security.ubuntu.com not accessible in IPv6 (AAAA record missing in the DNS)

Bug #241305 reported by Alexandre Dulaunoy on 2008-06-19
610
This bug affects 77 people
Affects Status Importance Assigned to Milestone
Ubuntu Website - OBSOLETE
Undecided
Unassigned
update-manager (Ubuntu)
High
Unassigned

Bug Description

---------------------------------------
READ THIS BEFORE COMMENTING ON THIS BUG
---------------------------------------

security.ubuntu.com and archive.ubuntu.com have been IPv6 enabled since March 2013 (see comment #29 below). Their connectivity is monitored by both internal and 3rd party monitoring systems.

If you experience problems with IPv6 connectivity to the archive servers, please DO NOT comment on this bug. Instead, email <email address hidden> explaining the problem, and include the output of the following commands:

- date -u --rfc-3339=seconds
- ip -6 addr
- mtr -6 --report --no-dns -c 3 security.ubuntu.com
- host security.ubuntu.com # requires bind9-host to be installed
- ip -6 route get $(host security.ubuntu.com|awk '/has IPv6 address/ {print $NF}') # also requires bind9-host to be installed

---------------------------------------

Dear,

The apt source list for security update is by default configured to security.ubuntu.com.

When you have a system using only IPv6 (and having not access to IPv4 via NAT-PT), security.ubuntu.com is only reachable in IPv4.

It would be wise to configure an AAAA record to security.ubuntu.com to at least point to one of the many mirrors supporting IPv6 connectivity.

That would avoid system running natively in IPv6 to lack by default the security update.

Thanks a lot,

Kind regards

PS : I checked this as being a security vulnerability but this is more a configuration issue on the Ubuntu network infrastructure than a real security vulnerability:

A DNS AAAA request :

dig -t AAAA security.ubuntu.com

; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;security.ubuntu.com. IN AAAA

;; AUTHORITY SECTION:
ubuntu.com. 3600 IN SOA ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600

;; Query time: 134 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 19 15:17:39 2008
;; MSG SIZE rcvd: 98

Although I don't know enough about this stuff, any problem that causes users to not be able to get security updates is a security vulnerability. I'm going to flag/elevate it as such so we can get a developer to look at it as soon as possible. Thanks for reporting this bug.

I would not call this a security vulnerability. No computer sytem is at this point in time expected to use *only* IPv6 but to use *dual stacks* for the transition process. All IPv6-enabled system will still speak IPv4 and be able to reach the update servers.

I would not even call this a bug but a feature request but I do not know what to do about it. Should it be set to "invalid"?

On Thu, Jun 19, 2008 at 7:32 PM, Henning Eggers

<email address hidden> wrote:
> I would not call this a security vulnerability. No computer sytem is at
> this point in time expected to use *only* IPv6 but to use *dual stacks*
> for the transition process. All IPv6-enabled system will still speak
> IPv4 and be able to reach the update servers.

There are systems only using IPv6. We have four of them. I admit, this
is not very common but will be in the next few months. Nothing forbid
to have already IPv6-only system.

They are not dual-stack or don't use any NAT-PT or transition
mechanism to access IPv4 host.

> I would not even call this a bug but a feature request but I do not know
> what to do about it. Should it be set to "invalid"?

Is it a big deal for Ubuntu people to setup an AAAA record and
pointing to a friendly mirror already hosting security update and
available in IPv6 ? (a virtual host need to be setup on those friendly
mirrors)

Feel free to move the ticket to the team managing the Ubuntu
network/mirror infrastructure.

Thanks for your feedback

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

Henning Eggers (henninge) wrote :

You are aware, though, that IPv6-only hosts are still a rare exception
on the open internet and that you must expect not being able to connect
to all services - like Ubuntu updates.

I am not saying that it wouldn't be a good idea to have at least one
update server accessible via IPv6 but it is neither a bug nor a security
vulnerabilty.

As a solution: Setup an apt mirror on a dual-stacked host in your
network. Look at the apt-mirror package for this purpose, it is quite
easy to do.

Alexandre Dulaunoy (adulau) wrote :

On Thu, Jun 19, 2008 at 8:13 PM, Henning Eggers <email address hidden> wrote:
> You are aware, though, that IPv6-only hosts are still a rare exception
> on the open internet and that you must expect not being able to connect
> to all services - like Ubuntu updates.
>
> I am not saying that it wouldn't be a good idea to have at least one
> update server accessible via IPv6 but it is neither a bug nor a security
> vulnerabilty.
>
> As a solution: Setup an apt mirror on a dual-stacked host in your
> network. Look at the apt-mirror package for this purpose, it is quite
> easy to do.

