Re: pay.gov and IPv6

[Mark Andrews <marka () isc org>]

In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw () mail gmail com>
, Lee writes:
> On 11/16/16, Mark Andrews <marka () isc org> wrote:
> > In message <1479249003.3937.6.camel () ns five-ten-sg com>, Carl Byington
> > writes
> > :
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > Following up on a two year old thread, one of my clients just hit this
> > > problem. The failure is not that www.pay.gov is not reachable over ipv6
> > > (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > > connection, but the connection then hangs waiting for the TLS handshake.
> > >
> > > openssl s_client -connect www.pay.gov:443
> > >
> > > openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> > >
> > > Browsers (at least firefox) see that as a very slow site, and it does
> > > not trigger their happy eyeballs fast failover to ipv4.
> >
> > Happy eyeballs is about making the connection not whether TCP
> > connections work after the initial packet exchange.
> >
> > I would send a physical letter to the relevent Inspector General
> > requesting that they ensure all web sites under their juristiction
> > that are supposed to be reachable from the public net get audited
> > regularly to ensure that IPv6 connections work from public IP space.
>
> That will absolutely work.
>
> NIST is still monitoring ipv6 .gov sites
>   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov

Which show green which means that the tests they are doing are not
sufficient.  They need to test from behind a 1280 mtu link.

The DNSSEC testing is also insufficient.  9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails.  QWEST you have been informed of this already.

Why the hell should validating resolver have to work around the
crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
servers.  You get PAID to do DNS because people think you are
compentent to do the job.  Evidence shows otherwise.

https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
servers for .gov.  It isn't hard to check.

> so the IG isn't going to do anything there & pay.gov has a contact us page
>   https://pay.gov/public/home/contact
> that I'd bet works much better than a letter to the IG

You have to be able to get to https://pay.gov/public/home/contact to use
it.  Most people don't have the skill set to force the use of IPv4.

If it is production it should work.  It is the I-G's role to ensure this
happens.  Butts need to kicked.

Mark
 
> Regards,
> Lee
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org