No IPv6 for deb.nodesource.com

[igalic]

Hi folks,

i'd like to report an issue with deb.nodesource.com:

igalic@levix ~> dig in AAAA deb.nodesource.com

; <<>> DiG 9.9.5-9ubuntu0.3-Ubuntu <<>> in AAAA deb.nodesource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deb.nodesource.com.            IN      AAAA

;; AUTHORITY SECTION:
nodesource.com.         10800   IN      SOA     rodney.ns.cloudflare.com. dns.cloudflare.com. 2019875292 10000 2400 604800 3600

;; Query time: 15 msec
;; SERVER: 10.1.7.42#53(10.1.7.42)
;; WHEN: Tue Nov 10 22:17:02 CET 2015
;; MSG SIZE  rcvd: 108

igalic@levix ~>

it's unreachable via IPv6, so we have to use workarounds like dns64 to get it installed.

[bastelfreak]

👍 for fixing this. Could you please deploy IPv6?

[ehwat]

+1

[igalic]

what i find bizarre is that this is hosted on cloudflare, and it's not just supported out of the box

[rvagg]

It's not hosted on CloudFlare, just the DNS is, we'll have to enable ipv6 on the box and update DNS for it. I've got it on my TODO list.

[igalic]

💜

[rotanid]

clodflare translates from IPv6 to your boxes IPv4, you just have to activate it in your cloudflare account - many websites use this feature

[bastelfreak]

Hi,
how is the current state @rvagg, any updates?

[rvagg]

I think this is good to go now .. had a few issues with DNS and I'm not on an ipv6 connection atm to test. Let me know how it goes.

[rvbhute]

I am getting errors since last couple of days.

W: Failed to fetch https://deb.nodesource.com/node_4.x/dists/trusty/main/binary-amd64/Packages Failed to connect to deb.nodesource.com port 443: Network is unreachable

Attaching gist with curl -v command output. Connecting via VPN or another ISP does not give this error.

https://gist.github.com/rvbhute/2dac82a5a5d40ebc9c2b

[bastelfreak]

@rvagg it is possible that your IPv6 in general is broken, can you connect to other services like google.com?

@rvagg it is working fine, thanks:

$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
*   Trying 2604:a880:1:20::13b:b001...
* Connected to deb.nodesource.com (2604:a880:1:20::13b:b001) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: Apr 20 00:00:00 2015 GMT
*    expire date: Jun 13 12:00:00 2018 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> Host: deb.nodesource.com
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Fri, 08 Jan 2016 10:39:17 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact

[daenney]

Do note that because of the redirect to Github, which doesn't do IPv6, this still won't work for a system that can not talk IPv4. If you let curl follow the redirect:

* Connected to github.com (192.30.252.130) port 443 (#0)

If you can turn this into a Github Pages, then using a CNAME at Cloudflare to point it this way and send the traffic through the Cloudflare network instead (not just the DNS lookup) Cloudflare will proxy the request for you and will then be delivered over IPv6.

[rvbhute]

I am on IPv4, on all 3 ISPs. All other traffic (browser, xmpp, apt updates from other repos) is fine. The connection which has a problem right now also used to work fine till about three days ago more or less (around the same time the DNS was updated) which is why I don't think it is an ISP problem.

Running the curl test, for other two ISPs (ADSL and 3G hotspot), it shows Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable and then successfully connects to deb.nodesource.com on its resolved IPv4 address.

First output is the one where it fails

rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* connect to 2604:a880:1:20::13b:b001 port 443 failed: Network is unreachable
* Failed to connect to deb.nodesource.com port 443: Network is unreachable
* Closing connection 0
curl: (7) Failed to connect to deb.nodesource.com port 443: Network is unreachable

Trying with the IP address

rohit@ryujin:~$ curl -v https://192.241.233.42
* Rebuilt URL to: https://192.241.233.42/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
* Connected to 192.241.233.42 (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
* SSL: certificate subject name '*.nodesource.com' does not match target host name '192.241.233.42'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name '*.nodesource.com' does not match target host name '192.241.233.42'

These two are from ISPs that work correctly. Apologies for the wall of text.

rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable
* Connected to deb.nodesource.com (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: deb.nodesource.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 08 Jan 2016 10:47:40 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact

rohit@ryujin:~$ curl -v https://deb.nodesource.com
* Rebuilt URL to: https://deb.nodesource.com/
* Hostname was NOT found in DNS cache
*   Trying 192.241.233.42...
*   Trying 2604:a880:1:20::13b:b001...
* Immediate connect fail for 2604:a880:1:20::13b:b001: Network is unreachable
* Connected to deb.nodesource.com (192.241.233.42) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=US; ST=CA; L=Anaheim; O=Node Source, LLC; CN=*.nodesource.com
*    start date: 2015-04-20 00:00:00 GMT
*    expire date: 2018-06-13 12:00:00 GMT
*    subjectAltName: deb.nodesource.com matched
*    issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: deb.nodesource.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 08 Jan 2016 10:48:34 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: https://github.com/nodesource/distributions
< Strict-Transport-Security: max-age=15552000
< 
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host deb.nodesource.com left intact

