This is a no-brainer, because I know that everyone who reads this will visit the link. All I request is an off-list message stating if you could get there or not (it won't be possible to parse my weblogs for those who can't):
http://onlyv6.com
Operationally, I want to personally take a very rough inventory on the number of people who can get to the site, and who can't.
The purpose of this is so that I can gain deeper insight into troubles that the inevitable v6 only networks are going to face, and what impact will occur to an ISP that is currently thinking that v6 is not for them.
All findings will be publicly posted.
Steve
Hi, What is your method to discover who cannot connect to your webserver? Regards, Janos Mohacsi Head of HBONE+ project Network Engineer, Deputy Director of Network Planning and Projects NIIF/HUNGARNET, HUNGARY Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882 On Fri, 23 Apr 2010, Steve Bertrand wrote:
This is a no-brainer, because I know that everyone who reads this will visit the link. All I request is an off-list message stating if you could get there or not (it won't be possible to parse my weblogs for those who can't):
Operationally, I want to personally take a very rough inventory on the number of people who can get to the site, and who can't.
The purpose of this is so that I can gain deeper insight into troubles that the inevitable v6 only networks are going to face, and what impact will occur to an ISP that is currently thinking that v6 is not for them.
All findings will be publicly posted.
Steve
On 2010.04.23 03:28, Mohacsi Janos wrote:
Hi, What is your method to discover who cannot connect to your webserver?
No. It's not *who* but *why*. This is a personal research project. I'm trying to identify where breakage happens when trying to connect to an IPv6-only network. There are so many places within the Internet that this could happen, I just thought that I'd test it for myself, and then try to attract traffic to the site from across the globe so I could identify edge-cases that I hadn't thought about.
This blog post describes the basics of why most sites won't be able to traverse the IPv6 network, even if they are v6 enabled locally: http://ipv6canada.com/?p=92
I'd be glad to get into much deeper detail than this... I'm just a bit caught up at 0400 hrs est when I need to be up in two hours. Reminds me a bit of the ARIN meeting ;)
Keep the feedback coming...please.
Steve
ps. During the time I was setting up this test case, I somehow broke my email server (even though that is a completely different box), so some of my email isn't going out (from what I can tell, this might have included some that were destined for someone on the ARIN BoT. If you have seen weird gaps in conversation, this is likely why).
On 2010.04.23 03:28, Mohacsi Janos wrote:
Hi, What is your method to discover who cannot connect to your webserver?
Earlier, in haste, I mistook your "What" for 'why' the first time I read your question. My method to discover is very clear cut... either you can get to the site, or you can't. Just like when the situation happens in practice, I'll need to be notified via email (unlikely if all of my services are on v6) or phone if you can't reach the website. This is why I requested off-list feedback. Steve
On 2010.04.23 02:50, Steve Bertrand wrote:
This is a no-brainer, because I know that everyone who reads this will visit the link. All I request is an off-list message stating if you could get there or not (it won't be possible to parse my weblogs for those who can't):
Operationally, I want to personally take a very rough inventory on the number of people who can get to the site, and who can't.
The purpose of this is so that I can gain deeper insight into troubles that the inevitable v6 only networks are going to face, and what impact will occur to an ISP that is currently thinking that v6 is not for them.
Even though this is the middle of the night, I am being inundated with responses (which is fantastic by the way). Let me expand on my request quickly, and I'll post a 'why I think it's breaking for some of you' immediately after. If you could, if you have an IPv6 address, include that in your message, and if possible, your AS as well. This information will not be made public, but will help tremendously with my personal research. Thanks, Steve
On 4/23/2010 01:50, Steve Bertrand wrote:
This is a no-brainer, because I know that everyone who reads this will visit the link. All I request is an off-list message stating if you could get there or not (it won't be possible to parse my weblogs for those who can't):
Operationally, I want to personally take a very rough inventory on the number of people who can get to the site, and who can't.
The purpose of this is so that I can gain deeper insight into troubles that the inevitable v6 only networks are going to face, and what impact will occur to an ISP that is currently thinking that v6 is not for them.
All findings will be publicly posted. From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
On 4/23/2010 02:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
I should point out that I am really stupid about v6--I don't know if I should be able to find a nameserver or not.
On 2010.04.23 03:39, Larry Sheldon wrote:
On 4/23/2010 02:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
I should point out that I am really stupid about v6--I don't know if I should be able to find a nameserver or not.
Has nothing to do about being stupid... let's rephrase your statement and put a positive spin on it as such: "I've heard about IPv6, but don't know very much about it. I think that I should know more, but am a bit confused as to where to begin. What do I do first?". Then I'd say: "As a start, go to http://www.getipv6.info/index.php/Main_Page . If that doesn't get you going, then let the rest of the community start posting the resources that they know about, ranging from beginner up to the advanced.". Steve
Go get an airport express, install it get your Internet then click ipv6 enable box and that's it. Seriously! Toute connaissance est une réponse à une question On 23/04/2010, at 19:57, Steve Bertrand <steve@ibctech.ca> wrote:
On 2010.04.23 03:39, Larry Sheldon wrote:
On 4/23/2010 02:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
I should point out that I am really stupid about v6--I don't know if I should be able to find a nameserver or not.
Has nothing to do about being stupid... let's rephrase your statement and put a positive spin on it as such:
"I've heard about IPv6, but don't know very much about it. I think that I should know more, but am a bit confused as to where to begin. What do I do first?".
Then I'd say:
"As a start, go to http://www.getipv6.info/index.php/Main_Page . If that doesn't get you going, then let the rest of the community start posting the resources that they know about, ranging from beginner up to the advanced.".
Steve
On Fri, 23 Apr 2010, Matthew Ford wrote:
On 23 Apr 2010, at 09:00, Franck Martin wrote:
Go get an airport express, install it get your Internet then click ipv6 enable box and that's it. Seriously!
Hmm. Then why did I just replace my airport and my ISP to get functioning IPv6? Hint: 6to4 != IPv6.
even bridged mode broadband service != broadband service (i.e:airport express 6to4 not working on PPPoE)
Mohacsi Janos wrote:
On Fri, 23 Apr 2010, Matthew Ford wrote:
On 23 Apr 2010, at 09:00, Franck Martin wrote:
Go get an airport express, install it get your Internet then click ipv6 enable box and that's it. Seriously!
Hmm. Then why did I just replace my airport and my ISP to get functioning IPv6? Hint: 6to4 != IPv6.
even bridged mode broadband service != broadband service (i.e:airport express 6to4 not working on PPPoE)
Bleh, actually it does, and I've never been happier to have not deployed PPPoE or cpe modems in router mode than dealing with IPv6. Yeah, some of the networks I manage but don't make decisions on have breaks for IPv6 (router based modems installed, dslams that are smart and filter bad customer traffic including IPv6, etc). My main vlan per customer layout (or atm per customer depending on equipment management domain) fully bridged to customer works great with IPv6, including my house where I have a linux box which does DHCPv6-PD and despite poor options at least passes out networks. Still having large issues on transit peers, but they'll fix it eventually, or I'll eventually get circuits to someone who does. Meanwhile, the tunnel works for the limited traffic generated by DNS, a few 6to4 people (generally p2p) and my home and office. Jack
On 4/23/2010 03:00, Franck Martin wrote:
Go get an airport express, install it get your Internet then click ipv6 enable box and that's it. Seriously!
OK--I'll put that on the shopping list. (I'll also look around for something for the wired machinery as well.)
On Apr 23, 2010, at 7:43 AM, Larry Sheldon wrote:
On 4/23/2010 03:00, Franck Martin wrote:
Go get an airport express, install it get your Internet then click ipv6 enable box and that's it. Seriously!
OK--I'll put that on the shopping list. (I'll also look around for something for the wired machinery as well.)
In that case, get an Airport Extreme or Time Capsule. Owen
On Apr 23, 2010, at 12:57 AM, Steve Bertrand wrote:
On 2010.04.23 03:39, Larry Sheldon wrote:
On 4/23/2010 02:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
I should point out that I am really stupid about v6--I don't know if I should be able to find a nameserver or not.
Has nothing to do about being stupid... let's rephrase your statement and put a positive spin on it as such:
"I've heard about IPv6, but don't know very much about it. I think that I should know more, but am a bit confused as to where to begin. What do I do first?".
Then I'd say:
"As a start, go to http://www.getipv6.info/index.php/Main_Page . If that doesn't get you going, then let the rest of the community start posting the resources that they know about, ranging from beginner up to the advanced.".
Shameless plug: There's some decent IPv6 training at http://tunnelbroker.net You can also add IPv6 capabilities to your network using a tunnel from there. (Unless you're trapped in NAT hell). If you have the NAT problem, you can try http://www.sixxs.net and see if one of their solutions will get through your NAT. Owen (Full Disclosure, I work for the company (Hurricane Electric) that provides http://tunnelbroker.net )
On 4/23/2010 02:57, Steve Bertrand wrote:
On 2010.04.23 03:39, Larry Sheldon wrote:
On 4/23/2010 02:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
I should point out that I am really stupid about v6--I don't know if I should be able to find a nameserver or not.
Has nothing to do about being stupid... let's rephrase your statement and put a positive spin on it as such:
"I've heard about IPv6, but don't know very much about it. I think that I should know more, but am a bit confused as to where to begin. What do I do first?".
You are too kind. Since I no longer administer a network, I've gotten lazy about keeping up with developments. And that is stupid.
Then I'd say:
"As a start, go to http://www.getipv6.info/index.php/Main_Page . If that doesn't get you going, then let the rest of the community start posting the resources that they know about, ranging from beginner up to the advanced.".
Good and useful advice. But the message I meant to convey at 0300 in a rainy morning when I couldn't sleep was "I don't know if a Windows XP (SP3, current patches) on a Cox Cable connection _should_ be able to connect, but my machine reported that it couldn't even *find* a name-server for the site."
...
Has nothing to do about being stupid... let's rephrase your statement and put a positive spin on it as such:
"I've heard about IPv6, but don't know very much about it. I think that I should know more, but am a bit confused as to where to begin. What do I do first?".
Then I'd say:
"As a start, go to http://www.getipv6.info/index.php/Main_Page . If that doesn't get you going, then let the rest of the community start posting the resources that they know about, ranging from beginner up to the advanced.".
I'd like to add that I learned a LOT going through HE's "certification" process, using it (as apparently intended) as a tutorial. -- Pete
Steve
On 2010.04.23 03:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
Larry... let me explain why. Although you might not understand, others will, and you may remember this as something when you do use IPv6. Believe me, nobody can remember everything, and what I'm trying to achieve here is isolating easy-to-document issues. It may be above your head at this time, but my objective is to find out the rough edges, that net ops will be able to identify quickly when problems arise... much like looking for reckless filtering of ICMP on an IPv6 network.
Why you can't get a name server... because this is how the domain is configured:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
- the domain registry translates my authoritative name server names into IPv6 addresses, so:
Domain servers in listed order:
NS1.ONLYV6.COM
NS2.ONLYV6.COM
- effectively is:
ns1.onlyv6.com. 172602 IN AAAA 2607:f118:8c0:800::64
ns2.onlyv6.com. 172591 IN AAAA 2001:470:b086:1::53
- there is absolutely no way that these servers can be contacted over v4. There is no v4 A record available...anywhere.
There are two obvious causes of why you can't see me:
- you (your ISP) is not v6 enabled
- the DNS box that you use for recursion is not properly v6 connected
There is a middle ground that I've seen that I believe is as scary as not having IPv6 at all. I've been in environments where an ISP is claiming to be v6 enabled, but only have it geared up toward their clients and to the Internet. Their DNS servers (and other services) are not v6 enabled, so the access clients run into a situation eerily similar to one that I'm trying to document.
This is a personal research project, in which I want to learn about the health of connectivity, and about other situations that causes breakage that I haven't considered before. I'd be absolutely pleased to provide IPv6 learning resources, and discuss this further with you off list.
Steve
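The delegation described in the message above, modelled as an added example (not code from the thread or its participants): it parses the name server records and predicts what a v4-only, v6-only and dual-stack recursive resolver can reach. The NS lines and their TTL are constructed to match the WHOIS listing, and `ns3.example.net` / `192.0.2.53` is a hypothetical IPv4 secondary using documentation values.

```python
"""Added example: which resolvers can reach a delegation, by IP transport."""
import ipaddress

# Constructed input in zone-file form. The two AAAA lines are the ones quoted
# in the message above; the NS lines and their TTL are constructed to match
# the WHOIS listing it describes.
ONLYV6 = """
onlyv6.com.      172800 IN NS   NS1.ONLYV6.COM.
onlyv6.com.      172800 IN NS   NS2.ONLYV6.COM.
ns1.onlyv6.com.  172602 IN AAAA 2607:f118:8c0:800::64
ns2.onlyv6.com.  172591 IN AAAA 2001:470:b086:1::53
"""

# Hypothetical secondary that serves the zone over IPv4
# (documentation name and address, not a real service).
WITH_V4_SECONDARY = ONLYV6 + """
onlyv6.com.      172800 IN NS   ns3.example.net.
ns3.example.net. 172800 IN A    192.0.2.53
"""

ADDRESS_TYPES = {"A": (4, ipaddress.IPv4Address),
                 "AAAA": (6, ipaddress.IPv6Address)}


def _norm(name):
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()


def parse_records(text):
    """Parse 'name ttl IN type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        name, _ttl, _cls, rtype, rdata = fields
        records.append((_norm(name), rtype.upper(), rdata))
    return records


def nameserver_transports(records, zone):
    """Map each NS of `zone` to the set of IP versions (4, 6) it is listed on."""
    zone = _norm(zone)
    servers = {_norm(rdata): set() for name, rtype, rdata in records
               if name == zone and rtype == "NS"}
    for name, rtype, rdata in records:
        if name in servers and rtype in ADDRESS_TYPES:
            version, parser = ADDRESS_TYPES[rtype]
            parser(rdata)        # raises ValueError on a malformed or wrong-family address
            servers[name].add(version)
    return servers


def reachable_servers(servers, resolver_transports):
    """Name servers a resolver can query, given the IP versions it will use."""
    return sorted(ns for ns, versions in servers.items()
                  if versions & set(resolver_transports))


def audit(text, zone):
    """Predict the result per resolver type and list delegation findings."""
    servers = nameserver_transports(parse_records(text), zone)
    if not servers:
        raise ValueError(f"no NS records for {zone}")
    profiles = {"v4-only": {4}, "v6-only": {6}, "dual-stack": {4, 6}}
    outcome = {}
    for label, transports in profiles.items():
        usable = reachable_servers(servers, transports)
        # With no reachable authoritative server a recursive resolver has
        # nothing to ask and answers its client with SERVFAIL.
        outcome[label] = ("RESOLVABLE", usable) if usable else ("SERVFAIL", [])
    findings = [f"{ns}: no address record, cannot be queried at all"
                for ns, versions in sorted(servers.items()) if not versions]
    for version in (4, 6):
        if not any(version in v for v in servers.values()):
            findings.append(f"no name server reachable over IPv{version}")
    return outcome, findings


if __name__ == "__main__":
    for title, data in (("as described", ONLYV6),
                        ("with v4 secondary", WITH_V4_SECONDARY)):
        outcome, findings = audit(data, "onlyv6.com")
        print(title)
        for label, (status, usable) in outcome.items():
            print(f"  {label:10} {status:10} {', '.join(usable)}")
        for finding in findings:
            print(f"  finding: {finding}")
```

A resolver that has IPv6 connectivity but is configured to send queries only over IPv4 falls under the `v4-only` profile here.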
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough. Cheers, Dave Hart
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Assuming your ISP is providing your DNS. What if I, as a new start-up in the IPv4-exhausted world, want to buy pure bit-pipes from my ISP, and be responsible for *everything* further up the stack? I don't believe this is entirely uncommon. Regards, Tim.
On Fri, Apr 23, 2010 at 11:38 UTC, Tim Franklin <tim@pelican.org> wrote:
Assuming your ISP is providing your DNS. What if I, as a new start-up in the IPv4-exhausted world, want to buy pure bit-pipes from my ISP, and be responsible for *everything* further up the stack? I don't believe this is entirely uncommon.
Then you're going to either accept the hit to reachability, or you're going to use at least one third-party authoritative DNS service provider who can slave your zone over v6 and serve it over v4. puck.nether.net likely fits the bill and is free of charge. Cheers, Dave Hart
Godzilla vs. the Smog Monster ----- Original Message ---- From: Dave Hart <davehart@gmail.com> To: Tim Franklin <tim@pelican.org> Cc: NANOG <nanog@nanog.org> Sent: Fri, April 23, 2010 12:57:47 PM Subject: Re: Connectivity to an IPv6-only site On Fri, Apr 23, 2010 at 11:38 UTC, Tim Franklin <tim@pelican.org> wrote:
Assuming your ISP is providing your DNS. What if I, as a new start-up in the IPv4-exhausted world, want to buy pure bit-pipes from my ISP, and be responsible for *everything* further up the stack? I don't believe this is entirely uncommon.
Then you're going to either accept the hit to reachability, or you're going to use at least one third-party authoritative DNS service provider who can slave your zone over v6 and serve it over v4. puck.nether.net likely fits the bill and is free of charge. Cheers, Dave Hart
1- http://onlyv6.com is not resolving .....
2- why would anyone be interested in buying "bit-pipes" from you if you don't own fiber or ports in a switch?
3- why would anyone be interested in buying ip address space if they can do it from SP's themselves or apply for that ripe allocation?
4- ICIN 2009 highlighted the fact the SP#s are interested in rolling out new ethernet services - that has been happening for the past years!
5- http://www.potaroo.net/tools/ipv4/index.html shows the V4 exhaustion - the depletion of the IPv4 allocation pool has been a concern however is still in use. Understanding the v6 migration is driving the change. http://www.usipv6.com/6sense/2006/mar/pdf/UnderstandingIPv4AddressExhaustion... just seems that it follows the switchover to digital (2012) http://www.eurescom.eu/Public/Projects/P1900-series/P1952/default.asp
----- Original Message ----
From: Tim Franklin <tim@pelican.org>
To: NANOG <nanog@nanog.org>
Sent: Fri, April 23, 2010 12:38:21 PM
Subject: Re: Connectivity to an IPv6-only site
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Assuming your ISP is providing your DNS. What if I, as a new start-up in the IPv4-exhausted world, want to buy pure bit-pipes from my ISP, and be responsible for *everything* further up the stack? I don't believe this is entirely uncommon. Regards, Tim.
On Apr 23, 2010, at 5:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Not really, having your nameservers be IPv6 enabled is a reasonable thing to do.
FYI: on comcast I see SERVFAIL, meaning their recursives do not have IPv6 transport.
(I know we have that at my employer on our customer-facing recursives).
; <<>> DiG 9.6.0-APPLE-P2 <<>> any www.onlyv6.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54773
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.onlyv6.com. IN ANY
;; Query time: 1605 msec
;; SERVER: 68.87.72.130#53(68.87.72.130)
;; WHEN: Fri Apr 23 08:41:08 2010
;; MSG SIZE rcvd: 32
On Apr 23, 2010, at 8:42 AM, Jared Mauch wrote:
On Apr 23, 2010, at 5:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Not really, having your nameservers be IPv6 enabled is a reasonable thing to do.
But (particularly in an enterprise environment) less important than getting the end-user machines IPv6 enabled. At least I haven't been convinced otherwise yet... yes, it's reasonable, but at least in my situation it'll probably be after all user facing segments are done. Also, so far, all IPv6 content whitelisting has been done on the IPv4 address of nameservers... so really, no rush.
FYI: on comcast I see SERVFAIL, meaning their recursives do not have IPv6 transport.
(I know we have that at my employer on our customer-facing recursives).
; <<>> DiG 9.6.0-APPLE-P2 <<>> any www.onlyv6.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54773
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.onlyv6.com. IN ANY
;; Query time: 1605 msec
;; SERVER: 68.87.72.130#53(68.87.72.130)
;; WHEN: Fri Apr 23 08:41:08 2010
;; MSG SIZE rcvd: 32
On 4/23/2010 05:42, Jared Mauch wrote:
On Apr 23, 2010, at 5:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Not really, having your nameservers be IPv6 enabled is a reasonable thing to do.
FYI: on comcast I see SERVFAIL, meaning their recursives do not have IPv6 transport.
(I know we have that at my employer on our customer-facing recursives).
; <<>> DiG 9.6.0-APPLE-P2 <<>> any www.onlyv6.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54773
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.onlyv6.com. IN ANY
;; Query time: 1605 msec
;; SERVER: 68.87.72.130#53(68.87.72.130)
;; WHEN: Fri Apr 23 08:41:08 2010
;; MSG SIZE rcvd: 32
You'll see a lot of this. I've done my own little tests on a few friends' systems, and on public wifi, etc, establishing some sort of IPv6 connectivity, and trying to resolve a subdomain of mine with an IPv6 only DNS server. Many ISP recursive NS don't have IPv6 transport yet, so they choke getting to my NS.
FYI - Comcast has dual stacked enabled recursive name servers, see the following web site: http://dns.comcast.net/dns-ip-addresses3.php John On 4/23/10 8:42 AM, "Jared Mauch" <jared@puck.nether.net> wrote:
On Apr 23, 2010, at 5:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Not really, having your nameservers be IPv6 enabled is a reasonable thing to do.
FYI: on comcast I see SERVFAIL, meaning their recursives do not have IPv6 transport.
(I know we have that at my employer on our customer-facing recursives).
; <<>> DiG 9.6.0-APPLE-P2 <<>> any www.onlyv6.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54773
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.onlyv6.com. IN ANY
;; Query time: 1605 msec
;; SERVER: 68.87.72.130#53(68.87.72.130)
;; WHEN: Fri Apr 23 08:41:08 2010
;; MSG SIZE rcvd: 32
========================================= John Jason Brzozowski Comcast Cable e) mailto:john_brzozowski@cable.comcast.com o) 609-377-6594 m) 484-962-0060 w) http://www.comcast6.net =========================================
On Apr 23, 2010, at 2:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Cheers, Dave Hart
It is likely a bit far from immediate future reality, but, I think it is a worthwhile exercise. Bottom line, if your ISP's resolvers cannot issue queries over IPv6, that is a problem that is relatively easy for them to solve. It is worth putting pressure on your ISP to solve that problem. Owen
On Fri, 23 Apr 2010 06:34:43 PDT, Owen DeLong said:
Bottom line, if your ISP's resolvers cannot issue queries over IPv6, that is a problem that is relatively easy for them to solve. It is worth putting pressure on your ISP to solve that problem.
Ours are currently intentionally configured to not issue queries over IPv6, because at one time, there were *so many* sites that listed unreachable quad-A NS records. Our DNS guy is more than willing to revisit that config switch. Anybody have some statistics on what the current situation is?
In message <5598.1272031635@localhost>, Valdis.Kletnieks@vt.edu writes:
On Fri, 23 Apr 2010 06:34:43 PDT, Owen DeLong said:
Bottom line, if your ISP's resolvers cannot issue queries over IPv6, that is a problem that is relatively easy for them to solve. It is worth putting pressure on your ISP to solve that problem.
Ours are currently intentionally configured to not issue queries over IPv6, because at one time, there were *so many* sites that listed unreachable quad- A NS records. Our DNS guy is more than willing to revisit that config switch.
Anybody have some statistics on what the current situation is?
Given I've been running dual stack nameservers for the last 7 years and never noticed any real problems I expect his problems are actually closer to home. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Apr 23, 2010, at 12:45 PM, Mark Andrews wrote:
Given I've been running dual stack nameservers for the last 7 years and never noticed any real problems I expect his problems are actually closer to home.
Mark
I mirror this experience, I've not seen any issues having the nameservers dual-stacked. - Jared
On 4/23/10 10:47 AM, Jared Mauch wrote:
On Apr 23, 2010, at 12:45 PM, Mark Andrews wrote:
Given I've been running dual stack nameservers for the last 7 years and never noticed any real problems I expect his problems are actually closer to home.
Mark
I mirror this experience, I've not seen any issues having the nameservers dual-stacked.
- Jared
Don't quite remember when I started going dual stack on the server side of things, I think it was back in 2006 or 2007. I even have AHBL queries coming in over IPv6 now - of course they are for IPv4 hosts, but that's not the point. :-) What's even more interesting, is that on my primary name server, people are sending ICMP echos to my IPv6 address on a fairly consistent basis, making me wonder if someone's using it for testing purposes. If so, makes me happy :) -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Sat, 24 Apr 2010 02:45:05 +1000, Mark Andrews said:
Given I've been running dual stack nameservers for the last 7 years and never noticed any real problems I expect his problems are actually closer to home.
No, the problems are probably further back in time. We first started turning up IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a decade ago (or whenever people *first* started listing quad-A's in NS entries) due to breakage and never actually revisited it since then. This would have been in the era of early 6bone and "your IPv6 connection is probably tromboned through Tokyo".
In a message written on Fri, Apr 23, 2010 at 01:08:30PM -0400, Valdis.Kletnieks@vt.edu wrote:
No, the problems are probably further back in time. We first started turning up IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a decade ago (or whenever people *first* started listing quad-A's in NS entries) due to breakage and never actually revisited it since then. This would have been in the era of early 6bone and "your IPv6 connection is probably tromboned through Tokyo".
Back in that era there was a very real problem of islands. That is, a group would set up IPv6 internally but never connect to the "Internet" (however you want to define that). So they got a AAAA and blackholed trying to reach it.
When you look at the content providers (Yahoo and Google tend to speak about this) they are very concerned about this problem as end users can make themselves islands fairly easily (an island of your house, for instance).
While the numbers are troubling for them, they are actually really good news. Depending on whose number you believe and when somewhere between 0.01% and 0.5% of end users are on unconnected islands. Now, when you serve a billion page views a day, dropping 0.5% is a huge concern; but it actually means the island problem has gotten really small.
More importantly, those are end users who are islands. Someone whose airport is misconfigured making them appear to have IPv6 when they do not. Most of these folks don't run recursive name servers. While I don't know of any hard data, I would expect the number of nameservers in islands to be at least one, and perhaps two or three orders of magnitude less.
So, in the context of publishing AAAA's for your nameservers, I think things are extremely safe at this point. If the recursive box on the other end has IPv6 at all and tries to use the AAAA there is a very good chance it will have working IPv6.
In the context of publishing AAAA's for your services (e.g. WWW), you need to look at the Google and Yahoo stats network wide, look at your own user base, and determine what level of breakage is acceptable. Keep in mind that IPv4 doesn't always work, so 0% is an unachievable goal. :)
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
----- Original Message -----
From: "Leo Bicknell" <bicknell@ufp.org> To: "NANOG" <nanog@nanog.org> Sent: Saturday, 24 April, 2010 7:33:21 AM Subject: Re: Connectivity to an IPv6-only site
In a message written on Fri, Apr 23, 2010 at 01:08:30PM -0400, Valdis.Kletnieks@vt.edu wrote:
No, the problems are probably further back in time. We first started turning up IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a decade ago (or whenever people *first* started listing quad-A's in NS entries) due to breakage and never actually revisited it since then. This would have been in the era of early 6bone and "your IPv6 connection is probably tromboned through Tokyo".
Back in that era there was a very real problem of islands. That is, a group would set up IPv6 internally but never connect to the "Internet" (however you want to define that). So they got a AAAA and blackholed trying to reach it.
When you look at the content providers (Yahoo and Google tend to speak about this) they are very concerned about this problem as end users can make themselves islands fairly easily (an island of your house, for instance).
While the numbers are troubling for them, they are actually really good news. Depending on whose number you believe and when, somewhere between 0.01% and 0.5% of end users are on unconnected islands. Now, when you serve a billion page views a day, dropping 0.5% is a huge concern; but it actually means the island problem has gotten really small.
More importantly, those are end users who are islands. Someone whose airport is misconfigured, making them appear to have IPv6 when they do not. Most of these folks don't run recursive name servers. While I don't know of any hard data, I would expect the number of nameservers in islands to be at least one, and perhaps two or three orders of magnitude less.
So, in the context of publishing AAAA's for your nameservers, I think things are extremely safe at this point. If the recursive box on the other end has IPv6 at all and tries to use the AAAA there is a very good chance it will have working IPv6.
In the context of publishing AAAA's for your services (e.g. WWW), you need to look at the Google and Yahoo stats network wide, look at your own user base, and determine what level of breakage is acceptable. Keep in mind that IPv4 doesn't always work, so 0% is an unachievable goal. :)
Well, Google will not serve you an AAAA record if you are not registered with them. This is to avoid all the issues above. Once you are registered, expect a lot of IPv6 traffic!
Valdis.Kletnieks@vt.edu wrote:
No, the problems are probably further back in time. We first started turning up IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a decade ago (or whenever people *first* started listing quad-A's in NS entries) due to breakage and never actually revisited it since then. This would have been in the era of early 6bone and "your IPv6 connection is probably tromboned through Tokyo".
I periodically see issues with idiotic load balancers that don't respond to anything except A records for specific domains. This causes problems when requesting AAAA records and delays waiting for timeouts before going to A. newegg fixed theirs though, yipeee! :) Jack
On 24 Apr 2010 16:15, Jack Bates wrote:
Valdis.Kletnieks@vt.edu wrote:
No, the problems are probably further back in time. We first started turning up IPv6 back in 1997 or so. There's a *very* good chance that we turned it off a decade ago (or whenever people *first* started listing quad-A's in NS entries) due to breakage and never actually revisited it since then. This would have been in the era of early 6bone and "your IPv6 connection is probably tromboned through Tokyo".
I periodically see issues with idiotic load balancers that don't respond to anything except A records for specific domains. This causes problems when requesting AAAA records and delays waiting for timeouts before going to A. newegg fixed theirs though, yipeee! :)
Don't forget the hotspot vendor that returns an address of 0.0.0.1 for every A query if you have previously done an AAAA query for the same name (and timed out). That's a fun one. S -- Stephen Sprunk CCIE #3723 K5SSS "God does not play dice." --Albert Einstein "God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
On Mon, Apr 26, 2010 at 10:34 AM, Stephen Sprunk <stephen@sprunk.org> wrote:
Don't forget the hotspot vendor that returns an address of 0.0.0.1 for every A query if you have previously done an AAAA query for the same name (and timed out). That's a fun one.
so... aside from the every 3 months bitching on this list (and some on v6ops maybe) about these sorts of things, what's happening to tell/educate/warn/notice the hotspot-vendors that this sort of practice (along with 'everything is at 1.1.1.1!') is just a bad plan? How can users, even more advanced users, tell a hotspot vendor in a meaningful way that their 'solution' is broken? -chris
In message <g2v75cb24521004260807z1ea1a3a0vaa05e5e4ef3268a4@mail.gmail.com>, Christopher Morrow writes:
On Mon, Apr 26, 2010 at 10:34 AM, Stephen Sprunk <stephen@sprunk.org> wrote:
Don't forget the hotspot vendor that returns an address of 0.0.0.1 for every A query if you have previously done an AAAA query for the same name (and timed out). That's a fun one.
so... aside from the every 3 months bitching on this list (and some on v6ops maybe) about these sorts of things, what's happening to tell/educate/warn/notice the hotspot-vendors that this sort of practice (along with 'everything is at 1.1.1.1!') is just a bad plan? How can users, even more advanced users, tell a hotspot vendor in a meaningful way that their 'solution' is broken?
-chris
I periodically try to get the name of vendor and product identification about load balancer vendors that return broken DNS responses. This is after pointing out that the load balancer is broken and saying why I want it (to inform the vendor / warn others not to purchase a broken product). Invariably the administrator is too paranoid to supply the information. The best one can hope for is to have the operator contact their supplier. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 2010-04-26, at 11:07, Christopher Morrow wrote:
On Mon, Apr 26, 2010 at 10:34 AM, Stephen Sprunk <stephen@sprunk.org> wrote:
Don't forget the hotspot vendor that returns an address of 0.0.0.1 for every A query if you have previously done an AAAA query for the same name (and timed out). That's a fun one.
so... aside from the every 3 months bitching on this list (and some on v6ops maybe) about these sorts of things, what's happening to tell/educate/warn/notice the hotspot-vendors that this sort of practice (along with 'everything is at 1.1.1.1!') is just a bad plan? How can users, even more advanced users, tell a hotspot vendor in a meaningful way that their 'solution' is broken?
It seems like a good step in the right direction would be to determine an approach that makes sense and to document it. Such an approach which made minimal exotic demands of client or hotspot (or back-end) systems might seem attractive to hotspot operators if it seemed likely to minimise support costs, or reduce development costs through re-use of free software components, or something. Does such an approach exist? Is it documented? Joe
On 4/26/2010 8:07 AM, Christopher Morrow wrote:
On Mon, Apr 26, 2010 at 10:34 AM, Stephen Sprunk<stephen@sprunk.org> wrote:
Don't forget the hotspot vendor that returns an address of 0.0.0.1 for every A query if you have previously done an AAAA query for the same name (and timed out). That's a fun one.
so... aside from the every 3 months bitching on this list (and some on v6ops maybe) about these sorts of things, what's happening to tell/educate/warn/notice the hotspot-vendors that this sort of practice (along with 'everything is at 1.1.1.1!') is just a bad plan? How can users, even more advanced users, tell a hotspot vendor in a meaningful way that their 'solution' is broken?
Years ago I talked to a startup's funders about the fact that they had made a design decision to build hardcoded unassigned /8s into a captive portal and mobility gateway. We didn't buy their product, they changed it, company folded. The most meaningful thing one can do is vote with your wallet.
-chris
Valdis.Kletnieks@vt.edu writes:
Ours are currently intentionally configured to not issue queries over IPv6, because at one time, there were *so many* sites that listed unreachable quad-A NS records. Our DNS guy is more than willing to revisit that config switch.
Anybody have some statistics on what the current situation is?
I just dredged a list of 570 one, two, and three-dot domains from a mailing list (a bunch of recent messages on debian-user). Digging them gave 919 unique nameserver domain names, and digging those gave 119 AAAA addresses. Of these, 106 responded to a DNS query (for the nameserver's own AAAA address) in some fashion, and 13 didn't. Of the 13, 5 were cogentco.com DNS servers and unreachable over my HE tunnel thanks to ongoing peering disputes. In all cases, the nameservers with AAAA addresses had A addresses as well. (I got similar results with a list of domains taken from recent NANOG postings, but then decided to look at the debian-user results in case NANOG was unrepresentative.) Anyway, it looks like bad IPv6 nameserver addresses are the exception rather than the rule. Whether to flip on IPv6 queries will sort of depend on how your resolvers behave when they receive a typical "bad" response with 2 broken IPv6 addresses and 2 working IPv4 addresses. -- Kevin <buhr+nanog@asaurus.net>
On Apr 24, 2010, at 6:02 PM, Kevin Buhr wrote:
Valdis.Kletnieks@vt.edu writes:
Ours are currently intentionally configured to not issue queries over IPv6, because at one time, there were *so many* sites that listed unreachable quad-A NS records. Our DNS guy is more than willing to revisit that config switch.
Anybody have some statistics on what the current situation is?
I just dredged a list of 570 one, two, and three-dot domains from a mailing list (a bunch of recent messages on debian-user). Digging them gave 919 unique nameserver domain names, and digging those gave 119 AAAA addresses. Of these, 106 responded to a DNS query (for the nameserver's own AAAA address) in some fashion, and 13 didn't.
Of the 13, 5 were cogentco.com DNS servers and unreachable over my HE tunnel thanks to ongoing peering disputes.
Yeah, sorry about that, we really are trying to resolve this. We're here, we'll peer. It'd be nice if Cogent would, too. We really have done everything we can think of to get Cogent to peer. We even baked them a really nice cake. If you are a Cogent customer, feel free to ask them why they won't peer IPv6 with HE.
In all cases, the nameservers with AAAA addresses had A addresses as well.
Owen
On 4/23/2010 04:49, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand <steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Wuulllll, wait a minute. I didn't get the notion that he was testing to see if a real-world configuration would work. Most engineering and science projects don't test the real world (less so now than in times past, and I don't mean global warming). It looks like he has designed an experiment to test a narrow range of conditions that look to be useful for piecing together what the larger (and largely un-testable) picture might look like. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
On 4/23/10 3:49 AM, Dave Hart wrote:
On Fri, Apr 23, 2010 at 08:26 UTC, Steve Bertrand<steve@ibctech.ca> wrote:
- in WHOIS, I have ns1 and ns2.onlyv6.com listed as the authoritative name servers
- both of these servers *only* have IPv6 addresses
Which seems a bit far afield from reality to me. Yes, there are lots of folks with IPv6 connectivity and v4-only recursive DNS servers. I don't think ISPs will have problems setting aside a handful of IPv4 addresses for authoritative DNS infrastructure to work around this until v6 transport in recursive DNS servers is common enough.
Dave, I think part of the point of this is to discover gotchas with our current infrastructure. For example, while diagnosing why I couldn't get onlyv6.com to resolve on one of my name servers but the others worked fine, I discovered that PowerDNS Recursor won't use an IPv6 address for outgoing queries unless you actually give it: query-local-address6= One of my name servers had it, the other didn't, hence I was getting failures on one and success on the other. It's little config issues like that that can crop up weeks/months/years later and make life difficult. Now that I'm a Xen shop, I design domUs to last years at a time rather than rebuilding them constantly. Being able to shunt stable and reliable domU hosts to new dom0 machines when they come up is a great thing, and makes my life a lot easier. :) -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 4/23/2010 03:26, Steve Bertrand wrote:
On 2010.04.23 03:35, Larry Sheldon wrote:
From my PC at home (Cox in Omaha) I can't even get a nameserver that knows the site.
Larry... let me explain why. Although you might not understand, others will, and you may remember this as something when you do use IPv6.
Believe me, nobody can remember everything, and what I'm trying to achieve here is isolating easy-to-document issues.
It may be above your head at this time, but my objective is to find out the rough edges, that net ops will be able to identify quickly when problems arise... much like looking for reckless filtering of ICMP on an IPv6 network.
It actually all makes sense (not to be confused with "I have a deep and abiding understanding now").
Why you can't get a name server... because this is how the domain is configured:
I started to whine about the "misleading" error message I got, but when I did it again to copy it I see that it was a mix of not-understanding and of thinking I did:
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Owner>tracert onlyv6.com Unable to resolve target system name onlyv6.com.
C:\Documents and Settings\Owner>
That doesn't say "Unable to locate a nameserver" which I would have bet it said. I'll go away quietly now. Thanks for the explanation. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
On 23/04/2010, at 6:26 PM, Steve Bertrand wrote:
This is a personal research project, in which I want to learn about the health of connectivity, and about other situations that causes breakage that I haven't considered before.
A very fine objective in my opinion. There are a few similar exercises underway -- the outputs from a similar set of IPv6 connectivity tests I've been doing are at http://www.potaroo.net/stats/1x1/ (yes, you can click on the graphs on that page to get larger images) (and yes, visiting this URL will run the tests of V6 DNS, V6 dual stack preference and capability to retrieve a V6 only object on your browser client) A discussion of the topic of IPv6 measurement work can be found at http://labs.ripe.net/node/ipv6-measurements Geoff
On 2010.04.23 02:50, Steve Bertrand wrote:
...email me with your v6 addr/AS whether you can/can't get to that site. I want to thank everyone thus far for all of the feedback. I've received at least four dozen off list replies, and expect many more after the actual North American people wake up. This is, after all, an ops group, so I did expect a somewhat high success rate, but without counting, so far it's about 60%. I'd like to see at least 300 hits. I'm off today to be concerned about something other than being close to email, so I'll just hopefully have lots to read when I get back. The most productive part of this project so far, has been that I've suckered in three people that mailed me privately out of the ARIN lists that I believe are now convinced that v6 is the right way to proceed, and one or two more who emailed on-list ;) One network at a time. Thanks all, Steve
On 23 Apr 2010, at 07:50, Steve Bertrand wrote:
It's a shame there is not a pair of images on this site - one originated from a v4 only box, one a v6 only box. The img src= could point to the image with a query string that was an automatically incrementing counter. Then you could have demonstrated statistics about v4 only, v6 only, and dual stack visitors. Alas, it looks like a neat bit of research in any case, hope it helps some folk debug their v6 into a working state too. Andy
On Apr 23, 2010, at 5:30 AM, Andy Davidson wrote:
On 23 Apr 2010, at 07:50, Steve Bertrand wrote:
It's a shame there is not a pair of images on this site - one originated from a v4 only box, one a v6 only box. The img src= could point to the image with a query string that was an automatically incrementing counter. Then you could have demonstrated statistics about v4 only, v6 only, and dual stack visitors. Alas, it looks like a neat bit of research in any case, hope it helps some folk debug their v6 into a working state too.
Andy
There are already sites conducting that experiment. This site is conducting a different experiment. Owen
It's a shame there is not a pair of images on this site - one originated from a v4 only box, one a v6 only box. The img src= could point to the
I've been working on something in this direction this past week, that is primarily for user facing debugging purposes (versus for a content provider). http://test-ipv6.com will tell the user what to expect, after having them try a combination of image fetches (ipv4, ipv6, dual stack, ipv4 literal, ipv6 literal). It does each set of images 2-3 times (minimum is 2; a third pass is done if they go quick enough) and gets the "best" time of each type of fetch. Based on the successes and failures, and the times, it tries to give a straight-English explanation to the end user on what the future internet might look for them, based on their *current* internet service / OS / browser. Lastly, it posts the results back to my server, along with the user agent string, in case there are any trends that can be learned. On my todo list is to have it detect the case where the user timed out trying to reach the IPv6 and dual stack names; and ask the user for more details (ie, netstat -nr and ifconfig/ipconfig). Feedback welcome, preferably off-list. If there's a desire for me to summarize, or anything earth shattering, I'll followup on-list. I'm especially interested in people who've allowed utorrent to enable ipv6 to send me their results. :)
On 23/04/2010 07:50, Steve Bertrand wrote:
This is a no-brainer, because I know that everyone who reads this will visit the link. All I request is an off-list message stating if you could get there or not (it won't be possible to parse my weblogs for those who can't):
Works here.. I'd expect anyone with ipv6 connectivity should have no issues. The issues tend to be with dual stack sites where the ipv6 connectivity is broken but the client has (for some reason) picked up a default route... it takes several seconds for the v6 connect to fall back the site appears 'slow' to some users. I also setup an ipv6 only email address (tmh@goipv6.org.uk) primarily to see if it got any spam :p Nothing yet.. Tony
On 2010.04.23 02:50, Steve Bertrand wrote:
All findings will be publicly posted.
I'm currently evaluating my options to best automate some of the findings that I've got so far (I didn't ask for a common format for replies, so most will be manual). However, an interesting item that I've noted thus far, is that ~50% of all successful connections do not have rDNS. Originally, I thought that the majority of these simply didn't have their delegated reverse zones on v6-reachable DNS servers, but this is not necessarily so. I copied the web log onto a dual-stack box and re-ran the DNS tests, and only two of the non-resolvable ip6.arpa addresses resolved over v4. fwiw, for those who have been asking, inbound SMTP is now working, and I've got a basic IMAP/POP3 daemon running. If you still want a test account, let me know. steve@onlyv6.com Thanks everyone for all of the support. Cheers, Steve
participants (29)
- Andy Davidson
- Brielle Bruns
- Christopher Morrow
- Dave Hart
- Franck Martin
- Geoff Huston
- isabel dias
- Jack Bates
- Jared Mauch
- Jason Fesler
- Jim Burwell
- Joe Abley
- joel jaeggli
- John Jason Brzozowski
- John Payne
- Kevin Buhr
- Larry Sheldon
- Leo Bicknell
- Mark Andrews
- Matthew Ford
- Mohacsi Janos
- Owen DeLong
- Pete Carah
- Stephen Sprunk
- Steve Bertrand
- Steve Bertrand
- Tim Franklin
- Tony Hoyle
- Valdis.Kletnieks@vt.edu