We were asked on Twitter to add a page describing exactly how to get 10/10 on our IPv6 domain readiness checker, so here it is.
1. Add an IPv6 address to your web server
The first step is to get your web server listening on an IPv6 address, as well as an IPv4 address. How you achieve this will depend on how your web server is managed. If you’re on a shared hosting account, you’ll be dependent on your hosting provider. If you run your own server, you’ll need to obtain an IPv6 address from your hosting provider (assuming they support IPv6), configure your server to use it and then ensure that your web server (e.g. Apache is listening on this address).
If you’re using a standard Mythic Beasts hosting account, this step is already done for you. If you’re using a sphinx shell account, please contact support.
2. Add an AAAA record for your website
AAAA records are the IPv6 equivalent of A records, which resolve hostnames to IP addresses. In order for users to find your website over IPv6, you will need to add an AAAA record for www.yourdomain.com pointing to the IPv6 address configured above. You can check that this is in place using the dig command:
$ dig +short A www.mythic-beasts.com
$ dig +short AAAA www.mythic-beasts.com
It’s possible that your existing “www” record will be a CNAME for another hostname, in which case you should add the AAAA record to that hostname, rather than the “www” record.
If you’re using a Mythic Beasts hosting account, then provided that you are using the standard template for your account in the DNS configuration for your domain, then this step will already be done for you.
Our health checker will skip this test if your domain doesn’t have an A record for “www”.
3. Add an AAAA record for your bare domain
Most websites are configured to work if the user omits the “www” prefix from the name, for example http://mythic-beasts.com
In order for this to work, you will need an A record for your domain name itself, and to be IPv6-enabled, you’ll also need a corresponding AAAA record.
Once again, our checker will skip this test if the bare domain doesn’t have an A record.
4. Ensure your DNS servers have IPv6 addresses
The steps above make it possible to access your website over IPv6, but unless your DNS servers are accessible over IPv6, users (or more specifically, their DNS resolvers) will still need to use IPv4 in order to find your site in the first place. To avoid this, you need to ensure that your nameservers have IPv6 addresses.
You can find the nameservers for your domain using “whois”, and you can check whether the servers have IPv6 addresses using dig, as before:
$ whois mythic-beasts.com
[ ... ]
Name Server: NS0.BEASTS.ORG
Name Server: NS3.MYTHIC-BEASTS.COM
Name Server: NS2.MYTHIC-BEASTS.COM
Name Server: NS0.MYTHIC-BEASTS.COM
Name Server: NS1.MYTHIC-BEASTS.COM
[ ... ]
$ dig +short AAAA ns1.mythic-beasts.com
If your nameservers do not have IPv6 addresses, then unless you run your own nameservers, you’ll either need to persuade your hosting provider to enable IPv6, or switch your DNS provider to a different provider.
Mythic Beasts customers should be using ns1 and ns2.mythic-beasts.com, and both of these nameservers have IPv6 addresses, and IPv6 glue (see below).
For a full pass, our health checker requires that at least two of your servers have IPv6 addresses.
5. Add IPv6 glue for your nameservers, if necessary
In order to find the address for your website, a DNS resolver will first need to find the address of your nameservers. If your nameservers are in your own domain, this creates a bootstrapping problem. For example, in order to find the address for ns1.mythic-beasts.com, you need to ask the nameservers for mythic-beasts.com, which includes ns1.mythic-beasts.com. The solution to this is a glue record, a record containing the address of your nameserver which is held by the nameserver for the next zone up. In this case, the next zone up is .com, so the .com nameservers would contain glue records for the ns*.mythic-beasts.com nameservers.
If a nameserver has an IPv6 address, then any glue records for it should also contain that IPv6 address.
Checking for glue records is a little bit involved. The quickest way to do it is to use “dig +trace” to find a nameserver for the next zone up:
$ dig +trace ns1.mythic-beasts.com
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
We can now ask any of those servers for the NS records for our domain. Any glue records that exist will be returned in the “additional” section of the response:
$ $ dig NS mythic-beasts.com @a.gtld-servers.net.
