massive-dynamics-staff team mailing list archive

Thread
Date
[Bug 241305] Re: security.ubuntu.com not accessible in IPv6 (AAAA record missing in the DNS)

To: massive-dynamics-staff@xxxxxxxxxxxxxxxxxxx
From: Ryan Rawdon <ryan@xxxxxxx>
Date: Thu, 11 Oct 2012 01:28:01 -0000
Reply-to: Bug 241305 <241305@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Now that Ubuntu supports network installs over IPv6 (as of Oneiric?),
the default repositories (including but not limited to the security
updates repo) should really support IPv6.  It is sad to see that
Canonical's ASN isn't announcing any IPv6 prefixes nor has any IPv6
peers up yet.  Many other Linux and BSD distributions are years ahead of
Ubuntu for IPv6 support on the default, official repositories.  Some of
them have claimed to be and tested to be 100% compatible with an
IPv6-only environment.  I don't think Ubuntu can even consider claiming
to be IPv6-only-compliant until the default repositories support it.

Indeed IPv6-only machines are uncommon, but Andre's statements about
Carrier Grade NAT are true and growing in importance.  IPv6-only devices
are going to become more common as compute clusters and other
environments which do not need to communicate with the outside network
become common.  I wouldn't be surprised if cloud providers (Amazon,
Rackspace, Azure, etc) start offering IPv6-only instances in the near
future.  As far as I'm concerned, Ubuntu's lack of care for dogfooding
themselves with IPv6-capable infrastructure heads down a road of
precluding them from deployment in such environments.

(and yes, we do have some IPv6-only virtual machines on which I test our
applications - these machines do not have NAT64'ed access to the outside
world for updates, so we are forced to use an unofficial mirrors.  This
is in addition to many, many machines [ both virtual and physical] which
are dual-stacked and are using unofficial IPv6-enabled mirrors)

-- 
You received this bug notification because you are a member of IPv6 Task
Force, which is subscribed to a duplicate bug report (493754).
https://bugs.launchpad.net/bugs/241305

Title:
  security.ubuntu.com not accessible in IPv6 (AAAA record missing in the
  DNS)

Status in “update-manager” package in Ubuntu:
  Invalid

Bug description:
  Dear,

  The apt source list for security update is by default configured  to
  security.ubuntu.com.

  When you have a system using only IPv6 (and having not access to IPv4 via NAT-PT),
  security.ubuntu.com is only reachable in IPv4. 

  It would be wise to configure an AAAA record to security.ubuntu.com to at least
  point to one of the many mirrors supporting IPv6 connectivity.

  That would avoid system running natively in IPv6 to lack by default the security
  update.

  Thanks a lot,

  Kind regards

  PS : I checked this as being a security vulnerability but this is more a configuration issue
  on the Ubuntu network infrastructure than a real security vulnerability:
   

  A DNS AAAA request :

  
  dig -t AAAA security.ubuntu.com

  ; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;security.ubuntu.com.           IN      AAAA

  ;; AUTHORITY SECTION:
  ubuntu.com.             3600    IN      SOA     ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600

  ;; Query time: 134 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Thu Jun 19 15:17:39 2008
  ;; MSG SIZE  rcvd: 98

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/241305/+subscriptions