Yes I know. I'm already using an updated sources.list pointing to
ftp.belnet.be (serving the security mirror) in IPv6. In such case, I
don't need any dual-stacked host.

My point was just as security.ubuntu.com is the default sources.list,
this one should also serve it in IPv6.

It's up to you to decide but it personally think sooner is better than too late.

Thanks and enjoy your evening,

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

Henning Eggers (henninge) wrote :

Actually, it's not up to me to decide ... ;-)

From what I could find out (on #canonical-sysadmins) there seem to be no definite plans for IPv6 connectivity of the repository servers. I will create an entry on the request tracker (https://rt.ubuntu.com usr/pw:ubuntu) to make sure this request will be remembered as soon as possible.

Henning Eggers (henninge) wrote :

A ticket concerning this issue has been opened on the request tracker (#2485). It is not a software bug.

Changed in update-manager:
status: Confirmed → Invalid
Ronny Roethof (ronny-roethof) wrote :

for now I suggest updating your /etc/apt/sources.list with the following:

sed -i 's/security.ubuntu.com/ftp.belnet.be\/mirror\/ubuntu.com/g' /etc/apt/sources.list

Just my 2 cents for IPv6 :)

Alexandre Dulaunoy (adulau) wrote :

I'm still wondering why security.ubuntu.com (used out-of-the-box as the security source for newly installation)
is not IPv6. In 2010, there are machines in IPv6 only. How can we contact the Ubuntu infrastructure maintainer to
add IPv6 support to security.ubuntu.com?

For sure, the trick to replace security.ubuntu.com by a mirror supporting IPv6 is fine but this should be by default...

dnmvisser (dnmvisser) wrote :

It is now February 2011 and still no IPv6 connectivity for security.ubuntu.com.
For instance my code repository system svn.terena.org is complaining.
I am planning to remove IPv4 from more systems, so +1 for some IPv6 connectivity.
Thanks

Alexandre Dulaunoy (adulau) wrote :

October 2011... when do you plan to have security.ubuntu.com in IPv6? It's now really common to have IPv6-only host.

Thank you,

Changed in update-manager (Ubuntu):
status: Invalid → Confirmed
Changed in update-manager (Ubuntu):
status: Confirmed → Invalid
Alexandre Dulaunoy (adulau) wrote :

I understand that is not a software bug but where this can be reported to be fixed? Thank you.

Mark Schouten (mark-prevented) wrote :

It has become clear to me, in the past couple of years, that Canonical isn't really interested in stuff like this. They don't really understand IPv6, and don't care enough to work on it. The only thing that officially runs IPv6 is because some people whined about that long enough in #ubuntu-mirrors, and because it is not probable that it breaks stuff. BTW: It's not Canonical that made that possible, but some mirroradmins of other companies (that do care).

So, IPv6 for Ubuntu will probably be on the same day that it has more users than Windows.

PS: This really is the wrong place for this bug. But 3.5 years of ignorance on Canonicals part calls for a rant of some kind.

Mark Schouten (mark-prevented) wrote :

Been there, done that. :)

Ronny Roethof (ronny-roethof) wrote :

Dear Canonical,

It's YEARS later now.. IPv6 is commonly used now too..
And still no simple AAAA records ??

if you can't get IPv6 to work, then at least create a lame :fff:: hybrid AAAA record.. ok it's lame, but then AT LEAST it resolvs to IPv4..

Come on, this is fucking ridiculous..

R

posted on the ubuntu.com RT as well.

Mark Schouten (mark-prevented) wrote :

It would be nice if Canonical thought about joining http://www.worldipv6launch.org/ . Microsoft has already adapted IPv6 fully (you SHOULD not even turn it of anymore in a Windows environment), so maybe that'll trigger Canonical.

Philipp Kern (pkern) wrote :

On Tue, Jan 24, 2012 at 04:30:50PM -0000, Ronny Roethof wrote:
> It's YEARS later now.. IPv6 is commonly used now too..
> And still no simple AAAA records ??
>
> if you can't get IPv6 to work, then at least create a lame :fff:: hybrid
> AAAA record.. ok it's lame, but then AT LEAST it resolvs to IPv4..

