I fixed it (and Netflix) by turning off IPv6 for all my users... but any chance this is a path MTU issue causing the apparent hang?

Matthew Kaufman

On Wed, Nov 16, 2016 at 12:26 PM Mark Andrews <ma...@isc.org> wrote:

>
> In message <1479249003.3937.6.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Following up on a two year old thread, one of my clients just hit this
> > problem. The failure is not that www.pay.gov is not reachable over ipv6
> > (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > connection, but the connection then hangs waiting for the TLS handshake.
> >
> > openssl s_client -connect www.pay.gov:443
> >
> > openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> >
> > Browsers (at least firefox) see that as a very slow site, and it does
> > not trigger their happy eyeballs fast failover to ipv4.
>
> Happy eyeballs is about making the connection not whether TCP
> connections work after the initial packet exchange.
>
> I would send a physical letter to the relevant Inspector General
> requesting that they ensure all web sites under their jurisdiction
> that are supposed to be reachable from the public net get audited
> regularly to ensure that IPv6 connections work from public IP space.
>
> While you are sending the letter can you also ask why pay.gov's DNS
> servers are broken.
>
> Checking: 'pay.gov' as at 2016-11-16T20:21:28Z
>
> pay.gov @199.169.194.28 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt
> ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok
> optlist=ok
> pay.gov @2605:3100:fffc:100::7 (ns1.twai.gov.): edns=ok edns1=timeout
> edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok
> edns@512tcp=ok optlist=ok
> pay.gov @199.169.192.28 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt
> ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok
> optlist=ok
> pay.gov @2605:3100:fffd:100::7 (ns2.twai.gov.): edns=ok edns1=timeout
> edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok
> edns@512tcp=ok optlist=ok
>
> Mark
>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.14 (GNU/Linux)
> >
> > iEYEAREKAAYFAlgrjDEACgkQL6j7milTFsG8OwCgh5yRxxZHskjL4HVhzxIEmenA
> > LQgAniRMcYf/DIcg+8ve55MxUgrUbmzC
> > =MS8j
> > -----END PGP SIGNATURE-----
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
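
Added example, not part of the original thread: a Python probe that times the TCP connect and the TLS handshake separately for each address of a host, so the "TCP accepts, TLS hangs" case reported above shows up as its own result instead of as a slow site. The names `probe`, `probe_host` and `silent_listener` are invented here, and the silent listener is a constructed local stand-in for a server that completes the TCP handshake and never answers the ClientHello.

```python
import socket
import ssl


def probe(addr, port, server_name, timeout=5.0):
    """Classify one address: 'tcp_fail', 'tls_hang', 'tls_error' or 'ok'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((addr, port))       # stage 1: TCP handshake only
        except OSError:
            return "tcp_fail"
        ctx = ssl.create_default_context()
        try:
            # stage 2: ClientHello goes out, then we wait for the ServerHello
            tls = ctx.wrap_socket(sock, server_hostname=server_name)
        except socket.timeout:
            return "tls_hang"                # TCP fine, handshake never completes
        except OSError:                      # includes ssl.SSLError and resets
            return "tls_error"
        tls.close()
        return "ok"
    finally:
        sock.close()


def probe_host(host, port=443, timeout=5.0):
    """Probe every A and AAAA address of host; returns {address: result}."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return {a: probe(a, port, host, timeout) for a in addrs}


def silent_listener():
    """Constructed stand-in: the kernel completes the TCP handshake for the
    listening socket, but nothing ever reads or answers the ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = silent_listener()
    print(probe("127.0.0.1", port, "example.test", timeout=1.0))  # tls_hang
    srv.close()
```

Run from a dual-stack monitoring host, `probe_host` returning `tls_hang` for the AAAA address and `ok` for the A address is the pattern described in the quoted report.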