Good day! During testing of my setup with different tools available on the internet, I mostly got good ratings. There is a specific tool however (which is loaded with a ton of checks for diverse best practices and recommendations) where my setup is shown as a complete failure. =) I am talking about https://check-your-website.server-daten.de/
Here, my DNS-servers (provided by deSEC) are the culprit for failing, as they don’t work via TCP. I was wondering why this could be such a problem, if the setup validates with all other tests I found.
I wrote to the developer, who informed me that TCP is an IANA requirement:
You’re right. After some digging (pun intended) in the report of the tool, it seems that it complains about the NS get.desec.io, which for me is reachable via TCP as well. But I can only test IPv4. The tool complains it’s not reachable via its IPv6 address.
I don’t know. Perhaps it’s just an academic problem, as it’s working in the real world for all of us. But perhaps you are interested in the finding. I’ll ignore the outcome of this test suite for now.
dig -6 @ns1.desec.io +tcp fails, as does dig -6 @get.desec.io +tcp, but dig -6 @ns2.desec.org +tcp works for me. That would seem to be a bug, i.e. all servers should respond on port 53 TCP on IPv4 and IPv6, I think.
$ host ns1.desec.io
ns1.desec.io has address 45.54.76.1
ns1.desec.io has IPv6 address 2607:f740:e633:deec::2
$ host ns2.desec.org
ns2.desec.org has address 157.53.224.1
ns2.desec.org has IPv6 address 2607:f740:e00a:deec::2
$ host get.desec.io
get.desec.io has address 88.99.64.5
get.desec.io has IPv6 address 2a01:4f8:10a:1044:deec:642:ac10:80
$
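The dig probes above check one server and one address family per command. The script below, an added example that is not code from this thread or from deSEC, generalises that check: it resolves every nameserver name to all of its A and AAAA records and sends a framed SOA query over TCP/53 to each address with the matching address family, so an IPv6-only TCP failure on one host shows up next to a working IPv4 result for the same host. It builds and parses the DNS message by hand with the standard library so the 2-byte length prefix that distinguishes DNS over TCP from UDP is visible. The nameserver names in the main block are the ones named in the thread; querying the zone desec.io against them is an assumption, and the loopback responder is a stand-in authoritative server used only to exercise the framing offline.

```python
"""Probe a zone's nameservers for DNS over TCP (port 53) on IPv4 and IPv6.
Added example (not from the thread or deSEC); standard library only."""
import random
import socket
import struct
import threading

QTYPE_SOA, QCLASS_IN = 6, 1


def build_query(qname, qtype=QTYPE_SOA, qclass=QCLASS_IN):
    """Return (txid, wire message) for a non-recursive query (RD clear)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def frame_tcp(msg):
    """DNS over TCP prefixes each message with its length in network byte order."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def recv_exact(sock, n):
    """TCP is a stream: keep reading until n bytes arrived or the peer closed."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_tcp_message(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def probe_tcp(addr, family, qname, port=53, timeout=3.0):
    """Connect to a literal IP with the given family; return the parsed reply header."""
    txid, query = build_query(qname)
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((addr, port))
        s.sendall(frame_tcp(query))
        reply = read_tcp_message(s)
    hdr = parse_header(reply)
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch: sent %04x, got %04x" % (txid, hdr["id"]))
    return hdr


def probe_nameservers(zone, nameservers):
    """Resolve each NS name to all A/AAAA addresses and probe every one over TCP."""
    results = []
    for ns in nameservers:
        for fam, _, _, _, sockaddr in socket.getaddrinfo(ns, 53, type=socket.SOCK_STREAM):
            addr = sockaddr[0]
            try:
                hdr = probe_tcp(addr, fam, zone)
                status = "ok (aa=%s rcode=%d)" % (hdr["aa"], hdr["rcode"])
            except (OSError, ValueError) as exc:
                status = "FAIL: %s" % exc
            results.append((ns, addr, "IPv6" if fam == socket.AF_INET6 else "IPv4", status))
    return results


def serve_one_tcp_query(listener):
    """Responder side (stand-in authoritative server): read one framed query and
    echo the question back with QR and AA set and no answer records."""
    conn, _ = listener.accept()
    with conn:
        query = read_tcp_message(conn)
        txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
        reply = struct.pack("!HHHHHH", txid, 0x8400, qd, 0, 0, 0) + query[12:]
        conn.sendall(frame_tcp(reply))


def loopback_demo(zone="example.com."):
    """Run the responder on 127.0.0.1 in a thread and probe it (works offline)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)  # so the thread cannot hang in accept() forever
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one_tcp_query, args=(listener,))
    t.start()
    try:
        return probe_tcp("127.0.0.1", socket.AF_INET, zone, port=port)
    finally:
        t.join()
        listener.close()


if __name__ == "__main__":
    import sys
    # Nameserver names taken from the thread; the zone to query is an assumption.
    zone = sys.argv[1] if len(sys.argv) > 1 else "desec.io"
    for ns, addr, fam, status in probe_nameservers(
            zone, ["ns1.desec.io", "ns2.desec.org", "get.desec.io"]):
        print("%-16s %-5s %-40s %s" % (ns, fam, addr, status))
```

Run it on a dual-stack host with `python3 probe_tcp53.py desec.io`; a host without IPv6 connectivity will report every AAAA address as a connect failure, which is the same limitation the IPv4-only poster above ran into, so compare results from a machine that can actually reach IPv6 before reporting a server as broken. The probe sets no RD bit and checks the AA flag, since the point is whether the authoritative server itself answers over TCP, not whether some recursive resolver does.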