;; ADDITIONAL SECTION:
ns1.mythic-beasts.com. 172800 IN AAAA 2600:3c00::f03c:91ff:fe96:beac
ns1.mythic-beasts.com. 172800 IN A 220.127.116.11
ns2.mythic-beasts.com. 172800 IN AAAA 2a00:1098:0:80:1000::10
ns2.mythic-beasts.com. 172800 IN A 18.104.22.168
If your servers are missing glue records, you will need to get your domain registrar to add them.
It’s worth noting that even if you don’t directly require glue because your nameservers are in a different zone, at some point along the chain there will be a nameserver that does require glue.
For a full pass, our glue checker requires at least two nameservers to be discoverable by a single-stack IPv6 resolver at every step of the chain of delegation.
6. Add IPv6 addresses for your incoming mail servers
In order to receive mail over IPv6, at least some of the mail servers listed in the MX records for your domain must have IPv6 addresses. You can find the mail servers for your domain using dig:
$ dig +short MX mythic-beasts.com
You can then check that these servers have IPv6 address by using dig to resolve an AAAA record, as before.
Once again, if you’re using a Mythic Beasts hosting account using the standard DNS template for your account type, this will be done for you.
In order to pass this test, at least one of the servers listed in your MX records must have an IPv6 address.
7. Add reverse DNS for your mail servers’ IPv6 address
It is generally advisable to have working reverse DNS for any addresses from which you send outgoing mail. In the case of IPv6, this becomes pretty much essential, as one of the biggest mail providers in the world, Google, will reject mail over IPv6 unless the sending server has working reverse DNS for its IPv6 address.
Unless you run your own mail servers, adding support for IPv6 will be down to your mail provider.
Unfortunately, there is no reliable way to obtain the outgoing mail servers that are used for a particular domain, so instead our health check makes a bold assumption that your outgoing servers are the same as the incoming servers listed in your MX records, and checks those. This assumption is certainly not true of all domains, which is why a failure of this test is only treated as a warning.
8. Check your SPF records
SPF (Sender Policy Framework) is a mechanism for publicly listing your outgoing mail servers, so that receivers can detect spoofed email sent from other servers. If you enable your outgoing mail servers to start sending mail over IPv6, and you have an existing SPF record, it is important that you make sure that it includes the IPv6 addresses for your mailservers.
There are various ways of doing this. If your incoming and outgoing mail servers are the same, then you can use the “mx” mechanism in your SPF record. This means that any hosts listed in the MX records for your domains will be regarded as a legitimate source of mail for your domain, and this will automatically include any IPv6 addresses (assuming you’ve done step 6).
If you list IPv4 addresses or address ranges in your SPF record explicitly, then you will need to add corresponding IPv6 addresses for those servers.
The rules applied by our health checker aren’t entirely trivial, as it’s not uncommon for legitimate third party servers to be included in a domain’s SPF record, and there’s no way of pairing up IPv6 addresses with their IPv4 counter parts. Our health checker applies some very broad rules: if you use the “mx” mechanism, then the checker requires at least one IPv6 address for a server listed in the relevant MX records. If there are any explicit “ip4″ addresses or ranges specified in the record, then the health checker expects to find at least one explicit “ip6″ mechanism.
If your domain does not list an SPF record then this test will pass automatically, as this effectively defaults to “accept from all”.
These rules aren’t watertight, but have proven to be quite effective in identifying mail sources that either haven’t been enabled by IPv6, or which have but haven’t been added to the SPF record.
Hopefully this gives some insight into exactly what our domain tester is looking for, and how to comply with it. Customers who are having trouble getting 10/10 should email support. We’re also always very happy to hear any feedback on the health check, particularly suggestions for additional tests that we should be running.