• security.debian.org requires IPv4

    From Teddy Hogeborn@21:1/5 to bjorn@mork.no on Thu Sep 28 16:30:01 2017
    Bjørn Mork <bjorn@mork.no> writes:

    > Teddy Hogeborn <teddy@recompile.se> writes:
    >
    >> The host security-cdn.debian.org, used by some packages on
    >> security.debian.org¹, despite having an IPv6 address in the DNS,
    >> cannot actually be reached from an IPv6-only host, due to issues
    >> with DNS hosting by Fastly, the CDN provider. I raised this problem
    >> with Fastly, first on IRC and then in their issue tracker, but their
    >> response is, as you can see, "IPv4 is required and we have no plans
    >> to change this."
    >
    > security-cdn.debian.org is reachable from an IPv6-only host as long as
    > that host has access to a dual-stacked resolver. All real-world hosts
    > will have access to such a resolver. IPv6-only resolvers are not
    > useful on the current Internet, and will only exist as lab
    > experiments.
    >
    > Sure, it would be nice if all DNS zones were hosted on both IPv6 and
    > IPv4 name servers. But this is not critical for IPv6 deployment, and
    > IMHO never will be. Keeping dual-stacked DNS caching resolvers around
    > for as long as the transition will last, is not a problem.

    DNSSEC does not have any security between the resolver and client; the
    only reasonable response is to run the resolver locally. On an
    IPv6-only host, this will result in an IPv6-only resolver.

    /Teddy Hogeborn


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
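    The failure mode argued over in this thread (a name that has an AAAA
    record but lives in a zone whose name servers are IPv4-only) can be
    made concrete with a small model of the delegation walk. The following
    is an added example written for this page, not code from either poster,
    from Debian or from Fastly: all zone data is constructed, and the CDN
    zone, its name servers and the CNAME target are hypothetical stand-ins
    for the real delegation. It reports, for an IPv4-only, an IPv6-only and
    a dual-stack resolver, which zone cut (if any) the resolver cannot
    query on the way to the answer.

```python
"""Model of why a name can be unreachable for an IPv6-only resolver even
though the name itself has an AAAA record: every zone cut on the path
from the root (and across any CNAME) must have at least one name server
the resolver can talk to over a transport it has.

Added example for this page; not code from the thread, Debian or Fastly.
All zone data below is constructed, and the CDN-side names are
hypothetical stand-ins for the real delegation.
"""

from typing import Dict, List, Set

IPV4_ONLY: Set[str] = {"A"}
IPV6_ONLY: Set[str] = {"AAAA"}
DUAL_STACK: Set[str] = {"A", "AAAA"}

# Zone apex -> authoritative name servers (constructed, hypothetical).
ZONE_NS: Dict[str, List[str]] = {
    ".":                ["a.root.example."],
    "org.":             ["ns.org.example."],
    "net.":             ["ns.net.example."],
    "debian.org.":      ["dns1.debian.example.", "dns2.debian.example."],
    "example-cdn.net.": ["ns1.example-cdn.net.", "ns2.example-cdn.net."],
}

# Name server host -> address record types it has (constructed).
# The CDN zone is served only by IPv4-only name servers, which is the
# situation the thread describes.
NS_ADDR: Dict[str, Set[str]] = {
    "a.root.example.":      {"A", "AAAA"},
    "ns.org.example.":      {"A", "AAAA"},
    "ns.net.example.":      {"A", "AAAA"},
    "dns1.debian.example.": {"A", "AAAA"},
    "dns2.debian.example.": {"A"},
    "ns1.example-cdn.net.": {"A"},
    "ns2.example-cdn.net.": {"A"},
}

# CNAME into the CDN zone (the target name is hypothetical).
CNAME: Dict[str, str] = {
    "security-cdn.debian.org.": "security.cdn.example-cdn.net.",
}


def zone_cuts(name: str) -> List[str]:
    """Zones in ZONE_NS that enclose `name`, ordered root first.

    A resolver walking the delegation from the root has to query each of
    these zones' name servers before it can reach the final answer.
    """
    labels = name.rstrip(".").split(".") if name != "." else []
    cuts: List[str] = []
    for i in range(len(labels) + 1):
        zone = ".".join(labels[i:]) + "." if labels[i:] else "."
        if zone in ZONE_NS:
            cuts.append(zone)
    cuts.reverse()
    return cuts


def zone_reachable(zone: str, families: Set[str]) -> bool:
    """True if at least one NS of `zone` has an address of a family the
    resolver can use as transport (glue for the NS hosts is assumed)."""
    return any(NS_ADDR.get(ns, set()) & families for ns in ZONE_NS[zone])


def blocking_zones(name: str, families: Set[str]) -> List[str]:
    """Zone cuts on the path to `name` (following CNAMEs) whose name
    servers are all unreachable with the given transport families.
    An empty list means the name resolves for that resolver."""
    blocked: List[str] = []
    seen: Set[str] = set()
    while name not in seen:          # guard against CNAME loops
        seen.add(name)
        for zone in zone_cuts(name):
            if zone not in blocked and not zone_reachable(zone, families):
                blocked.append(zone)
        if name not in CNAME:
            break
        name = CNAME[name]
    return blocked


def resolvable(name: str, families: Set[str]) -> bool:
    return not blocking_zones(name, families)


if __name__ == "__main__":
    target = "security-cdn.debian.org."
    for label, fams in (("IPv4-only", IPV4_ONLY),
                        ("IPv6-only", IPV6_ONLY),
                        ("dual-stack", DUAL_STACK)):
        blocked = blocking_zones(target, fams)
        status = "resolves" if not blocked else f"blocked at {blocked}"
        print(f"{label:>10} resolver: {target} {status}")
```

    With the constructed data the IPv6-only resolver gets through the root,
    org. and debian.org. cuts and is stopped at the CDN zone, while the
    IPv4-only and dual-stack resolvers resolve the name. A local validating
    resolver that forwards every query to a dual-stack cache (the setup
    Bjørn recommends below) is, for the purposes of this model, a
    DUAL_STACK resolver: the transport to the authoritative servers is the
    cache's, and DNSSEC validation of the returned records is unaffected by
    that extra hop. The model deliberately leaves out resolving the name
    server hosts themselves (glue is assumed) and any per-server
    timeouts.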
  • From Bjørn Mork@21:1/5 to Teddy Hogeborn on Thu Sep 28 16:50:02 2017
    Teddy Hogeborn <teddy@recompile.se> writes:

    > The host security-cdn.debian.org, used by some packages on
    > security.debian.org¹, despite having an IPv6 address in the DNS,
    > cannot actually be reached from an IPv6-only host, due to issues with
    > DNS hosting by Fastly, the CDN provider. I raised this problem with
    > Fastly, first on IRC and then in their issue tracker, but their
    > response is, as you can see, "IPv4 is required and we have no plans
    > to change this."

    security-cdn.debian.org is reachable from an IPv6-only host as long as
    that host has access to a dual-stacked resolver. All real-world hosts
    will have access to such a resolver. IPv6-only resolvers are not useful
    on the current Internet, and will only exist as lab experiments.

    Sure, it would be nice if all DNS zones were hosted on both IPv6 and
    IPv4 name servers. But this is not critical for IPv6 deployment, and
    IMHO never will be. Keeping dual-stacked DNS caching resolvers around
    for as long as the transition will last, is not a problem.


    Bjørn

  • From Bjørn Mork@21:1/5 to Teddy Hogeborn on Thu Sep 28 17:10:02 2017
    Teddy Hogeborn <teddy@recompile.se> writes:

    > DNSSEC does not have any security between the resolver and client; the
    > only reasonable response is to run the resolver locally. On an
    > IPv6-only host, this will result in an IPv6-only resolver.

    I don't necessarily agree with your conclusion. The security depends on
    the level of trust you have in the network between the client and the
    resolver. "Locally" does not necessarily imply "on the same host",
    although I do see that it might.

    In any case, even if we assume that you have to run a resolver on the
    IPv6-only host, this resolver can (and *should*, IMHO) forward queries
    to another caching resolver. Doing DNSSEC validation is not affected by
    the depth of the cache hierarchy.

    Running resolvers querying authoritative servers directly on every host
    on the Internet would be insane. It will not scale. DNSSEC does not
    require this, and never has. Please don't make such assumptions.


    Bjørn
