Hello Benoit,

I have just tested the Migros Banking App on Android on a WiFi network
with an IPv4-only address. The DNS resolver is validating and has an
IPv4 and IPv6 address to resolve names.

If I start the App on my smartphone it resolves the following domain names:
secure.migrosbank.ch. A
mid.mbmid.ch. A

Both work without a problem and the App starts successfully. I also
checked the domain names and nameservers. I don't see any problems
except for the small issue with the additional authoritative nameserver
(ns1.datacenter-migros.ch.) which should not cause any problems.

So maybe it's a local device or network problem of your customer and not
of your infrastructure.

Daniel, SWITCH

On 09.08.16 13:47, Benoit Panizzon wrote:
> Hello
> 
> One customer contacted us, because the Migros Banking App does not work
> from within our network and asked me to contact the Migros NOC to find
> out what we should change to make it work.
> 
> From the Migros NOC I got the feedback that this is an issue they
> observed with customers whose ISPs have IPv6-enabled DNS servers. They
> recommend that either the ISP disables IPv6 on the nameservers, or that
> the customer uses a different ISP, for example via a mobile phone
> hotspot, to use their banking app.
> 
> Apparently UPC Cablecom is another ISP with the same issue, and Cablecom
> is able to resolve the issue by disabling IPv6 for the affected
> customers.
> 
> I am a bit puzzled. I first suspected a DNSSEC issue as our servers do
> validate DNSSEC. But this does not seem to be the case.
> 
> I can resolve the hostnames without any problems via our DNS Servers.
> 
> Our DNS servers are IPv6-enabled. When another DNS server has an
> IPv6 address, they will prefer IPv6.
> But our customer does not get an IPv6 address. So his local resolver
> only knows the IPv4 address of our DNS servers. The Migros DNS
> servers do not publish an IPv6 address. So how is IPv6 involved in this
> issue?
> 
> The domain in question, mbmid.ch, is:
> 
> mbmid.ch.               241     IN      NS      ns1.datacenter-migros.ch.
> mbmid.ch.               241     IN      NS      migze104.migros.ch.
> mbmid.ch.               241     IN      NS      migze100.migros.ch.
> 
> ns1.datacenter-migros.ch. 146   IN      A       164.14.130.66
> migze100.migros.ch.     3222    IN      A       146.67.146.20
> migze104.migros.ch.     3222    IN      A       193.8.177.201
> 
> They are not DNSSEC Signed.
> 
> The only issue I found is that ns1.datacenter-migros.ch is not
> published in the registrar glue record, but this also would not lead to
> a failure to resolve the hostname.
> 
> Has anyone else come across that issue and could give me a hint where
> to further investigate?
> 
> -Benoît Panizzon-
> 

