← Back to team overview

massive-dynamics-staff team mailing list archive

  1. massive-dynamics-staff team
  2. Mailing list archive
  3. Message #00087

[Bug 241305] Re: security.ubuntu.com not accessible in IPv6 (AAAA record missing in the DNS)

  Thread PreviousDate PreviousThread Next 
** Description changed:

+ ---------------------------------------
+ READ THIS BEFORE COMMENTING ON THIS BUG
+ ---------------------------------------
+ 
+ security.ubuntu.com and archive.ubuntu.com have been IPv6 enabled since
+ March 2013 (see comment #29 below).  Their connectivity is monitored by
+ both internal and 3rd party monitoring systems.
+ 
+ If you experience problems with IPv6 connectivity to the archive
+ servers, please DO NOT comment on this bug.  Instead, email
+ rt@xxxxxxxxxx explaining the problem, and include the output of the
+ following commands:
+ 
+ - date -u --rfc-3339=seconds
+ - ip -6 addr
+ - mtr -6 --report --no-dns -c 3 security.ubuntu.com
+ - host security.ubuntu.com   # requires bind9-host to be installed
+ - ip -6 route get $(host security.ubuntu.com|awk '/has IPv6 address/ {print $NF}')  # also requires bind9-host to be installed
+ 
+ ---------------------------------------
+ 
  Dear,
  
- The apt source list for security update is by default configured  to
+ The apt source list for security update is by default configured to
  security.ubuntu.com.
  
- When you have a system using only IPv6 (and having not access to IPv4 via NAT-PT),
- security.ubuntu.com is only reachable in IPv4.
+ When you have a system using only IPv6 (and having not access to IPv4
+ via NAT-PT), security.ubuntu.com is only reachable in IPv4.
  
- It would be wise to configure an AAAA record to security.ubuntu.com to at least
- point to one of the many mirrors supporting IPv6 connectivity.
+ It would be wise to configure an AAAA record to security.ubuntu.com to
+ at least point to one of the many mirrors supporting IPv6 connectivity.
  
- That would avoid system running natively in IPv6 to lack by default the security
- update.
+ That would avoid system running natively in IPv6 to lack by default the
+ security update.
  
  Thanks a lot,
  
  Kind regards
  
- PS : I checked this as being a security vulnerability but this is more a configuration issue
- on the Ubuntu network infrastructure than a real security vulnerability:
+ PS : I checked this as being a security vulnerability but this is more a
+ configuration issue on the Ubuntu network infrastructure than a real
+ security vulnerability:
  
  A DNS AAAA request :
  
  dig -t AAAA security.ubuntu.com
  
  ; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;security.ubuntu.com.           IN      AAAA
  
  ;; AUTHORITY SECTION:
  ubuntu.com.             3600    IN      SOA     ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600
  
  ;; Query time: 134 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Thu Jun 19 15:17:39 2008
  ;; MSG SIZE  rcvd: 98

-- 
You received this bug notification because you are a member of IPv6 Task
Force, which is subscribed to a duplicate bug report (493754).
https://bugs.launchpad.net/bugs/241305

Title:
  security.ubuntu.com not accessible in IPv6 (AAAA record missing in the
  DNS)

Status in Ubuntu Website - OBSOLETE:
  Fix Released
Status in update-manager package in Ubuntu:
  Invalid

Bug description:
  ---------------------------------------
  READ THIS BEFORE COMMENTING ON THIS BUG
  ---------------------------------------

  security.ubuntu.com and archive.ubuntu.com have been IPv6 enabled
  since March 2013 (see comment #29 below).  Their connectivity is
  monitored by both internal and 3rd party monitoring systems.

  If you experience problems with IPv6 connectivity to the archive
  servers, please DO NOT comment on this bug.  Instead, email
  rt@xxxxxxxxxx explaining the problem, and include the output of the
  following commands:

  - date -u --rfc-3339=seconds
  - ip -6 addr
  - mtr -6 --report --no-dns -c 3 security.ubuntu.com
  - host security.ubuntu.com   # requires bind9-host to be installed
  - ip -6 route get $(host security.ubuntu.com|awk '/has IPv6 address/ {print $NF}')  # also requires bind9-host to be installed

  ---------------------------------------

  Dear,

  The apt source list for security update is by default configured to
  security.ubuntu.com.

  When you have a system using only IPv6 (and having not access to IPv4
  via NAT-PT), security.ubuntu.com is only reachable in IPv4.

  It would be wise to configure an AAAA record to security.ubuntu.com to
  at least point to one of the many mirrors supporting IPv6
  connectivity.

  That would avoid system running natively in IPv6 to lack by default
  the security update.

  Thanks a lot,

  Kind regards

  PS : I checked this as being a security vulnerability but this is more
  a configuration issue on the Ubuntu network infrastructure than a real
  security vulnerability:

  A DNS AAAA request :

  dig -t AAAA security.ubuntu.com

  ; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;security.ubuntu.com.           IN      AAAA

  ;; AUTHORITY SECTION:
  ubuntu.com.             3600    IN      SOA     ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600

  ;; Query time: 134 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Thu Jun 19 15:17:39 2008
  ;; MSG SIZE  rcvd: 98

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-website/+bug/241305/+subscriptions
  Thread PreviousDate PreviousThread Next