Hi. Maybe in 2019 you will give more priority to IPv4 and not IPv6? There are countless topics about this problem, and with 99% IPv4 servers and 1% IPv4 + IPv6 you decided on IPv6? Where is the logic?
If you have a specific technical issue or request, please put in the details and people can help you, otherwise vague rants aren’t useful to anyone.
People have been asking you for 2 years to give IPv4 more priority, isn’t it an issue?
Hi @krioz
I don't think, and I don't hope, that Let's Encrypt switches back to IPv4.
IPv6 has a lot of additional features.
So if a domain has IPv6 AAAA entries, IPv6 should work.
If not, it's a good indicator that something is wrong. Perhaps the IP address is spoofed.
IPv6 with DNSSEC is amazing.
PS: Only IPv4 is supported. So there is no problem.
Hi @krioz,
This is an issue fully in your own control: you can remove the AAAA records in your DNS zone and no IPv6 connections will be made. By advertising an AAAA record you are inviting connections to your domain over IPv6.
Please correct me if I’m wrong, but prioritizing IPv6 over IPv4 helps to discover problems with IPv6 that some of your visitors already experience. Or do you have a more specific argument?
I think your priorities here are wrong. If a site has an AAAA record, but isn’t reachable over IPv6, then the site’s configuration is broken. The site operator should fix this, either by fixing IPv6 connectivity or removing the AAAA record.
Preferring IPv6 over IPv4, when both the server and the client support it, is standard practice. Almost every application and operating system behaves this way. Let’s Encrypt is just a canary in the coal mine: if it’s having trouble reaching you over IPv6, it’s probably not the only IPv6 related problem you’re having, it’s just the one you’ve noticed.
When you have 1-2 domains it’s not an issue, but when you have thousands of domains from different providers (sometimes with a wrong IPv6 configuration) and it takes more than a day or two to solve the problem, then it would be nice if there were an option ‘check over ipv4’, so you can use it for problem domains.
If you have a non-working IPv6 configuration, you should remove the dns-AAAA entry or fix it.
There is a growing number of users with IPv6. They may have timeouts or can't see the site.
Check
https://www.google.com/intl/en/ipv6/statistics.html
USA has 33% IPv6 traffic, Germany has 42% (cable providers use IPv6 and DS Lite (no explicit IPv4), Telecom and others switch to IPv6 + IPv4 if ISDN is removed).
Conclusion: Such a switch will not come, you have to find other solutions.
You are working with certificates and talking about the amount of traffic? Not the number of domains?
If you are using only the most popular sites, such as Google, YouTube and Facebook, with IPv6 support, then it means 100% IPv6 traffic? What about real statistics? Here https://www.apnic.net/community/ipv6-program/data/ you can find statistics (https://bgp.he.net/ipv6-progress-report.cgi/) for May 2019 about *.com (for example) domains, where among 139809442 domains 89.5% have IPv4 and 5.5% have IPv6.
Multiple people have told you to remove your AAAA record to resolve your IPv6 problems, since AAAA indicates that you fully support IPv6… and obviously you don’t. Why won’t you try that quick and simple step?
Maybe because of this? Ipv6 again. Give more priority to ipv4. And I’m not asking about "how to solve this problem" because I know it myself. I’m asking about the logic behind this action, because in percentage terms IPv4 is more actual.
I think there’s a difference in opinions here unlikely to be resolved with further discussion.
We cannot support the partial solution you’re recommending (an inversion of protocol preference) and continue to recommend that domains without functional IPv6 connectivity do not advertise an IPv6 address in DNS. Resolving the problem in any other way than fixing the IPv6 connectivity or removing the AAAA record is a partial band-aid that addresses only one symptom (Let’s Encrypt certificate issuance) and not the many other problems you will encounter from advertising broken IPv6. Our current behaviour w.r.t. IPv6/IPv4 is common best practice and has not been an issue for millions of other subscribers.
I’m going to close this thread since there aren’t any directions to continue this discussion. If you have other questions on a topic other than IPv6 and IPv4 priority please feel free to open a new thread.
Thanks everyone,
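
An added example, not part of the thread and not Let's Encrypt's code: the advice given above (fix IPv6 connectivity or remove the AAAA record) applied across many domains, by listing which hosts advertise AAAA addresses that do not accept a TCP connection. Port 80, the 5-second timeout and the `.example` host names are assumptions, and the sample data in `demo()` is constructed.

```python
import socket

def aaaa_addresses(host, resolve=socket.getaddrinfo):
    """Return the IPv6 addresses a host advertises in DNS (empty if none)."""
    try:
        infos = resolve(host, 80, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_connects(addr, port=80, timeout=5.0):
    """True if a TCP connection to the given address succeeds in time."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(hosts, resolve=socket.getaddrinfo, connect=tcp_connects):
    """Map each host to (status, list of unreachable AAAA addresses)."""
    report = {}
    for host in hosts:
        addrs = aaaa_addresses(host, resolve)
        dead = [a for a in addrs if not connect(a)]
        if not addrs:
            report[host] = ("no-aaaa", [])        # IPv4 only, nothing advertised
        elif dead:
            report[host] = ("broken-ipv6", dead)  # fix IPv6 or drop the record
        else:
            report[host] = ("ok", [])
    return report

def demo():
    """Run the audit over constructed data (documentation prefix 2001:db8::/32)."""
    zone = {"good.example": ["2001:db8::1"],
            "stale.example": ["2001:db8::2", "2001:db8::3"],
            "v4only.example": []}
    reachable = {"2001:db8::1", "2001:db8::3"}

    def fake_resolve(host, port, family, socktype):
        if not zone[host]:
            raise socket.gaierror("no AAAA record")
        return [(family, socktype, 6, "", (a, port, 0, 0)) for a in zone[host]]

    return audit(zone, fake_resolve, lambda addr: addr in reachable)

if __name__ == "__main__":
    for host, (status, dead) in demo().items():
        print(host, status, ", ".join(dead))
```

For a real audit, call `audit([...])` with your own host names from a machine that itself has working IPv6; without it, every advertised AAAA address will be reported as unreachable.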