This American Registry for Internet Numbers (ARIN) web page provides guidelines to help ensure successful introduction of AAAA records and IPv6 support into your DNS infrastructure.
This report, prepared in June 2020, details the Domain Name System (DNS) IPv6-only support status of United States government and military domains.
Here’s the current status of IPv6 DNS from top to bottom:
. (root) - All 13 root servers in .root-servers.net allow native IPv6 queries. G is on the Sensitive but Unclassified Internet Protocol Data (SBU IP Data) service, formerly known as NIPRNet. H is on the Defense Research and Engineering Network (DREN). AAAA records deployment in the root hints file began on 4 February 2008. For a current list of the root servers' IPv6 addresses, see www.root-servers.org.
*. - There are almost 1600 Top-Level Domains (TLDs) around the world. Over 98% of them have AAAA records in the DNS root server zone files, and are reachable via IPv6. Most of them are foreign countries, but COM, EDU, GOV, INFO, NET, and ORG are among them. This Hurricane Electric web page provides status reports for over 1200 generic TLDs (gTLDs) around the world. For up-to-date status of all TLDs, look at the Global IPv6 Deployment Progress Report also maintained by Hurricane Electric.
com - All thirteen .com name servers support native IPv6 queries and have AAAA records.
edu - All thirteen .edu name servers support native IPv6 queries and have AAAA records.
gov - All four .gov name servers support native IPv6 queries and have AAAA records.
info - All six .info name servers support native IPv6 queries and have AAAA records.
mil - All six .mil name servers support native IPv6 queries and have AAAA records.
*.army.mil - As of April, 2008, the Army's DNS architecture was updated to support AAAA records. AAAA records may be added by special request to the Army 2nd Regional Cyber Center (2RCC) DNS team.
net - same name servers as .com.
org – All six .org name servers support native IPv6 queries and have AAAA records.
arpa – all twelve name servers (A thru I and K thru M, while J is not an authoritative name server for .arpa) have AAAA records. 11 of the 12 name servers support native IPv6 queries (C does not). See Internet Engineering Task Force (IETF) Best Current Practices (BCP 155) also known as Request for Comments (RFC) 5855 Nameservers for IPv4 and IPv6 Reverse Zones.
in-addr.arpa - same as arpa.
ip6.arpa - this zone has been delegated to five non-root name servers (ns2.lacnic.net, sec1.apnic.net, ns-sec.ripe.net, tinnie.arin.net, and ns.icann.org) per the IETF in Appendix A of RFC 5855. All five name servers allow native IPv6 queries and have AAAA records.
NOTE for implementers: The DNS entries to use with IPv6 are AAAA and IP6.ARPA. The other candidates (A6 and IP6.INT) have been deprecated, A6 by RFC 6563 in 2012 and IP6.INT by RFC 4159 in 2005.
Since Internet Protocol version 6 (IPv6) addresses are so long, creating the .IP6.ARPA reverse lookup PTR records can be tedious. Fortunately, there are several ways of automating this task.
If the AAAA record for a domain name has not yet been entered in any Domain Name Service server, the venerable nslookup command built into most operating systems can be used to display the reverse address, as in
nslookup 2001:480:430:dddd::246:9
… (usual command sign-on remarks) …
** server can’t find 9.0.0.0.6.4.2.0.0.0.0.0.0.0.0.0.d.d.d.d.0.3.4.0.0.8.4.0.1.0.0.2.ip6.arpa:NXDOMAIN
This works in most versions of Linux and Unix, including the Apple macOS and OS X, but it won’t work in Microsoft Windows. If nslookup has been deprecated on your system, the successor host command can often be used instead.
Tools to generate IP6.ARPA PTR records, or even build a Berkeley Internet Name Daemon (BIND) reverse Domain Name System (rDNS) Zone record, are available on the Reverse DNS v6 website.
The ipv6calc tool is available for many versions of Linux. It is a utility written in the C programming language and can do a variety of address manipulations.
Simple tools written in both Perl and PHP are also available (originally developed by DREN personnel).
This Perl script can be used:
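#!/bin/perl
# Print the ip6.arpa nibble form of an IPv6 address: first the host part
# relative to a /48 zone, then all 32 nibbles.

# Take the address from the command line, or from standard input if none is given.
if ( $#ARGV == -1 ) {
    $address = <STDIN>;
    chomp $address;
} else {
    $address = $ARGV[0];
}

# Expand "::" into the run of zero groups it stands for.
$pos = index($address, "::");
if ($pos >= 0) {
    for ($i=0; $i < length $address; $i++) {
        if (substr($address, $i, 1) eq ":") {
            $numcolons++;
        }
    }
    $expansion = ":" . "0:" x (8 - $numcolons);
    $address =~ s/::/$expansion/;
    print "Expanded address: $address\n";
    print "\n";
}

# Split into the eight 16-bit groups and reverse the hex digits of each one.
@octets = split ':', $address;
$octets[0] = reverse($octets[0]);
$octets[1] = reverse($octets[1]);
$octets[2] = reverse($octets[2]);
$octets[3] = reverse($octets[3]);
$octets[4] = reverse($octets[4]);
$octets[5] = reverse($octets[5]);
$octets[6] = reverse($octets[6]);
$octets[7] = reverse($octets[7]);

# Groups 7 down to 3: the 80 host bits below a /48 prefix.
# A missing digit is a suppressed leading zero, so print "0" for it.
for ($i=7; $i>=3; $i--) {
    for ($j=0; $j<4; $j++) {
        $char = substr($octets[$i], $j, 1);
        if ($char eq "") {
            print "0";
        } else {
            print "$char";
        }
        print ".";
    }
}
print "\b/48\n";
print "\n";

# All eight groups: the full 32-nibble reverse name.
for ($i=7; $i>=0; $i--) {
    for ($j=0; $j<4; $j++) {
        $char = substr($octets[$i], $j, 1);
        if ($char eq "") {
            print "0";
        } else {
            print "$char";
        }
        print ".";
    }
}
print "/128\n";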
and this PHP class can be used:
<?php
class dnsManipulation {
    public $hostname;
    public $ipv4;
    public $ipv6;
    public $ptr; // PTR owner name, relative to the /48 reverse zone
    public function __construct($hostname='',$ipv4='',$ipv6=''){
        $this->hostname=$hostname;
        $this->ipv4=$ipv4;
        $this->ipv6=$ipv6;
        $this->ptr=$this->ipv6Ptr();
    }
    // Reversed nibbles of the last five groups (everything after the /48 prefix).
    private function ipv6Ptr() {
        // inet_pton() expands "::" and short groups, so all 32 nibbles are present.
        $packed=($this->ipv6==='') ? false : @inet_pton($this->ipv6);
        if ($packed===false || strlen($packed)!=16) {
            return '';
        }
        $ip=substr(bin2hex($packed),12); // drop the first three groups
        $arr2=array_reverse(str_split($ip,1));
        $ptr=implode('.',$arr2);
        return $ptr;
    }
    function getPtrRecord() {
        $this->ptr=$this->ipv6Ptr();
        $str=$this->ptr." IN PTR ".$this->hostname;
        return $str;
    }
    function getAAAARecord() {
        $str=$this->hostname . " IN AAAA ".$this->ipv6;
        return $str;
    }
}
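A Python version that generalizes the two scripts above, added here as an example and not part of the original page or the DREN tools: it accepts any nibble-aligned zone prefix instead of a fixed /48, handles every compressed address form through the standard ipaddress module, and refuses to emit a PTR record for an address outside the zone. The function names and the host name in the test are assumptions.

```python
import ipaddress


def nibbles(ip):
    """Return the 32 hex nibbles of an IPv6Address, least significant first."""
    return list(reversed(ip.exploded.replace(":", "")))


def zone_origin(zone):
    """ip6.arpa origin for a nibble-aligned prefix such as 2001:480:430::/48."""
    net = ipaddress.IPv6Network(zone, strict=True)
    if net.prefixlen % 4:
        # ip6.arpa labels are single nibbles, so a zone cut must fall on a 4-bit boundary
        raise ValueError("prefix length must be a multiple of 4")
    keep = net.prefixlen // 4
    labels = nibbles(net.network_address)[32 - keep:]
    return ".".join(labels + ["ip6", "arpa"]) + "."


def ptr_record(addr, hostname, zone):
    """PTR line whose owner name is relative to zone_origin(zone)."""
    net = ipaddress.IPv6Network(zone, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        # a record for a foreign address would never be reached by a resolver
        raise ValueError(f"{ip} is outside {net}")
    owner = ".".join(nibbles(ip)[: 32 - net.prefixlen // 4]) or "@"
    target = hostname if hostname.endswith(".") else hostname + "."
    return f"{owner} IN PTR {target}"
```
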
On version 2.2 and later of the Postfix SMTP Server, Internet Protocol version 6 (IPv6) support is built in, and the configuration options are described here. An example of how to configure Postfix in conjunction with other open source software including Dovecot, MySQL, and Postfix is available here.
Sites running a Postfix version 2.2 (or later) mail transfer agent (MTA): You must include the following line in your /etc/postfix/main.cf:
inet_protocols = ipv4
Without this line Postfix defaults to using IPv6 for mail delivery, and when that fails Postfix will stop trying. Postfix will not use IPv4 without it.
For all versions of Postfix, complete the applicable steps described in this Get Your Site Ready for IPv6 article for the host computer your Postfix server is installed on. (That article was written for a web server, but the DNS-related steps also apply to Postfix servers.)
Links
Postfix
Homepage: http://www.postfix.org
Postfix TLS/IPv6 Patches
Homepage: http://www.ipnet6.org/postfix/
While it is NOT recommended practice for versions prior to 2.2, the steps for setting up IPv6 support in version 2.0.18 included:
1) wget http://www.ipnet6.org/postfix/download/postfix-2.0.18.tar.gz
2) wget http://www.ipnet6.org/postfix/download/tls+ipv6-1.21-pf-2.0.18.patch.gz
3) tar xfz postfix-2.0.18.tar.gz
4) gunzip tls+ipv6-1.21-pf-2.0.18.patch.gz
5) patch -p0 < ./tls+ipv6-1.21-pf-2.0.18.patch
6) make tidy; make makefiles; make
7) review the make and perform a make install.
The Postfix install will listen on all IPv4 and IPv6 addresses if you have the following directive enabled in main.cf:
inet_interfaces = all
Make sure to add the appropriate allowed IPv6 relay networks to the mynetworks statement or the network_table.
Example syntax for mynetworks would be:
[::1]/128 [2001:480:2b0::]/48
Example syntax for a network_table would be:
[::1]/128 OK
[2001:480:2b0::]/48 OK
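Because every network listed in mynetworks is trusted to relay, it is worth checking the value before reloading Postfix. The following added example (not from the original page or from Postfix) parses the bracketed syntax shown above, reports whether a given client would be trusted, and flags entries broader than a chosen size; the function names and the /48 and /24 thresholds are assumptions, and table lookups and exclusions are not handled.

```python
import ipaddress
import re

# Bracketed IPv6 entry as used in mynetworks: [addr] or [addr]/len
BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\](?:/(\d+))?")


def parse_mynetworks(value):
    """Parse the address patterns of a mynetworks value into network objects."""
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        m = BRACKETED.fullmatch(item)
        if m:
            # strict=True rejects entries that have host bits set
            nets.append(ipaddress.IPv6Network(f"{m.group(1)}/{m.group(2) or 128}", strict=True))
        elif ":" in item:
            # an unbracketed IPv6 address, or a type:table lookup this sketch skips
            raise ValueError(f"not a bracketed IPv6 pattern: {item!r}")
        else:
            nets.append(ipaddress.IPv4Network(item, strict=True))
    return nets


def is_trusted(client, nets):
    """True if the client address falls inside any listed network."""
    ip = ipaddress.ip_address(client)
    return any(ip.version == n.version and ip in n for n in nets)


def too_broad(nets, min_v6=48, min_v4=24):
    """Entries whose prefix is shorter than the chosen minimum (assumed thresholds)."""
    return [str(n) for n in nets
            if n.prefixlen < (min_v6 if n.version == 6 else min_v4)]
```
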
Nginx (some call it “EngineX”) is widely used as a web server, but it can also be configured as a reverse proxy, load balancer, mail proxy or HTTP cache server. The scope of this article is limited to the use of Nginx as a web server.
The Nginx software package has supported Internet Protocol version 6 (IPv6) since at least 2010, although IPv6 support is not enabled by default. The authoritative source for Nginx Open Source Software (OSS) is nginx.org and for Nginx PLUS (the commercial product) the authoritative source is Nginx, Inc.
To use Nginx OSS as a web server supporting IPv6, the first step is to complete the 8 steps described in this Get Your Site Ready for IPv6 article for the host computer your Nginx web server is or will be installed on.
Next, to install Nginx under various Linux/Unix operating systems follow the directions given in this Nginx: Configure and Install With IPv6 Networking Support Enabled web page. A more detailed set of directions with configuration options for additional operating systems and some cloud environments can be found on the Nginx, Inc. website here. It is also possible to install Nginx OSS in a Microsoft Windows environment (Caution: There are known issues in this environment).
After completing the installation, scan the FEATURED ARTICLES list in the right-hand column of the Nginx: Configure and Install With IPv6 Networking Support Enabled web page to see if any of them are relevant to your planned use of Nginx OSS. For example:
How to enable gzip compression in nginx server
or
Top 25 Nginx Web Server Best Security Practices.
Advanced configuration features of Nginx OSS are documented on the Nginx, Inc. website docs.nginx.com. To review these features, on that website enter “open source” in the Search all documentation box, click on the search icon, and then scan the search results for relevant features. Many (but not all) of the articles returned by the search will contain “open source” or “Open Source” in the title. If a feature of interest does not indicate “open source” or “Open Source” in the title, view the article anyway. The feature may be available for Nginx OSS even though the title does not explicitly indicate that is the case.
Also, a web search using any web search engine may reveal additional configuration changes you might want to consider, such as
Dual-Stack Configuration of IPv4 and IPv6.
However, be careful! You will want to verify that any configuration changes your web search reveals specifically apply to Nginx OSS. The Dual-Stack Configuration of IPv4 and IPv6 configuration change above, for example, is only available for Nginx PLUS installations.
The Apache web server has had Internet Protocol version 6 (IPv6) support built in and enabled by default since 2002 (with the release of version 2.0.43). The authoritative source for Apache Web Server is the Apache HTTP Server Project, which does not explicitly address many IPv6 topics. It does address Special IPv6 Considerations for mapping IPv4 and IPv6 addresses.
Complete the 8 steps described in this Get Your Site Ready for IPv6 article for the host computer your Apache web server is or will be installed on.
The configuration information shown below is from the Linux IPv6 HOWTO (en) website. While old, it is still useful. Additional old articles about Apache web server IPv6 configuration for Linux and virtual hosts are available here.
3. Webserver Apache2 (httpd2)
Apache web server supports IPv6 native by maintainers since 2.0.14. Available patches for the older 1.3.x series are not current and shouldn't be used in public environment, but available at KAME/Misc.
3.1. Listening on IPv6 addresses
Note: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a patch is available for 2.0.28). But always try latest available version first because earlier versions had some security issues.
3.1.1. Virtual host listen on an IPv6 address only
Listen [2001:0db8:100::1]:80
<VirtualHost [2001:0db8:100::1]:80>
ServerName ipv6only.yourdomain.yourtopleveldomain
# ...sure more config lines
</VirtualHost>
3.1.2. Virtual host listen on an IPv6 and on an IPv4 address
Listen [2001:0db8:100::2]:80
Listen 1.2.3.4:80
<VirtualHost [2001:0db8:100::2]:80 1.2.3.4:80>
ServerName ipv6andipv4.yourdomain.yourtopleveldomain
# ...sure more config lines
</VirtualHost>
This should result after restart in e.g.
# netstat -lnptu |grep "httpd2\W*$"
tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 12345/httpd2
tcp 0 0 2001:0db8:100::1:80 :::* LISTEN 12345/httpd2
tcp 0 0 2001:0db8:100::2:80 :::* LISTEN 12345/httpd2
For simple tests use the telnet example already shown.
3.1.3. Additional notes
· Apache2 supports a method called “sendfile” to speed up serving data. Some NIC drivers also support offline checksumming. In some cases, this can lead to connection problems and invalid TCP checksums. In these cases, disable “sendfile” either by recompiling using configure option “--without-sendfile” or by using the "EnableSendfile off" directive in configuration file.
