The intention was to have the Validation Authority of the CA try IPv6 first if there is an AAAA record, and fall back to IPv4 if the AAAA record timed out or failed. There is a known issue right now (HTTP-01 IPv6 to IPv4 fallback not working properly · Issue #2770 · letsencrypt/boulder · GitHub) where it appears the initial IPv6 request may use the full VA timeout preventing the IPv4 fallback from happening.
Why is the user unable to provision a challenge response server on the IPv6 address?
Remember that lots of mobile providers have enabled IPv6 these days. I’ll end up getting 404s on LTE but not on WiFi if their server is configured this way. It doesn’t just break Let’s Encrypt!
Yes, I almost agree with you. but there is no reason, they just have AAAA record on the domain.
In the current Internet world, ipv6 is not so widely used.
No matter by mistake or in purpose, they have a ipv6 on the domain, it’s better if the validation can pass smoothly on either ipv6 or ipv4.
In memory, the ACME protocol doesn’t specify whether to use ipv4 or ipv6. As long as a user can prove the domain(no matter on ipv4 or ipv6), he should be able to request a cert.
Seems like an easy fix then They can remove the AAAA record they have without reason and it will work.
I think there's work to be done on improving the IPv4 fallback to help with this situation but overall I'm not supportive of a mode that allows you to specify whether the validation is done over IPv4 or IPv6 - the user already has full control of that by means of their DNS. If you 100% only want validation to be done with IPv4, don't advertise an IPv6 address. Working around this at a protocol level is the wrong answer.