Include certificates issued via IPv6 on stats page

Any chance you can break down certificates issued via IPv6 on the cert stats page?

This would be a great indicator of IPv6 uptake.

6 Likes

If you're going to single IPv6 out, then you should also show IPv4.
If you're going down that route..., why not break down the three types of authentication also:

  • DNS-01
  • HTTP-01 [IPv6 / IPv4]
  • TLS-ALPN-01 [IPv6 / IPv4]

Did we miss anyone?
[it doesn't hurt to ask... maybe Santa will bring us more visibility into these things]

8 Likes

Really, with all three challenge types, it might be neat to see whether the DNS server was reached over IPv4 or IPv6, too.

I bet that Let's Encrypt has higher priorities to work on though, even though the stats would be interesting.

10 Likes

No. This would be the greatest indicator of IPv6 uptake.

Brilliant idea.

7 Likes

As what the VA will request is pretty much the same (ignoring PQDN length and redirects), can't we just attach a traffic monitor in front of the VA and see how many GB the VA requests on port 80 to get a ballpark number for the IPv4/IPv6 addresses servers publish on the network?

5 Likes

Could check the database as well, the addressUsed will be contained within the validationRecord for each authorization.

7 Likes

Well, seeing as 80% of HTTP-01 validation attempts fail, I think you might want to somehow limit it to only successful attempts, or else your results would be skewed by servers that are trying to get certificates but aren't actually set up for users to see anymore.

6 Likes

It could turn out the amount of failed requests over IPv6 is significantly lower since NAT is removed from the equation, e.g. port forwarding issues.

Would be interesting to compare failed HTTP-01 IPv6 validations vs IPv4.

3 Likes

I'm liking the thinking here!
It would answer the question: Are IPv6 users smarter than IPv4 users?
LOL

5 Likes

The stats page is generated via a somewhat brittle script that parses log files right now, so we’re unlikely to change it until we’ve got a better data pipeline set up.

IPv6 adoption isn’t something Let’s Encrypt is focused on, so it probably doesn’t make sense for us to include it in our top-line statistics.

8 Likes

To clarify, is your answer "it's been added to the backlog but won't likely be implemented anytime soon" or "this is not something that Let's Encrypt isn't interested in implementing"?

Thanks

6 Likes

I think it's the latter, like why not publish what web server LE sees in HTTP-01: it would be interesting but out of focus.

5 Likes

It's not something that's going to make it onto our stats page at least in its current incarnation.

I did a tiny bit of log scraping and aggregation to get some IPv6 stats. This is only the last 3 days' worth of data, and had a few processing shortcuts that mean it may not be completely complete. This is only looking at HTTP-01 and TLS-ALPN-01 challenges, and doesn't look at what protocol DNS was done with.

Currently approximately 17% of our validations are over IPv6.
The success rate for IPv6 is 15%. The success rate for IPv4 is 24%.

So at least in this somewhat simple sample, IPv6 has notably lower success rates.

10 Likes
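
A sketch of the kind of aggregation described in the post above, as an added example that is not Let's Encrypt's script or data: it groups HTTP-01 and TLS-ALPN-01 validation attempts by the address family of `addressUsed` and reports each family's share of attempts and success rate. The record layout (the `challenge` and `status` keys) and every sample record are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records, not real validation data. Only the name
# addressUsed comes from the thread; the other keys are assumptions.
SAMPLE = [
    {"challenge": "http-01", "addressUsed": "203.0.113.10", "status": "valid"},
    {"challenge": "http-01", "addressUsed": "203.0.113.11", "status": "invalid"},
    {"challenge": "http-01", "addressUsed": "198.51.100.5", "status": "invalid"},
    {"challenge": "tls-alpn-01", "addressUsed": "198.51.100.6", "status": "invalid"},
    {"challenge": "tls-alpn-01", "addressUsed": "2001:db8::1", "status": "valid"},
    {"challenge": "http-01", "addressUsed": "2001:db8::2", "status": "invalid"},
    {"challenge": "dns-01", "status": "valid"},                         # no connection to the host
    {"challenge": "http-01", "addressUsed": "", "status": "invalid"},   # failed before connecting
]

# DNS-01 is excluded: the validation never connects to the subscriber's server.
COUNTED_CHALLENGES = {"http-01", "tls-alpn-01"}


def family(addr):
    """Return 'IPv4' or 'IPv6' for an address string, or None if unparseable."""
    try:
        return f"IPv{ipaddress.ip_address(addr).version}"
    except ValueError:
        return None


def summarize(records):
    """Per address family: attempts, share of all counted attempts, success rate."""
    attempts, successes = Counter(), Counter()
    for rec in records:
        if rec.get("challenge") not in COUNTED_CHALLENGES:
            continue
        fam = family(rec.get("addressUsed") or "")
        if fam is None:
            continue  # nothing was contacted, so there is no family to attribute
        attempts[fam] += 1
        if rec.get("status") == "valid":
            successes[fam] += 1
    total = sum(attempts.values())
    return {
        fam: {
            "attempts": n,
            "share": n / total,
            "success_rate": successes[fam] / n,
        }
        for fam, n in attempts.items()
    }


if __name__ == "__main__":
    for fam, stats in sorted(summarize(SAMPLE).items()):
        print(fam, stats)
```

Reporting attempts and success rate separately keeps failed validations from inflating either family's apparent uptake.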

Thanks for digging into it!

Yeah, I suspect that a lot of the what I'll call "reluctant administrators" who don't really want to "run a server" but end up doing so for one reason or another don't know how to check that their site is running properly over both IPv4 & IPv6.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.