That wouldn't help anybody. That's what the A record is for.

My bet is that the firewalling and the upstream providers might not be
as ready as they should be, but I might be wrong. It's also likely
that it's not a priority.

> Come on, this is fucking ridiculous..

Keep your swearing to yourself. You're not helping anybody with it.

Thanks
Philipp Kern

At uds-p there was a IPv6 healthcheck session,

"Status of IPv6 support for Ubuntu core services like archive.ubuntu.com, archive.canonical.com, ntp.ubuntu.com, geoip.ubuntu.com, ... so we can have a perfectly working install in an IPv6 only environment"
http://summit.ubuntu.com/uds-p/meeting/19580/foundations-p-ipv6/

According to the blueprint on https://blueprints.launchpad.net/ubuntu/+spec/foundations-p-ipv6 there is some WIP on ipv6.archive.ubuntu.com to make archives available over ipv6. Unfortunately security.ubuntu.com isnt mentioned.

colomonkey (rosco) wrote :

Still nothing. When is this going to be fixed?

Andre Tomt (andre-tomt) wrote :

While IPv6 only networks are quite uncommon still (though they do exist), not having services on IPv6 has implications for ISP networks going forward. As major ISP's are deploying Carrier Grade NAT, every IPv4 only service makes their CGN and/or NAT64 boxes ever bigger and more expensive to operate.

Postponing it much longer is not beeing a good netizen, yo ;-)

Ryan Rawdon (flieslikeabrick) wrote :

Now that Ubuntu supports network installs over IPv6 (as of Oneiric?), the default repositories (including but not limited to the security updates repo) should really support IPv6. It is sad to see that Canonical's ASN isn't announcing any IPv6 prefixes nor has any IPv6 peers up yet. Many other Linux and BSD distributions are years ahead of Ubuntu for IPv6 support on the default, official repositories. Some of them have claimed to be and tested to be 100% compatible with an IPv6-only environment. I don't think Ubuntu can even consider claiming to be IPv6-only-compliant until the default repositories support it.

Indeed IPv6-only machines are uncommon, but Andre's statements about Carrier Grade NAT are true and growing in importance. IPv6-only devices are going to become more common as compute clusters and other environments which do not need to communicate with the outside network become common. I wouldn't be surprised if cloud providers (Amazon, Rackspace, Azure, etc) start offering IPv6-only instances in the near future. As far as I'm concerned, Ubuntu's lack of care for dogfooding themselves with IPv6-capable infrastructure heads down a road of precluding them from deployment in such environments.

(and yes, we do have some IPv6-only virtual machines on which I test our applications - these machines do not have NAT64'ed access to the outside world for updates, so we are forced to use an unofficial mirrors. This is in addition to many, many machines [ both virtual and physical] which are dual-stacked and are using unofficial IPv6-enabled mirrors)

Ryan Rawdon (flieslikeabrick) wrote :

Also - I don't see that anyone asked this before-

This doesn't sound like the ideal place for feature requests, if that's all that this qualifies as (though I think it deserves attention wherever it can get it). If this is not the ideal place, where should this be requested to get the proper attention as a feature request for Canonical's infrastructure? (and it really isn't a request just for the security repos; Canonical should be making progress towards adding IPv6 connectivity to all of its sites/infrastructure)

Ryan Rawdon (flieslikeabrick) wrote :

Just was referred to https://rt.ubuntu.com/Ticket/Display.html?id=2485 by someone on IRC.

Is there anyone who can get Canonical to review that ticket? It has been open for 4+ years and appears to have no official commentary and not resulted in any meaningful conversation/dialogue, let alone action. It's mildly concerning that a bug reporting workflow/process can result in a stale bug report for so long with no official review/action

Mark Schouten (mark-prevented) wrote :

@Ryan. As I've said before. Canonical doesn't care (actually I think they just don't know how the intarwebz work) about IPv6. I've been asking them in #ubuntu-mirrors for years. I've also asked them via mail. Someone I know even asked Mark Shuttleworth about it in some Q&A-session. Nothing happened.

I think this is the right place for this bug. The fact that it isn't even assigned to someone @Canonical says enough for me.

I've given up, I'll just use other mirrors that do support IPv6.

Matthias Niess (mniess) wrote :

The last blocks of IPv4 addresses have supplied to local registrars. That means we've run out. How is this not an issue?

Changed in ubuntu-website:
status: New → Confirmed

Please fix this issue.

We run an IPv6-only ISP and have servers we would rather not put behind NAT64 but are forced to at the moment.

This issue has been reported over 4 years ago, and has become a serious real-life problem for organisations. IANA (global supply) ran out of IPv4 addresses in February 2011. Shortly after that APNIC (Asia-Pacific supply) ran out. In September 2012 RIPE NCC (Europe/Middle-East/parts of Asia) ran out of IPv4 addresses.

Being able to run an IPv6-only network is increasingly important. Sure, hacks like NAT64/DNS64 exist. They form performance bottlenecks and single-points-of-failure in networks. Having native IPv6 support on an important service like security.ubuntu.com is important. Relying on 3rd party NAT64 boxes can even be a security risk (they would be the perfect place to do man-in-the-middle attacks).

The Canonical Sysadmins and the Ubuntu Security Team are notified of this issue, so I hope they take action as soon as possible. This is something that should have been fixed last year.

David Ames (thedac) wrote :

It is with great pleasure I can announce security.ubuntu.com as well as archive.ubuntu.com are now IPv6 enabled. Enjoy.

Changed in ubuntu-website:
status: Confirmed → Fix Released
Martin Bogomolni (martinbogo) wrote :

Hip hip... hurrah!!

On Mar 12, 2013, at 7:44 AM, David Ames <email address hidden> wrote:

> It is with great pleasure I can announce security.ubuntu.com as well as
> archive.ubuntu.com are now IPv6 enabled. Enjoy.
>
> ** Changed in: ubuntu-website
> Status: Confirmed => Fix Released
>
> --
> You received this bug notification because you are a member of IPv6 Task
> Force, which is subscribed to a duplicate bug report (493754).
> https://bugs.launchpad.net/bugs/241305
>
> Title:
> security.ubuntu.com not accessible in IPv6 (AAAA record missing in the
> DNS)
>
> Status in Ubuntu Website Product:
> Fix Released
> Status in “update-manager” package in Ubuntu:
> Invalid
>
> Bug description:
> Dear,
>
> The apt source list for security update is by default configured to
> security.ubuntu.com.
>
> When you have a system using only IPv6 (and having not access to IPv4 via NAT-PT),
> security.ubuntu.com is only reachable in IPv4.
>
> It would be wise to configure an AAAA record to security.ubuntu.com to at least
> point to one of the many mirrors supporting IPv6 connectivity.
>
> That would avoid system running natively in IPv6 to lack by default the security
> update.
>
> Thanks a lot,
>
> Kind regards
>
> PS : I checked this as being a security vulnerability but this is more a configuration issue
> on the Ubuntu network infrastructure than a real security vulnerability:
>
>
> A DNS AAAA request :
>
>
> dig -t AAAA security.ubuntu.com
>
> ; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;security.ubuntu.com. IN AAAA
>
> ;; AUTHORITY SECTION:
> ubuntu.com. 3600 IN SOA ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600
>
> ;; Query time: 134 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jun 19 15:17:39 2008
> ;; MSG SIZE rcvd: 98
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-website/+bug/241305/+subscriptions

Chris Martin (isiscorp) wrote :

This is great news, thanks everyone!

Mark Schouten (mark-prevented) wrote :

I happily welcome Canonical and Ubuntu to the wonderous world of the next generation internetz. :P Good work guys.

Great news!

Wesley George (wesgeorge-iv) wrote :

This only sort of works. While archive.ubuntu and security.ubuntu do indeed have AAAA records, if you actually disable IPv4, updates still fail. In 13.04, running software updater with IPv6-only connectivity produces the error "unable to get repository information" and recommends that you check your internet connection. This is during the initial check for updates. Wireshark shows it trying to reach us.archive.ubuntu.com and daisy.ubuntu.com, neither of which have AAAA records.

John Mann (john-mann) wrote :

Wesley,

The problem you have is probably location-specific.
e.g. fails in US, but should work in AU.

From where I am ...

$ host us.archive.ubuntu.com
us.archive.ubuntu.com has address 91.189.91.13
us.archive.ubuntu.com has address 91.189.91.14
us.archive.ubuntu.com has address 91.189.91.15

$ host au.archive.ubuntu.com
au.archive.ubuntu.com is an alias for mirror.aarnet.edu.au.
mirror.aarnet.edu.au has address 202.158.214.106
mirror.aarnet.edu.au has IPv6 address 2001:388:30bc:cafe::beef

NOTE: The other-country catch-all should work for IPv6-only

$ host cc.archive.ubuntu.com
cc.archive.ubuntu.com has address 91.189.91.13
cc.archive.ubuntu.com has address 91.189.91.14
cc.archive.ubuntu.com has address 91.189.91.15
cc.archive.ubuntu.com has address 91.189.92.156
cc.archive.ubuntu.com has address 91.189.92.176
cc.archive.ubuntu.com has address 91.189.92.177
cc.archive.ubuntu.com has address 91.189.92.201
cc.archive.ubuntu.com has address 91.189.92.202
cc.archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::15
cc.archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::19
cc.archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::1a
cc.archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::22
cc.archive.ubuntu.com has IPv6 address 2001:67c:1360:8c01::23

NOTE2: The A -only replies above are for servers that also have IPv6. e.g.

$ host 91.189.91.13
13.91.189.91.in-addr.arpa domain name pointer ragana.canonical.com.

$ host ragana.canonical.com.
ragana.canonical.com has address 91.189.91.13
ragana.canonical.com has IPv6 address 2001:67c:1360:4801::13

Wesley George (wesgeorge-iv) wrote :

Right. I mean, I can fix this locally by editing my apt-hosts, but the point I was making was more that it doesn't work in the default configuration, and the way to fix this is to ensure that all potential apt repos (or at least the ones that will be in the apt-hosts list by default) are IPv6-enabled.

Wesley George (wesgeorge-iv) wrote :

I'm pleased to report that this issue is resolved (at least for me) and I was able to successfully check for, download, and apply new updates with IPv4 completely disabled this morning. us.archive is sporting a shiny new AAAA record now. :-)

Jens Jorgensen (jbj1) wrote :

IPv6 updates fail for me though not because of AAAA records, but rather because the web site doesn't seem to be configured on the IPv6 side:

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/quantal-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 2001:67c:1360:8c01::18 80]

Jelmer Vernooij (jelmer) wrote :

On Mon, Aug 25, 2014 at 08:35:58AM -0000, Jens Jorgensen wrote:
> IPv6 updates fail for me though not because of AAAA records, but rather
> because the web site doesn't seem to be configured on the IPv6 side:
>
> W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/quantal-
> security/multiverse/binary-amd64/Packages 404 Not Found [IP:
> 2001:67c:1360:8c01::18 80]
I don't think this is a misconfiguration. quantal is out of support.

http://security.ubuntu.com/ubuntu/dists/ seems reasonable otherwise.

Cheers,

Jelmer

--
Jelmer Vernooij <email address hidden> - https://jelmer.uk/

Mark A. Ziesemer (ziesemer) wrote :

This again appears to be broken, for both security.ubuntu.com and us.archive.ubuntu.com, at least.

Exactly as Jens had noted above - this is (also) an issue with AAAA records being provided, but not accessible. Though security.ubuntu.com appears to be in ever-so-slightly better shape than security.ubuntu.com.

Some current DNS lookups as of this writing:

security.ubuntu.com has AAAA address 2001:67c:1360:8c01::18
security.ubuntu.com has AAAA address 2001:67c:1562::17
security.ubuntu.com has AAAA address 2001:67c:1562::13
security.ubuntu.com has AAAA address 2001:67c:1562::15
security.ubuntu.com has AAAA address 2001:67c:1360:8c01::19
security.ubuntu.com has AAAA address 2001:67c:1562::16
security.ubuntu.com has AAAA address 2001:67c:1562::14

us.archive.ubuntu.com has AAAA address 2001:67c:1562::14
us.archive.ubuntu.com has AAAA address 2001:67c:1562::16
us.archive.ubuntu.com has AAAA address 2001:67c:1562::13
us.archive.ubuntu.com has AAAA address 2001:67c:1562::17
us.archive.ubuntu.com has AAAA address 2001:67c:1562::15

None of the 2001:67c:1562:: addresses are responding by IPv6, either over ping or HTTP. The two 2001:67c:1360:8c01:: addresses for security.ubuntu.com are properly responding, however.

Please investigate and resolve. Thanks!

Chris Johnston (cjohnston) wrote :

Mark, do you use HE?

Mark A. Ziesemer (ziesemer) wrote :

> do you use HE?

Why, yes! Is this a known issue?

(For anyone else's reference, HE being Hurricane Electric Internet Services <http://he.net/> - and in my case, their IPv6 Tunnel Broker <https://tunnelbroker.net/>.)

I have had native IPv6 available from my ISP for a while now - but the last time I checked, they didn't support static IPs, which makes addressing a LAN a bit difficult, otherwise. Hence, HE...

Everything here was working for at least a year prior to maybe just over a month ago, so whatever is happening here must be somewhat new / recent?

Chris Johnston (cjohnston) wrote :

IIRC it is a routing issue on HE's side.

Mark A. Ziesemer (ziesemer) wrote :

Thanks, Chris. Further references for anyone else looking at this:

- https://forums.he.net/index.php?topic=3345.0 (probably the one you saw?)
- https://forums.he.net/index.php?topic=2911.15
- Bug #1412943

Kenyon Ralph (kralph) wrote :

So, looks like a routing issue with Telia or Internap, not HE.

To me this looks solved, isn't it? IPv6 rules btw

Martin Bogomolni (martinbogo) wrote :

Solved for me.. seems to work.

On Mon, Apr 27, 2015 at 10:32 AM, Peter Brille <email address hidden> wrote:
> To me this looks solved, isn't it? IPv6 rules btw
>
> --
> You received this bug notification because you are a member of IPv6 Task
> Force, which is subscribed to a duplicate bug report (493754).
> https://bugs.launchpad.net/bugs/241305
>
> Title:
> security.ubuntu.com not accessible in IPv6 (AAAA record missing in the
> DNS)
>
> Status in The ubuntu.com website project:
> Fix Released
> Status in update-manager package in Ubuntu:
> Invalid
>
> Bug description:
> Dear,
>
> The apt source list for security update is by default configured to
> security.ubuntu.com.
>
> When you have a system using only IPv6 (and having not access to IPv4 via NAT-PT),
> security.ubuntu.com is only reachable in IPv4.
>
> It would be wise to configure an AAAA record to security.ubuntu.com to at least
> point to one of the many mirrors supporting IPv6 connectivity.
>
> That would avoid system running natively in IPv6 to lack by default the security
> update.
>
> Thanks a lot,
>
> Kind regards
>
> PS : I checked this as being a security vulnerability but this is more a configuration issue
> on the Ubuntu network infrastructure than a real security vulnerability:
>
>
> A DNS AAAA request :
>
>
> dig -t AAAA security.ubuntu.com
>
> ; <<>> DiG 9.4.1-P1 <<>> -t AAAA security.ubuntu.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;security.ubuntu.com. IN AAAA
>
> ;; AUTHORITY SECTION:
> ubuntu.com. 3600 IN SOA ns1.canonical.com. hostmaster.canonical.com. 2008061805 10800 3600 604800 3600
>
> ;; Query time: 134 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jun 19 15:17:39 2008
> ;; MSG SIZE rcvd: 98
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-website/+bug/241305/+subscriptions

Mathias Menzer (mfm) wrote :

Seems to be okay now. I guess the bug can be closed.

In this thread (askubuntu.com/questions/272796/connecting-to-archive-ubuntu-com-takes-too-long) I find a solution, that is

to edit /etc/gai.conf and uncommenting the line:

________________________
#
# For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96 100
________________________

Felipe: changing the preference level of IPv4 is not related to this thread, which is about IPv6 connectivity.

Michael Würtinger (michlel) wrote :

This problem appears again for me:

$ host security.ubuntu.com
security.ubuntu.com has address 91.189.91.14
security.ubuntu.com has address 91.189.91.24
security.ubuntu.com has address 91.189.92.201
security.ubuntu.com has address 91.189.91.23
security.ubuntu.com has address 91.189.91.13
security.ubuntu.com has address 91.189.92.200
security.ubuntu.com has address 91.189.91.15
security.ubuntu.com has address 91.189.88.153
security.ubuntu.com has address 91.189.88.152
security.ubuntu.com has IPv6 address 2001:67c:1560:8001::13
security.ubuntu.com has IPv6 address 2001:67c:1562::16
security.ubuntu.com has IPv6 address 2001:67c:1562::15
security.ubuntu.com has IPv6 address 2001:67c:1360:8c01::18
security.ubuntu.com has IPv6 address 2001:67c:1562::17
security.ubuntu.com has IPv6 address 2001:67c:1560:8001::11
security.ubuntu.com has IPv6 address 2001:67c:1562::14
security.ubuntu.com has IPv6 address 2001:67c:1360:8c01::19

