The host security-cdn.debian.org, used by some packages on security.debian.org¹, despite having an IPv6 address in the DNS, cannot actually be reached from an IPv6-only host, due to issues with DNS hosting by Fastly, the CDN provider. I raised this problem with Fastly, first on IRC and then in their issue tracker, but their response is, as you can see, "IPv4 is required and we have no plans to change this."

Does Fastly claim IPv6-reachability to Debian in their CDN offering?

See attached correspondence.

/Teddy Hogeborn

1. For example, <http://security.debian.org/pool/updates/main/l/linux/> redirects to <http://security-cdn.debian.org/pool/updates/main/l/linux/>.

--- Begin Message ---
From #fastly:

09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not reachable by IPv6-only hosts, since none of the nameservers of fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting text block that generates when accessing https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking about the ns records, not the resulting dns records. I'd need to check on this with our team, so if you could send us a ticket for tracking, that would us look into and follow up

The issue is indeed that none of the DNS nameservers for the fastly.net domains have any AAAA records. This makes it impossible to reach, for instance, security-cdn.debian.org from an IPv6-only host.

/Teddy Hogeborn
--- End Message ---
--- Begin Message ---
## Please do not write below this line ##

Your request (#59274) has been received, and is being reviewed by our support staff.

To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274

Also, visit our forum at community.fastly.com. You may find your answer there.

----------------------------------------------

Teddy Hogeborn, Sep 25, 3:57 AM PDT

From #fastly:

09:29 < TeddyH> security-cdn.debian.org is hosted by fastly, but is not reachable by IPv6-only hosts, since none of the nameservers of fastly.net has an IPv6 address.
09:59 < unfoo42> hey TeddyH, could you send us an email at support@fastly?
10:00 < unfoo42> along with any info if you have
10:00 < unfoo42> it*
10:04 < jcristau> aiui the info is just "ns[1234].fastly.net have no aaaa records"
10:06 < unfoo42> jcristau: interesting, would you be able to send the resulting text block that generates when accessing https://www.fastly-debug.com/?
10:10 < unfoo42> Oh I think I misunderstood, you were specifically talking about the ns records, not the resulting dns records. I'd need to check on this with our team, so if you could send us a ticket for tracking, that would us look into and follow up

The issue is indeed that none of the DNS nameservers for the fastly.net domains have any AAAA records. This makes it impossible to reach, for instance, security-cdn.debian.org from an IPv6-only host.

/Teddy Hogeborn

Attachment(s):
signature.asc - https://fastly.zendesk.com/attachments/token/PBoA6UmsY6dTOF8QAYogJb6BT/?name=signature.asc

--------------------------------
This email is a service from Fastly.
[N4GP65-X27M]
--- End Message ---
--- Begin Message ---
## Please do not write below this line ##

Your request (#59274) has been updated.

To review the status of the request and add additional comments, follow the link below:
http://fastly.zendesk.com/hc/requests/59274

You can also add a comment by replying to this email.

----------------------------------------------

Rex Osafo-Asare, Sep 25, 4:47 AM PDT

Hi Teddy,

Thanks for reaching out. We'll look into this for you.

Thanks,
Rex
--- End Message ---
--- Begin Message ---
Your request (#59274) has been updated.

----------------------------------------------

Rex Osafo-Asare, Sep 26, 2:13 AM PDT

Hi Teddy,

You are correct. We have not launched IPv6 for those NS records, which means that native IPv6 clients using name servers that are not dual-stack will be unable to reach us. There is currently no ETA on when these will be added at present.

With that being the case it may be advisable for you to consider some sort of shim/transition technology that will allow you to address IPv4 hosts as you may run into this issue again across services that leverage a CDN with a similar setup to ours.

Hope this helps?

Regards,
Rex
--- End Message ---
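
The failure described in this thread, as an added example that is not part of the original correspondence: a small model of an iterative resolver that follows the CNAME chain and checks whether every zone on the way has at least one nameserver reachable over the chosen address family. All records, the addresses (documentation prefixes) and the CNAME target are constructed sample data, not real DNS answers; glue for the listed nameservers is assumed to be known.

```python
# Constructed sample data: zone -> nameserver hostnames.
NS = {
    "debian.org.": ["ns.debian.org."],                 # hypothetical NS name
    "fastly.net.": ["ns1.fastly.net.", "ns2.fastly.net.",
                    "ns3.fastly.net.", "ns4.fastly.net."],
}
# Constructed sample data: nameserver hostname -> address records by type.
ADDR = {
    "ns.debian.org.": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    "ns1.fastly.net.": {"A": ["192.0.2.51"], "AAAA": []},
    "ns2.fastly.net.": {"A": ["192.0.2.52"], "AAAA": []},
    "ns3.fastly.net.": {"A": ["192.0.2.53"], "AAAA": []},
    "ns4.fastly.net.": {"A": ["192.0.2.54"], "AAAA": []},
}
# Constructed sample data: the CNAME target below is a hypothetical name.
CNAME = {"security-cdn.debian.org.": "hypothetical-target.fastly.net."}


def enclosing_zone(name, ns=NS):
    """Return the longest known zone that is a label-aligned suffix of name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in ns:
            return zone
    return None


def unreachable_zones(name, rrtype="AAAA", ns=NS, addr=ADDR, cname=CNAME):
    """Zones on the resolution path of name that a resolver limited to
    rrtype ("AAAA" = IPv6-only, "A" = IPv4-only) cannot query."""
    blockers, seen = [], set()
    while name and name not in seen:        # seen guards against CNAME loops
        seen.add(name)
        zone = enclosing_zone(name, ns)
        if zone is None:
            blockers.append(name)           # no delegation data for this name
        elif not any(addr.get(h, {}).get(rrtype) for h in ns[zone]):
            blockers.append(zone)           # no nameserver usable over rrtype
        name = cname.get(name)
    return blockers


if __name__ == "__main__":
    print("IPv6-only blockers:", unreachable_zones("security-cdn.debian.org."))
    print("IPv4-only blockers:", unreachable_zones("security-cdn.debian.org.", "A"))
```

The AAAA record of the final host never comes into play: resolution stops at the first zone whose nameservers all lack an address in the client's family.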