
>
> www.df.eu
>
> LANG=C wget -6 www.df.eu
> converted 'http://www.df.eu' (ANSI_X3.4-1968) -> 'http://www.df.eu'
> (UTF-8)
> --2015-09-28 15:06:56-- http://www.df.eu/
> Resolving www.df.eu (www.df.eu)... 2a00:1158:0:100::26
> Connecting to www.df.eu (www.df.eu)|2a00:1158:0:100::26|:80... failed:
> Connection refused.
>
> Both examples have an AAAA-record and so my assumption also IPv6.
>
>
> The webmaster of hs-worms doesn't answer.
>
> The webmaster of df I did not ask yet - he is a "hoster" and should have
> some monitoring tools.
>
>
> My question: Is it right, that all these misconfigurations will fail on
> ISPs using DNS64/NAT64, except the people using 464xlat additionally?
>
>
>
For an IPv6-only device, it will only try IPv6...there is no fall back to
IPv4.

So, the device will only ask for aaaa ever... it will never ask for "a"
record

Since a natural "AAAA" exists, the DNS64 will never send back a synthesized
"AAAA" to the IPv6 only user.

So, for IPv6-only users, they will not have any access to a site with
broken ipv6.

Generally speaking, it is better to have no IPv6 access than broken IPv6.

CB


> If somebody knows the responsible persons...
>
>
> Regards,
> Thomas Schäfer
>
>
>
> --
>
> There’s no place like ::1
>
> Thomas Schäfer (Systemverwaltung)
> Ludwig-Maximilians-Universität
> Centrum für Informations- und Sprachverarbeitung
> Oettingenstraße 67 Raum C109
> 80538 München ☎ +49/89/2180-9706 ℻ +49/89/2180-9701
>
>
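The resolver behaviour described in the reply above, modelled as an added example that is not part of the original thread: a DNS64 resolver passes a native AAAA through untouched and synthesizes one from the A record only when no AAAA exists. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 and constructed documentation addresses; the function names are hypothetical.

```python
import ipaddress

# Assumption: RFC 6052 well-known NAT64 prefix; operators may use their own /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data (documentation addresses, not the hosts from the thread).
NATIVE_AAAA = ["2001:db8::1d"]
A_RECORDS = ["192.0.2.10"]

def synthesize(a_record, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def dns64_aaaa(native_aaaa, a_records, prefix=NAT64_PREFIX):
    """Answer an AAAA query as a DNS64 resolver does by default: native AAAA
    records win, synthesis from A records happens only if there are none."""
    if native_aaaa:
        return [ipaddress.IPv6Address(r) for r in native_aaaa]
    return [synthesize(a, prefix) for a in a_records]

def v6only_client_reaches(native_aaaa, a_records, v6_service_up, v4_service_up):
    """Model an IPv6-only client: it asks for AAAA only and connects to the answer.
    A synthesized address goes through NAT64 to the IPv4 service; a native
    address goes straight to the IPv6 service."""
    for addr in dns64_aaaa(native_aaaa, a_records):
        via_nat64 = addr in NAT64_PREFIX
        if (via_nat64 and v4_service_up) or (not via_nat64 and v6_service_up):
            return True
    return False

if __name__ == "__main__":
    # Same site, IPv6 service down and IPv4 service up, with and without the AAAA.
    for label, aaaa in (("broken AAAA published", NATIVE_AAAA), ("no AAAA", [])):
        answer = [str(a) for a in dns64_aaaa(aaaa, A_RECORDS)]
        ok = v6only_client_reaches(aaaa, A_RECORDS,
                                   v6_service_up=False, v4_service_up=True)
        print(f"{label}: answer={answer} reachable={ok}")
```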
Re: IPv6-misconfigurations [ In reply to ]
> On 28 Sep 2015, at 14:17 , Ca By <cb.list6@gmail.com> wrote:
>
> Generally speaking, it is better to have no IPv6 access than broken IPv6.

Generally speaking it’s better to get these problems fixed than keep them around.
That business is no different with IPv4 or IPv6.

/bz
Re: IPv6-misconfigurations [ In reply to ]
On Mon, Sep 28, 2015 at 07:17:41AM -0700, Ca By wrote:
> On Mon, Sep 28, 2015 at 6:57 AM, Thomas Schäfer <thomas@cis.uni-muenchen.de>
> wrote:
>

> Generally speaking, it is better to have no IPv6 access than broken IPv6.
>

Famous old words.[2]

-is

[2] http://www.guug.de/veranstaltungen/ecai6-2007/slides/ecai6-2007_Souvatzis_ER_7yr_IPv6.pdf, p.28
Re: IPv6-misconfigurations [ In reply to ]
Thomas Schäfer <thomas@cis.uni-muenchen.de> writes:

> Hi,
>
> I am observing sometimes very strange ipv6-misconfigurations.

My theory: People enable IPv6 for a service, test it and when it works
forget about it. Many times they forget to monitor services and don't
notice that the service is not working anymore. Or there are different
teams for services, OS, firewalls, DNS, monitoring, and they don't talk to
each other. Or there is a new admin / manager / ... who doesn't like
IPv6.

DNSSEC is even more fun when not monitored.

- If you are running a service and not monitoring it, do you really need
this service? If you run a dual-stack service, monitor both protocols.

- Dual-stack your admin workstations so you can notice IPv6
problems.

- Talk to each other. Yes it's hard sometimes.

Jens

P.S.: If anyone needs HTTP / SMTP / DNS(SEC) monitoring for an Open
Source Project: Drop me a note. My monitoring hosts are bored.
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@quux.de | --------------- |
----------------------------------------------------------------------------
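A per-address-family probe in the spirit of the advice above to monitor both protocols of a dual-stack service, as an added example that is not part of the original thread. The `*.example` hosts, the documentation addresses and the `fake_resolve`/`fake_connect` helpers are constructed fixtures so the check runs offline; the verdict names are assumptions.

```python
import io
import socket

def probe(host, port, family, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Probe one address family: 'ok', 'no-record', 'timeout', 'refused' or 'error'."""
    try:
        infos = resolve(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-record"
    result = "no-record"
    for *_, sockaddr in infos:
        try:
            connect(sockaddr[:2], timeout).close()
            return "ok"
        except socket.timeout:           # no answer: packets silently dropped
            result = "timeout"
        except ConnectionRefusedError:   # actively rejected: nothing listening
            result = "refused"
        except OSError:                  # e.g. no route to host
            result = "error"
    return result

def dual_stack_status(host, port=80, **kw):
    """Probe IPv4 and IPv6 separately; a published but dead AAAA is its own alarm."""
    v4 = probe(host, port, socket.AF_INET, **kw)
    v6 = probe(host, port, socket.AF_INET6, **kw)
    bad = ("timeout", "refused", "error")
    verdict = ("BROKEN-AAAA" if v6 in bad else "BROKEN-A" if v4 in bad
               else "NO-RECORDS" if v4 == v6 == "no-record" else "OK")
    return {"v4": v4, "v6": v6, "verdict": verdict}

# Constructed offline fixtures (documentation addresses, not real hosts).
RECORDS = {"timeout.example": {socket.AF_INET: "192.0.2.1", socket.AF_INET6: "2001:db8::1"},
           "refused.example": {socket.AF_INET: "192.0.2.2", socket.AF_INET6: "2001:db8::2"}}
FAILS = {"2001:db8::1": socket.timeout, "2001:db8::2": ConnectionRefusedError}

def fake_resolve(host, port, family, socktype):
    if family not in RECORDS.get(host, {}):
        raise socket.gaierror("no record")
    return [(family, socktype, 6, "", (RECORDS[host][family], port))]

def fake_connect(address, timeout):
    if address[0] in FAILS:
        raise FAILS[address[0]]()
    return io.BytesIO()  # stand-in object; the caller only closes it
```

Called without the `resolve` and `connect` arguments, `dual_stack_status` uses the real resolver and TCP connect, so the same function serves as the live check.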
Re: IPv6-misconfigurations [ In reply to ]
Thanks for the answers.

In case of "df" the support was able to solve it.

In case of hs worms, I phoned the webmaster, but he says he is busy and
has higher priorities.


@Jens

You mentioned DNSSEC. A failed monitoring/unintended misconfiguration of
that is a nightmare. But this is OT here.


Regards,

Thomas






--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706 ℻ +49/89/2180-9701
Re: IPv6-misconfigurations [ In reply to ]
Thomas Schäfer <thomas@cis.uni-muenchen.de> writes:

> In case of hs worms, I phoned the webmaster, but he says he is busy and
> has higher priorities.

But if the server had an IPv4 problem it would be fixed within
minutes. :-(

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@quux.de | --------------- |
----------------------------------------------------------------------------
Re: IPv6-misconfigurations [ In reply to ]
On Tue, Sep 29, 2015 at 03:35:53PM +0200, Jens Link wrote:
> Thomas Schäfer <thomas@cis.uni-muenchen.de> writes:
>
> > In case of hs worms, I phoned the webmaster, but he says he is busy and
> > has higher priorities.
>
> But if the server had an IPv4 problem it would be fixed within
> minutes. :-(

Higher priorities to at least disable a non working AAAA record as
a temporary workaround until the v6 reachability is fixed?
Webmasters these days...

--
B.Walter <bernd@bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm.
Re: IPv6-misconfigurations [ In reply to ]
On Tue, Sep 29, 2015 at 06:38:54PM +0200, Bernd Walter wrote:
> On Tue, Sep 29, 2015 at 03:35:53PM +0200, Jens Link wrote:
> > Thomas Schäfer <thomas@cis.uni-muenchen.de> writes:
> >
> > > In case of hs worms, I phoned the webmaster, but he says he is busy and
> > > has higher priorities.
> >
> > But if the server had an IPv4 problem it would be fixed within
> > minutes. :-(
>
> Higher priorities to at least disable a non working AAAA record as
> a temporary workaround until the v6 reachability is fixed?
> Webmasters these days...

s/these days//

In the really old days, when we all were universalists, and did the
newfangled web mastering as a side dish, everything worked. Unless
a downtime was announced.

-is
Re: IPv6-misconfigurations [ In reply to ]
On Wed, Sep 30, 2015 at 12:27 AM, Ignatios Souvatzis <
ignatios@cs.uni-bonn.de> wrote:

>
> s/these days//
>
> In the really old days, when we all were universalists, and did the
> newfangled web mastering as a side dish, everything worked. Unless
> a downtime was announced.


Stop making me feel old!

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
Re: IPv6-misconfigurations [ In reply to ]
Hi folks,

Bernd Walter <ticso@cicely7.cicely.de> writes:

> Higher priorities to at least disable a non working AAAA record as
> a temporary workaround until the v6 reachability is fixed?
> Webmasters these days...

that's not really all that much of a surprise to me. Everyone knows
things tend to get rather ugly (aka. expensive aka. embarrassing) when
anything goes wrong with the DNS. Combine that with people who don't
really know what they are doing when it comes to DNS, then add a highly
sensitized management due to some previous blunder, and you'll wind up
with a change process that makes anything going even remotely near a DNS
entry a plan-three-months-in-advance job.

And I'm not even thinking about the people who actually outsource their
DNS---preferably to the lowest bidder...


Cheers,

Benedikt

--
Benedikt Stockebrand, Stepladder IT Training+Consulting
Dipl.-Inform. http://www.stepladder-it.com/

Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
RE: IPv6-misconfigurations [ In reply to ]
There are two more domains I know like that:
limelight.com
zhone.com

More examples can be found here:
http://myndighetermedipv6.se/

Frank

-----Original Message-----
From: ipv6-ops-bounces+frnkblk=iname.com@lists.cluenet.de [mailto:ipv6-ops-bounces+frnkblk=iname.com@lists.cluenet.de] On Behalf Of Bernd Walter
Sent: Tuesday, September 29, 2015 11:39 AM
To: Jens Link <lists@quux.de>
Cc: IPv6 Ops list <ipv6-ops@lists.cluenet.de>
Subject: Re: IPv6-misconfigurations

On Tue, Sep 29, 2015 at 03:35:53PM +0200, Jens Link wrote:
> Thomas Schäfer <thomas@cis.uni-muenchen.de> writes:
>
> > In case of hs worms, I phoned the webmaster, but he says he is busy and
> > has higher priorities.
>
> But if the server had an IPv4 problem it would be fixed within
> minutes. :-(

Higher priorities to at least disable a non working AAAA record as
a temporary workaround until the v6 reachability is fixed?
Webmasters these days...

--
B.Walter <bernd@bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm.