On 2/1/2024 22:50, Tim Chown wrote:
> I suppose 80 being open these days is a ‘fail’ of sorts… but probably
> best not to rathole into non IP-specific issues (we tend to use
> https://www.ssllabs.com/ssltest/) and
> rather highlight differences in v4 and v6 behaviour that the sites may
> be unaware of.

I believe (and so does my script :-) that port 80 is the starting point
so it should be open but it should have a 301 (Moved Permanently)
redirect to port 443, where TLS is correctly implemented.
In the slightly different case where the redirect points to a location
that doesn't have a AAAA the script will mark this as a failure with
"redirect lacks AAAA".

> We have some unusual behaviour for jisc.ac.uk, that varies for v4/v6 and
> whether the www is prepended. I think this is being worked on.

The typical problem child is that www.$domain has A and AAAA records and
there is a "web service" listening on those addresses which has some
sort of redirect to just $domain. Sadly it only has an A record and this
results in my script being sad, and you get the aforementioned diagnostic.

> And thanks for the tools :)

You're welcome, and good luck herding the cats.
Mark.
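
The check sequence described in this message (port 80 answers, 301 to HTTPS on 443, redirect target has a AAAA), as an added example that is not the script discussed in the thread. The hostnames, DNS data, port-80 responses and every diagnostic string other than "redirect lacks AAAA" are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed DNS data (assumption): record types published per hostname.
DNS = {
    "www.example.org": {"A", "AAAA"},
    "example.org": {"A"},              # bare domain has no AAAA
    "www.example.net": {"A", "AAAA"},
}

# Constructed port-80 answers over IPv6 (assumption): host -> (status, Location).
HTTP80 = {
    "www.example.org": (301, "https://example.org/"),
    "www.example.net": (301, "https://www.example.net/"),
}


def check_site(host, dns=DNS, http80=HTTP80):
    """Return a diagnostic for one hostname.

    Only "redirect lacks AAAA" is wording from the thread; the other
    strings are hypothetical labels for this example. TLS quality on
    port 443 is not assessed here.
    """
    if "AAAA" not in dns.get(host, set()):
        return "no AAAA"
    resp = http80.get(host)
    if resp is None:
        return "port 80 closed"
    status, location = resp
    if status != 301 or not location:
        return "no 301 redirect"
    target = urlsplit(location)
    # The redirect must land on HTTPS at the default port (443).
    if target.scheme != "https" or target.port not in (None, 443):
        return "redirect not to port 443"
    # The "typical problem child": www has a AAAA, the redirect target does not.
    if "AAAA" not in dns.get(target.hostname, set()):
        return "redirect lacks AAAA"
    return "ok"


if __name__ == "__main__":
    for name in ("www.example.org", "www.example.net", "example.org"):
        print(f"{name}: {check_site(name)}")
```

Replacing the two dictionaries with live DNS and HTTP lookups turns this into a real probe; the decision order stays the same.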