Measuring IPv6 deployment on Indian Govt websites

isp-Column

India has done well on IPv6 deployment thanks to Jio taking the lead in 2016, along with Airtel & VI aggressively catching up. Many of us in the industry are very proud of the work done by these players, resulting in over 78% deployment of IPv6 when measured by APNIC / Google, etc. Jio and Airtel numbers are as high as 95% IPv6 preferred at this point in time.

But that’s one part of the Indian metrics. IPv6 deployment, DNSSEC usage or even Internet Exchange peering - one can find very different metrics depending on how one is measuring. Both APNIC & Google rely on Google’s network and judge how (largely mobile) end users across India are connecting to their (IPv6-enabled) services, and this gives the “eyeballs” side of specs.

One key element missing in the picture is IPv6 support on the Government of India websites. I am using “Govt. of India” loosely here. I mean the Central Govt, state governments, as well as UTs and any of their departments. I have always felt that deployment is very poor, as randomly looking across the critical government websites. The service either shows no DNS AAAA record or may have a AAAA record but does not respond to port 80/443, giving an idea of a broken deployment.

Measuring deployment is hard since (as far as I know) there is no authoritative source of government domains. Likely NIXI or ERNET, etc. may hold them but then getting them may be a long process and may not work at all. Then I thought of certificate transparency logs. Most of the CAs would log TLS certificates issued in public logs. One can read these logs for *.gov.in and *.nic.in to get a list of all government. used domains under those well-known TLDs and the ones which took a TLS certificate. I did some extra checks, like verifying the A record, working website on IPv4, before looking for IPv6. That way I remove all non-existent/old/expired websites. Also, looked for and www. in some cases as TLS may be issued for both. In case of wildcard TLS certificates like *..gov.in, I looked at .gov.in again to see if the website exists on IPv4 and if yes, explored IPv6 deployment on it.


Result

  • There are 3068 visible domains under *.gov.in (with TLS) with a working website IPv4.
  • Out of these 3068, only 140 have working IPv6 on the web, i.e., an IPv6 endpoint is successfully serving the website.
  • There are 1856 domains under *.nic.in (with TLS) with a working website on IPv4.
  • Out of these 1856, only 34 have working IPv6 on the web
  • Majority of websites with working IPv6 are on either Cloudflare, Akamai or Amazon AWS.

Thus, out of the total websites (4924), only 174 i.e 3.5% seems to have IPv6 deployed. There are also 13 websites which have DNS AAAA record pointing these domains to an IPv6 address but they don’t reply on port 443 when queried over IPv6.


Sites’s with broken IPv6 deployment:

  • meity.gov.in
  • accounting.sthreenidhi.ap.gov.in
  • dgma.gov.in
  • digitalgujarat.gov.in
  • lms.istart.rajasthan.gov.in
  • sampada-mofpi.gov.in
  • serp.ap.gov.in
  • sthreenidhi.ap.gov.in
  • wdra.gov.in
  • www.aistic.gov.in
  • www.statedrugs.gov.in
  • mpforest.gov.in
  • wdra.gov.in

Raw data: Raw CSV for the lookup is here for *.gov.in and here for *.nic.in.