On 11/17/16, Matthew Kaufman <matt...@matthew.at> wrote:
> I sent email there and to another contact I had at the time.
and the response was?

> And I'm not going to break my users by turning IPv6 back on, so someone
> else will need to work with them.

That's fine, but until someone is willing to work with them don't expect it to get fixed.

Regards,
Lee

>
> Matthew Kaufman
>
> On Thu, Nov 17, 2016 at 9:48 AM Lee <ler...@gmail.com> wrote:
>
>> On 11/16/16, Matthew Kaufman <matt...@matthew.at> wrote:
>> > The good news is that I reported this particular site as a problem two
>> > and three years ago, both, and it isn't any worse.
>>
>> did you contact Pay.gov Customer Service at:
>> 800-624-1373 (Toll free, Option #2)
>> or send an email to
>> pay.gov.c...@clev.frb.org
>>
>> I just called, but I can't duplicate the problem and they need to work
>> with someone that is having a problem reaching the site.
>>
>> Regards,
>> Lee
>>
>> >
>> > Matthew Kaufman
>> > On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <ma...@isc.org> wrote:
>> >
>> >> In message <cc8936b2-1396-4375-85aa-a0247fd78...@consulintel.es>,
>> >> JORDI PALET MARTINEZ writes:
>> >> > I think it is not just a matter of testing behind a 1280 MTU, but
>> >> > about making sure that PMTUD is not broken, so it just works in any
>> >> > circumstances.
>> >> >
>> >> > Regards,
>> >> > Jordi
>> >>
>> >> If you don't do MSS fix up a 1280 link in the middle will find PMTUD
>> >> issues provided the testing host has a MTU > 1280.
>> >>
>> >> Mark
>> >>
>> >> > -----Original Message-----
>> >> > From: NANOG <nanog-boun...@nanog.org> on behalf of Mark Andrews <ma...@isc.org>
>> >> > Reply-To: <ma...@isc.org>
>> >> > Date: Thursday, 17 November 2016, 9:26
>> >> > To: Lee <ler...@gmail.com>
>> >> > CC: <nanog@nanog.org>
>> >> > Subject: Re: pay.gov and IPv6
>> >> >
>> >> > In message <cad8gwsvetsmn1ssfk_adttkheog0e1zfxrld11fpkbpjghm...@mail.gmail.com>,
>> >> > Lee writes:
>> >> > > On 11/16/16, Mark Andrews <ma...@isc.org> wrote:
>> >> > > >
>> >> > > > In message <1479249003.3937.6.ca...@ns.five-ten-sg.com>,
>> >> > > > Carl Byington writes:
>> >> > > >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> > > >> Hash: SHA512
>> >> > > >>
>> >> > > >> Following up on a two year old thread, one of my clients just
>> >> > > >> hit this problem. The failure is not that www.pay.gov is not
>> >> > > >> reachable over ipv6 (2605:3100:fffd:100::15). They accept (TCP
>> >> > > >> handshake) the port 443 connection, but the connection then
>> >> > > >> hangs waiting for the TLS handshake.
>> >> > > >>
>> >> > > >> openssl s_client -connect www.pay.gov:443
>> >> > > >>
>> >> > > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>> >> > > >>
>> >> > > >> Browsers (at least firefox) see that as a very slow site, and
>> >> > > >> it does not trigger their happy eyeballs fast failover to ipv4.
>> >> > > >
>> >> > > > Happy eyeballs is about making the connection not whether TCP
>> >> > > > connections work after the initial packet exchange.
>> >> > > >
>> >> > > > I would send a physical letter to the relevant Inspector General
>> >> > > > requesting that they ensure all web sites under their jurisdiction
>> >> > > > that are supposed to be reachable from the public net get audited
>> >> > > > regularly to ensure that IPv6 connections work from public IP space.
>> >> > >
>> >> > > That will absolutely work.
>> >> > >
>> >> > > NIST is still monitoring ipv6 .gov sites
>> >> > > https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
>> >> >
>> >> > Which show green which means that the tests they are doing are not
>> >> > sufficient. They need to test from behind a 1280 mtu link.
>> >> >
>> >> > The DNSSEC testing is also insufficient. 9-11commission.gov shows
>> >> > green for example but if you use DNS COOKIES (which BIND 9.10.4 and
>> >> > BIND 9.11.0 do) then servers barf and return BADVERS and validation
>> >> > fails. QWEST you have been informed of this already.
>> >> >
>> >> > Why the hell should validating resolver have to work around the
>> >> > crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
>> >> > servers. You get PAID to do DNS because people think you are
>> >> > competent to do the job. Evidence shows otherwise.
>> >> >
>> >> > https://ednscomp.isc.org/compliance/gov-full-report.html show the
>> >> > broken servers for .gov. It isn't hard to check.
>> >> >
>> >> > > so the IG isn't going to do anything there & pay.gov has a
>> >> > > contact us page
>> >> > > https://pay.gov/public/home/contact
>> >> > > that I'd bet works much better than a letter to the IG
>> >> >
>> >> > You have to be able to get to https://pay.gov/public/home/contact
>> >> > to use it. Most people don't have the skill set to force the use of
>> >> > IPv4.
>> >> >
>> >> > If it is production it should work. It is the I-G's role to ensure
>> >> > this happens. Butts need to be kicked.
>> >> >
>> >> > Mark
>> >> >
>> >> > > Regards,
>> >> > > Lee
>> >> > --
>> >> > Mark Andrews, ISC
>> >> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >> > PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
>> >> >
>> >> > **********************************************
>> >> > IPv4 is over
>> >> > Are you ready for the new Internet ?
>> >> > http://www.consulintel.es
>> >> > The IPv6 Company
>> >> >
>> >> > This electronic message contains information which may be privileged
>> >> > or confidential. The information is intended to be for the use of the
>> >> > individual(s) named above. If you are not the intended recipient be
>> >> > aware that any disclosure, copying, distribution or use of the
>> >> > contents of this information, including attached files, is prohibited.
>> >> >
>> >> --
>> >> Mark Andrews, ISC
>> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >> PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
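
The symptom discussed in this thread (TCP connects over IPv6, then the TLS handshake hangs) can be told apart from an ordinary outage by repeating the handshake with a clamped MSS. The following is an added example, not code from any poster in the thread; it assumes a Linux client (`TCP_MAXSEG`) with a local MTU above 1280, and the function names and result labels are illustrative.

```python
import socket
import ssl

# 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 20 (TCP header)
CLAMPED_MSS = 1220

def tls_probe(host, addr, family, mss=None, timeout=10.0):
    """One TCP+TLS attempt to addr:443 -> 'ok', 'tcp_fail', 'tls_hang', 'tls_error'."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if mss is not None:
            # Must be set before connect() so the SYN advertises the small MSS
            # and the server's certificate flight fits a 1280-byte path.
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, mss)
        try:
            sock.connect((addr, 443))
        except OSError:
            return "tcp_fail"
        try:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return "ok"
        except socket.timeout:
            return "tls_hang"   # the symptom described in the thread
        except OSError:         # includes ssl.SSLError
            return "tls_error"
    finally:
        sock.close()

def classify(default_mss, clamped_mss):
    """Interpret two tls_probe() results for the same IPv6 address."""
    if default_mss == "ok":
        return "healthy"
    if default_mss == "tcp_fail":
        return "unreachable"          # clients fail over to IPv4 on their own
    if default_mss == "tls_hang" and clamped_mss == "ok":
        return "pmtud_blackhole"      # large segments lost, small ones pass
    return "other_failure"

def diagnose(host):
    """Probe every AAAA address of host with the default and the clamped MSS."""
    results = {}
    for *_, sockaddr in socket.getaddrinfo(host, 443, socket.AF_INET6, socket.SOCK_STREAM):
        addr = sockaddr[0]
        results[addr] = classify(tls_probe(host, addr, socket.AF_INET6),
                                 tls_probe(host, addr, socket.AF_INET6, CLAMPED_MSS))
    return results
```

Calling `diagnose("www.example.gov")` (a placeholder hostname) returns one verdict per IPv6 address; a `healthy` result only means the path from that vantage point carried full-size segments, which is why the thread asks for testing from behind a 1280 MTU link.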