Re: IPv6 woes - RFC

I concur that the problem is not a routing hardware problem. It's a perception problem with the various ISPs. I have fiber service with AT&T.

My little server farm endpoints all have IPv6 addresses, including the edge router. I also have a plan to allocate IPv6 addresses to my LAN devices, and to protect the LAN devices from outside interference by rules in the NFTABLES firewall that include connection tracking on outbound requests. (IPv4 will still use NAT to keep nefarious people from probing my internals.)

Specifically, when I was doing my mail server refresh (moving from Red Hat to Canonical) I decided it was time to offer IPv6 connectivity in the mail server to "future proof" my setup. That included adding AAAA records in my DNS zone files. Failure! The issues:

1. I learned that there are no "static addresses" in IPv6, as far as AT&T was concerned. By all appearances, though, the IPv6 /64 is relatively static, for now, similar to the way that early cable modem deployments kept the same IPv4 addresses. (Until the cable people started forcing changes on DHCP lease renewal, that is.)

2. My request for PTR records was denied, which means I can't satisfy Best Practices for a mail server in the IPv6 space. No PTR records, no redirection of ip6.arpa space, nothing. I include AT&T's refusal below.

3. I don't know how to get an IPv6 allocation from ARIN, how to request AT&T to route it, or how to deal with the DNS server issues. Oh, I know how to configure BIND9; I would prefer using a 24/7/365 provider. For example, my master zone files are with Register.com, so if my circuit goes down the name resolution still happens. Register.com appears not to provide reverse-DNS PTR zone support (in6.arpa). A Google search turned up NOTHING for in6.arpa hosting.

That tells me that IPv6 is not "Internet Ready" for small users. Given the level of FU responses I get trying to work with it, I will stop banging my head against the wall.

So I stick with IPv4, because that will be the "standard" until the day I die, as far as I can tell.

(I removed the AAAA record, so as not to confuse mail servers that DO operate IPv6.)

Subject: RE: Need IPv6 PTR record for my IPv6 mail server
Date: Mon, 19 Jul 2021 12:52:53 +0000
From: Prov-DNS <prov-dns@att.com>
To: Prov-DNS <prov-dns@att.com>, att@satchell.net <att@satchell.net>

Hello

We don't process DNS request on IPv6 addresses. We only process DNS
request on IPv4 static assigned addresses. If you would like us to
process a DNS request for you on a IPv4 address please provide the
following information.

IPv4 address you would like the record created for
Host name you would like that IP address pointed to

Thanks
Michael AT&T Prov-DNS

From: Stephen Satchell <att@satchell.net>
Sent: Friday, July 16, 2021 5:42 PM
To: DNSUpdates cB <g12988@att.com>
Subject: Need IPv6 PTR record for my IPv6 mail server

Here is the record I need inserted into your ip6.arpa DNS zone:

2.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2.ip6.arpa. 0 IN PTR smtp.satchell.net.
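The PTR request above, worked through as an added example (not part of the original post): it decodes the owner name back to the IPv6 address and derives the ip6.arpa zone a provider would have to host, or delegate with NS records, for the /64, /56 and /48 prefix sizes mentioned in this thread. The function names are illustrative, and the owner name is assembled in two halves on the assumption that the quoted record has the full 32 nibble labels.

```python
import ipaddress

# Owner name from the request quoted above, built in two halves so the
# nibble count is easy to audit: 16 labels of interface ID, 16 of the /64.
HOST_HALF = "2.3." + "0." * 14                      # ::32 reversed
NET_HALF = "0.c.d.d.0.b.9.7.0.0.7.1.0.0.6.2."       # the /64, reversed
PTR_LINE = HOST_HALF + NET_HALF + "ip6.arpa. 0 IN PTR smtp.satchell.net."


def parse_ptr(line):
    """Split a one-line PTR record into (owner, ttl, target)."""
    owner, ttl, rclass, rtype, target = line.split()
    if (rclass.upper(), rtype.upper()) != ("IN", "PTR"):
        raise ValueError("not an IN PTR record")
    return owner.lower(), int(ttl), target


def owner_to_address(owner):
    """Decode a full 32-nibble ip6.arpa owner name into an IPv6Address."""
    labels = owner.rstrip(".").split(".")
    nibbles, suffix = labels[:-2], labels[-2:]
    if suffix != ["ip6", "arpa"] or len(nibbles) != 32:
        raise ValueError("expected 32 nibble labels under ip6.arpa")
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("each label must be one hex digit")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def reverse_zone(prefix):
    """ip6.arpa zone name for a prefix on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length is not a multiple of 4")
    hexdigits = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(hexdigits[: net.prefixlen // 4])) + ".ip6.arpa."


def check(line, prefixlen=64):
    """Return (address, zone to host or delegate, owner-falls-in-zone)."""
    owner, _ttl, _target = parse_ptr(line)
    addr = owner_to_address(owner)
    net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
    zone = reverse_zone(str(net))
    return addr, zone, owner.endswith("." + zone)


if __name__ == "__main__":
    for plen in (64, 56, 48):   # prefix sizes mentioned in the thread
        addr, zone, ok = check(PTR_LINE, plen)
        print(f"{addr}  /{plen} zone: {zone}  in zone: {ok}")
```

The zone name is what a provider would either serve itself or hand over with NS records; without one of the two, no PTR for any address in the prefix can resolve.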

It tells you that AT&T don’t treat IPv6 on equal footing to IPv4 and nothing more.

There is nothing at the protocol level stopping AT&T offering a similar level of service. Don’t equate poor implementation with the protocol being broken.

According to Mark Andrews <marka@isc.org>:

> It tells you that AT&T don’t treat IPv6 on equal footing to IPv4 and nothing more.

Indeed but since AT&T is about 1/4 of the US broadband market, and our screwed up telco
politics means there is often no practical competitor available, that's a big problem.

R's,
John

PS: that's separate from what he said about equipment which nominally has v6 support but not
in a way that you can actually use.

I haven’t tried the PTR thing yet, but I do have a small business client that has AT&T business internet and they were able to get a static /56 (For some reason, AT&T refused to do a /48, but we did push them on it.)

If it turns out they won’t do PTR or more likely NS for our ip6.arpa zone, then we’ll probably start looking for an alternative provider or get an HE /48 over a tunnel which will do PTR or NS records appropriately.

Owen

> I haven’t tried the PTR thing yet, but I do have a small business client that has AT&T business internet and they were able to get a static /56 (For some reason, AT&T refused to do a /48, but we did push them on it.)

When I checked, there were NO options for ANY static IPv6. Perhaps the devil is in the details of my particular "business Internet" package. If "package" is the right term; I use them only for upstream connectivity and rental of IP (and IPv6) addresses.

> If it turns out they won’t do PTR or more likely NS for our ip6.arpa zone, then we’ll probably start looking for an alternative provider

That's the problem with a facilities-based ISP, there are no alternative providers. Oh, sure, I could get Spectrum here. Indeed, I had a circuit: when I had their business service I had even more problems with them than I do with this one.

> or get an HE /48 over a tunnel which will do PTR or NS records appropriately.

Hurricane Electric? Seriously? I had them when I was working at a web host company quite a while ago. Have they improved their service desk? The downside is that I would have a serial pair of points of failure for my connectivity.

IPv6 was supposed to SOLVE the problems, not create more problems.

I look back longingly to that product from the 80s: Internet-in-a-box.

I also remember the birth of Interop, when I visited Telebit at a session to work out the interoperability snags in PPP implementations among a handful of vendors.

It appears that Stephen Satchell <list@satchell.net> said:

>> or get an HE /48 over a tunnel which will do PTR or NS records appropriately.
>
> Hurricane Electric? Seriously?

I've been using HE's free ipv6 tunnels for ten years. They work great.
I don't ever recall any downtime. They assign you a /64 by default,
/48 on request, and delegate the rDNS wherever you want. One points at my server which
is in a rack somewhere, one points at the router on my home fiber connection.

Since I set it up they filter port 25 by default for obvious reasons but will unblock
if you ask nicely and sound like you know what you're doing. Geolocation doesn't work,
and now and then someone (Wikipedia) decides it's an evil VPN and blocks or filters it
but I haven't found that to be much of a problem in practice.

R's,
John