Problems getting to Verisign's whois server on IPv6

Anyone else having problems getting to Verisign's whois server on IPv6?

$ host com.whois-servers.net
com.whois-servers.net is an alias for whois.verisign-grs.com.
whois.verisign-grs.com has address 199.7.59.74
whois.verisign-grs.com has IPv6 address 2001:503:3227:1060::74

$ traceroute6 2001:503:3227:1060::74
traceroute6 to 2001:503:3227:1060::74 (2001:503:3227:1060::74) from 2001:470:5:4ed:cabc:c8ff:fea1:560c, 64 hops max, 12 byte packets
1 2001:470:5:4ed:226:bbff:fe6d:426e 0.311 ms 0.374 ms 0.260 ms
2 ipv6oitc-1.tunnel.tserv12.mia1.ipv6.he.net 21.128 ms 21.052 ms 17.389 ms
3 gige-g2-3.core1.mia1.he.net 20.055 ms 16.198 ms 22.699 ms
4 10gigabitethernet4-3.core1.atl1.he.net 40.166 ms 33.887 ms 32.547 ms
5 10gigabitethernet6-4.core1.ash1.he.net 49.821 ms 45.999 ms 52.751 ms
6 2001:504:0:2::2641:1 47.197 ms 46.748 ms 47.289 ms
7 xe-1-2-0.r1.bb-fo.chi2.vrsn.net 65.094 ms
    xe-0-2-0.r2.bb-fo.chi2.vrsn.net 66.441 ms
    xe-1-2-0.r1.bb-fo.chi2.vrsn.net 66.320 ms
8 2001:503:3227:14ff::2 66.448 ms
    2001:503:3227:13ff::2 101.761 ms 86.864 ms
9 2001:503:3227:13ff::2 69.818 ms !P
    2001:503:3227:14ff::2 69.311 ms !P
    2001:503:3227:13ff::2 68.662 ms !P

Path is not the same, but the last few replies similarly suggest
packet-filters (!X in my case vs. !P).
I can get to the whois port (TCP/43):

$ telnet -6 2001:503:3227:1060::74 whois
Trying 2001:503:3227:1060::74...
Connected to 2001:503:3227:1060::74.
Escape character is '^]'.

Can you?

Tony

Nope sure can't

$ telnet -6 2001:503:3227:1060::74 whois
2001:503:3227:1060::74: nodename nor servname provided, or not known

Tom

Anyone else having problems getting to Verisign's whois server on IPv6?

whois -h 2001:503:ff39:1060::74 verisign-grs.com

works for me.

  jaap

Seems to work for me....

mps31@lonsgnsu1:~$ telnet -6 2001:503:3227:1060::74 whois
Trying 2001:503:3227:1060::74...
Connected to 2001:503:3227:1060::74.
Escape character is '^]'.

mps31@lonsgnsu1:~$ whois -h 2001:503:3227:1060::74 =verisign.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: VERISIGN.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: A2.NSTLD.COM
   Name Server: C2.NSTLD.NET
   Name Server: D2.NSTLD.NET
   Name Server: E2.NSTLD.NET
   Name Server: F2.NSTLD.COM
   Name Server: G2.NSTLD.COM
   Name Server: H2.NSTLD.NET
   Name Server: J2.NSTLD.NET
   Name Server: K2.NSTLD.NET
   Name Server: L2.NSTLD.COM
   Name Server: M2.NSTLD.NET
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 14-apr-2011
   Creation Date: 02-jun-1995
   Expiration Date: 01-jun-2012

Last update of whois database: Tue, 01 May 2012 12:29:12 UTC <<<

Mike Simkins | Senior Network Engineer, Operations Engineering | SunGard
Availability Services | 25 Canada Square, London E14 5LQ

This looks to be more of an application issue for you.

The rest seems to work for me:

puck:~$ whois -h 2001:503:ff39:1060::74 verisign-grs.com
[Querying 2001:503:ff39:1060::74]
[2001:503:ff39:1060::74]

Whois Server Version 2.0

...

- Jared

Testing it using the NLNOG ring (https://ring.nlnog.net) shows that 3
nodes have routing issues, 92 have no problems reaching Verisign's whois
server on IPv6. So there might be some routing issues.

Here's a (tad too crowded) graph showing the traceroutes from all ring
nodes: https://ring.nlnog.net/paste/p/pqux9kxpzhytnnmx

Regards,
Teun

mtu problems perhaps? (I get a connect, but nothing after the initial banner ...

-chris

The server doesn't do PMTUD properly. Verisign were informed of this
a while back. How hard is it to let ICMPv6 PTB in so that PMTUD works?

% whois -h 2001:503:3227:1060::74 example.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
[stalls here forever]

The message is sent in 3 packets and you see packets 1 and 3; 2 is
lost and despite selective acks it is never seen.

that appears to be the case :( setting MSS to 1420 seems to work for
me (at home, on a janky tunneled setup, because you know... ipv6 is
'hard' for vz to do :( )

-chris
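
The comparison described in the last two messages (default MSS stalls after the banner, MSS 1420 works), as an added example that is not part of the original thread. The helper names whois_probe and diagnose are hypothetical; the clamp value, address and query are the ones quoted above.

```python
import socket

def whois_probe(host, query, port=43, mss=None, timeout=5.0):
    """Send one WHOIS query and return (status, bytes_received).

    "complete": the server answered and closed the connection.
    "stalled":  some data arrived, then nothing (the symptom in the thread).
    "failed":   name lookup, connect or another socket error, or no data at all.
    """
    received = 0
    try:
        family, stype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
        with socket.socket(family, stype, proto) as s:
            s.settimeout(timeout)
            if mss is not None:
                # Set before connect() so the value is advertised in our SYN
                # and the server never sends a larger segment.
                s.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, mss)
            s.connect(addr)
            s.sendall(query.encode("ascii") + b"\r\n")
            while True:
                chunk = s.recv(4096)
                if not chunk:  # orderly close: the whole answer arrived
                    return "complete", received
                received += len(chunk)
    except socket.timeout:
        return ("stalled" if received else "failed"), received
    except OSError:
        return "failed", received

def diagnose(host, query, clamp=1420, **kw):
    """Probe with the default MSS, then with a clamped one, and compare."""
    default = whois_probe(host, query, **kw)
    clamped = whois_probe(host, query, mss=clamp, **kw)
    if default[0] == "stalled" and clamped[0] == "complete":
        verdict = "PMTUD black hole likely: only the clamped MSS completes"
    elif default[0] == "complete":
        verdict = "no MTU problem seen on this path"
    else:
        verdict = "inconclusive: failure does not depend on MSS"
    return default, clamped, verdict

if __name__ == "__main__":
    # Address and query taken from the thread.
    print(diagnose("2001:503:3227:1060::74", "example.com"))
```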