The lovely new CT logs currently only support IPv4:
oak.ct.letsencrypt.org. 59 A 3.14.209.140
oak.ct.letsencrypt.org. 59 A 3.18.34.253
oak.ct.letsencrypt.org. 59 A 18.218.204.248
testflume.ct.letsencrypt.org. 59 A 34.212.84.189
testflume.ct.letsencrypt.org. 59 A 35.163.216.244
testflume.ct.letsencrypt.org. 59 A 52.43.227.29
Can you add IPv6 support?
I'm only asking because I always promote IPv6, and everything else you run is dual-stack. I don't have any sort of specific problem.
Assuming they're running on ELBs, it should be as simple as adding AAAA ALIAS records, and/or switching to the dualstack ELB hostnames. (I'm kind of guessing, since I've never done it.) Enabling IPv6 should reduce your Route 53 bills, since ALIAS responses are free but NODATA responses are charged.
Of course, enabling things is simpler than solving other issues like monitoring or software support.
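As an added example (not code from any poster here), a small monitoring helper of the kind the reply above alludes to: it takes dig-style A/AAAA answer lines like the ones quoted at the top of the thread, reports whether each log name is dual-stack or IPv4-only, and offers a per-address TCP connect probe so a half-configured IPv6 path shows up as a v6-only failure. The sample record lines are constructed; the `dualstack.example` name and its documentation-range addresses are invented.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample in dig-style "name ttl type address" form; the
# dual-stack name is invented (documentation ranges 192.0.2.0/24, 2001:db8::/32).
SAMPLE_RECORDS = """\
oak.ct.letsencrypt.org. 59 A 3.14.209.140
oak.ct.letsencrypt.org. 59 A 3.18.34.253
testflume.ct.letsencrypt.org. 59 A 34.212.84.189
dualstack.example. 59 A 192.0.2.10
dualstack.example. 59 AAAA 2001:db8::10
"""

def parse_records(text):
    """Group A/AAAA answer lines by hostname: {name: {"A": [...], "AAAA": [...]}}."""
    table = defaultdict(lambda: {"A": [], "AAAA": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("A", "AAAA"):
            continue
        name, _ttl, rtype, addr = parts
        ip = ipaddress.ip_address(addr)  # rejects anything that is not an IP literal
        # An A record must carry a v4 address and AAAA a v6 one; anything else is bad data.
        if (rtype == "A") != (ip.version == 4):
            raise ValueError(f"{rtype} record with IPv{ip.version} address: {line}")
        table[name.rstrip(".")][rtype].append(str(ip))
    return dict(table)

def dual_stack_status(table):
    """Classify each name as 'dual-stack', 'ipv4-only' or 'ipv6-only'."""
    status = {}
    for name, recs in table.items():
        has4, has6 = bool(recs["A"]), bool(recs["AAAA"])
        status[name] = "dual-stack" if has4 and has6 else ("ipv4-only" if has4 else "ipv6-only")
    return status

def tcp_reachable(addr, port=443, timeout=3.0):
    """Per-address connect probe (needs network); a v6 literal is refused/times out
    while its v4 sibling answers is the half-configured state a monitor should flag."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Feed `parse_records` the output of a live `dig +noall +answer name A` / `AAAA` query, then run `tcp_reachable` over each address of a dual-stack name to separate "no AAAA published" from "AAAA published but unreachable".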
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2620:108:700f::22d4:54bd]:80
I thought I had all of the IPv6 configuration in our AWS VPCs sussed out. Turns out that I missed assigning IPv6 routes to the routing table. That's been fixed in our terraform config.
A change was made to an ELB security group to allow IPv6 communication. Kubernetes should have done this automatically, but didn't. I found the following upstream issue that might address this in the future. https://github.com/kubernetes/kubernetes/issues/77745
After much trial and error with our environment, we have decided to postpone deploying IPv6 to the Testflume and Oak logs. Our plan is to wait for the Kubernetes and AWS ecosystem to mature. Thank you for your patience with me on this one.
For others who may undertake this adventure on their own AWS-based CT logs, hopefully this research will help.
Type: ELB (classic Elastic Load Balancer)
Protocol support: IPv4; IPv6 only in EC2-Classic. We use EC2-VPC, which means no IPv6 support on the ELB.
OSI: Layer 4
TLS Termination: Offered, but not mandatory. Termination can be done at the webserver.
Viability: No
Docs: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internet-facing-load-balancers.html

Type: ALB (Application Load Balancer)
Protocol support: IPv4, IPv6
OSI: Layer 7
TLS Termination: Mandatory. Can use either the Amazon Certificate Manager or upload a certificate to the Amazon Identity Store. No existing ingress supports uploading arbitrary certificates to the Identity Store, meaning we would have to build our own solution or use Amazon-issued certificates on our logs.
Viability: Maybe
Docs: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#ip-address-type

Type: NLB (Network Load Balancer)
Protocol support: IPv4
OSI: Layer 4
TLS Termination: Offered, but not mandatory. Termination can be done at the webserver.
Viability: No
Docs: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html