[rvagg]

OK folks, we're getting reports of problems from a number of sources so for now we're moving the IPv6 address onto deb6.nodesource.com and rpm6.nodesource.com, leaving the vanilla ones IPv4-only. If you want to use IPv6 then switch hostnames in /etc/apt/sources.list*.

[retrohacker]

This appears to have been resolved. Adding the deb6 and rpm6 urls to the FAQ section in #308

[retrohacker]

If IPv6 support is still a problem, feel free to reopen this issue and we can explore.

[rotanid]

1. i can't find it in the FAQ section
2. you didn't fix it, dual-stack was asked here and providing a different URL is not a solution for that

[retrohacker]

Thanks, @rotanid,

I pulled the trigger too quickly on closing this issue during the cleanup of this repo. It has been re-opened. Sorry!

[rvagg]

can anyone point to an existing successfully dual-stack APT repo that we can poke at? I'm not seeing how we can achieve this and work around the problems that folks experienced when we turned on dual-stack.

[rotanid]

like "ftp.debian.org"? that would be a big APT repo with dual-stack.

[rvagg]

mm, good one, so we need to work out why resolution order was messing up for people when we switched it on in the first place

[mweagle]

Hi @igalic - we have migrated to CloudFront for hosting and it currently does not support ipv6 related. When it becomes available we will add support soon afterwards.

Ref: #353 (comment)

[meteormatt]

https://aws.amazon.com/cn/about-aws/whats-new/2016/10/ipv6-support-for-cloudfront-waf-and-s3-transfer-acceleration/

[chrislea]

We've supported ipv6 since CloudFront supported it. Here's the lookup from my laptop:

[chl@ilmare ~]$ host deb.nodesource.com
deb.nodesource.com is an alias for d2buw04m05mirl.cloudfront.net.
d2buw04m05mirl.cloudfront.net has address 54.192.139.6
d2buw04m05mirl.cloudfront.net has address 54.192.139.10
d2buw04m05mirl.cloudfront.net has address 54.192.139.25
d2buw04m05mirl.cloudfront.net has address 54.192.139.34
d2buw04m05mirl.cloudfront.net has address 54.192.139.61
d2buw04m05mirl.cloudfront.net has address 54.192.139.75
d2buw04m05mirl.cloudfront.net has address 54.192.139.154
d2buw04m05mirl.cloudfront.net has address 54.192.139.176
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:3800:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:3c00:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:5a00:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:7800:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:9800:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:b000:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:d200:1f:6523:6040:93a1
d2buw04m05mirl.cloudfront.net has IPv6 address 2600:9000:201d:d800:1f:6523:6040:93a1

[kwakkel1000]

Is deb.nodesource.com back to IPv4 only?

host deb.nodesource.com
deb.nodesource.com has address 54.192.129.224
deb.nodesource.com has address 54.192.129.96
deb.nodesource.com has address 54.192.129.140
deb.nodesource.com has address 54.192.129.247
deb.nodesource.com has address 54.192.129.43
deb.nodesource.com has address 54.192.129.183
deb.nodesource.com has address 54.192.129.123
deb.nodesource.com has address 54.192.129.119

I'm not sure since when (but not more then i week i think).
I actually think its since today (i see some caching where it still points to the CNAME where it still has AAAA)

[chrislea]

Thanks for the head's up @kwakkel1000. We just switched DNS authority and the IPV6 info didn't switch with it. We've updated accordingly and it should be fixed as soon as the update propagates (if not already). Here's from my home machine right now:

chl@luthien:~$ host deb.nodesource.com
deb.nodesource.com has address 54.230.86.17
deb.nodesource.com has address 54.230.86.54
deb.nodesource.com has address 54.230.86.100
deb.nodesource.com has address 54.230.86.175
deb.nodesource.com has address 54.230.86.198
deb.nodesource.com has address 54.230.86.210
deb.nodesource.com has address 54.230.86.224
deb.nodesource.com has address 54.230.86.239
deb.nodesource.com has IPv6 address 2600:9000:201e:2600:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:4a00:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:7400:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:7e00:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:b800:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:ba00:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:c400:1f:6523:6040:93a1
deb.nodesource.com has IPv6 address 2600:9000:201e:d400:1f:6523:6040:93a1