The first IPv6 server in the list (2001:67c:1560:8001::13) does not respond at all:
$ curl -v [2001:67c:1560:8001::13]
* Rebuilt URL to: [2001:67c:1560:8001::13]/
* Trying 2001:67c:1560:8001::13...
* connect to 2001:67c:1560:8001::13 port 80 failed: No route to host
* Failed to connect to 2001:67c:1560:8001::13 port 80: No route to host
* Closing connection 0
curl: (7) Failed to connect to 2001:67c:1560:8001::13 port 80: No route to host

I tried that from two different IPv6 networks, same result.

The other IPv6 hosts return different results for /, I'm not sure if this is intended but it doesn't look good:
2001:67c:1562::16 -> Apache2 Ubuntu Default Page
2001:67c:1562::15 -> Index of /
2001:67c:1360:8c01::18 -> Index of /
2001:67c:1562::17 -> Apache2 Ubuntu Default Page
2001:67c:1560:8001::11 -> Apache2 Ubuntu Default Page
2001:67c:1562::14 -> It works!
2001:67c:1360:8c01::19 -> Index of /

All in all this issue is very annoying since IPv6 is in wide spread use now and it keeps people from installing security updates.

Ryan Rawdon (flieslikeabrick) wrote :

Michael #51 - that is not what this bug report is about. This issue was requesting that IPv6 support be added to security.ubuntu.com in the first place (back before it had AAAA records). I suggest that you look for a more recent bug report mathcing your symtoms, or open a new one. For what it's worth, I can confirm your the issue you are seeing and it does look like it needs to be addressed by Ubuntu SysAdmins.

Haw Loeung (hloeung) wrote :

@michlel and @flieslikeabrick, 2001:67c:1560:8001::13 (cherufe.canonical.com) was fixed around 23rd when it was first discovered.

| $ curl -v [2001:67c:1560:8001::13]
| * Rebuilt URL to: [2001:67c:1560:8001::13]/
| * Trying 2001:67c:1560:8001::13...
| * Connected to 2001:67c:1560:8001::13 (2001:67c:1560:8001::13) port 80 (#0)

BabyBat (babybat) wrote :

Same problem (now with archive.ubuntu.org):
curl -vg [2001:67c:1360:8c01::18]
* Rebuilt URL to: [2001:67c:1360:8c01::18]/
* Hostname was NOT found in DNS cache
* Trying 2001:67c:1360:8c01::18...
* connect to 2001:67c:1360:8c01::18 port 80 failed: Connection timed out
* Failed to connect to 2001:67c:1360:8c01::18 port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 2001:67c:1360:8c01::18 port 80: Connection timed out

Here is "dig -t AAAA archive.ubuntu.com" output:

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -t AAAA archive.ubuntu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57059
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;archive.ubuntu.com. IN AAAA

;; ANSWER SECTION:
archive.ubuntu.com. 266 IN AAAA 2001:67c:1360:8c01::18
archive.ubuntu.com. 266 IN AAAA 2001:67c:1560:8001::11
archive.ubuntu.com. 266 IN AAAA 2001:67c:1562::16
archive.ubuntu.com. 266 IN AAAA 2001:67c:1562::19
archive.ubuntu.com. 266 IN AAAA 2001:67c:1360:8c01::19
archive.ubuntu.com. 266 IN AAAA 2001:67c:1360:8001::17

;; AUTHORITY SECTION:
ubuntu.com. 516 IN NS ns4.p27.dynect.net.
ubuntu.com. 516 IN NS ns2.p27.dynect.net.
ubuntu.com. 516 IN NS ns3.p27.dynect.net.
ubuntu.com. 516 IN NS ns1.p27.dynect.net.

;; Query time: 0 msec
;; SERVER: 10.1.94.8#53(10.1.94.8)
;; WHEN: Thu Apr 14 13:59:28 MSK 2016
;; MSG SIZE rcvd: 301

BabyBat (babybat) on 2016-04-14
description: updated
Paul Gear (paulgear) wrote :

@babybat and all future commenters on this bug: regarding any connectivity issues to Ubuntu IPv6 addresses, please email <email address hidden> instead of adding comments to this bug.

Paul Gear (paulgear) on 2017-06-02
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.