by adventureloop 4506 days ago
Okay so the domain my site is run off gets 0 of 5 stars. I know my VPS provider has ipv6 support, so how do I close the gap?
3 comments

Looks like: IPv6 addresses for NS (nameserver) and MX (mail exchange) records, and root and www subdomain. Looks to check DNS responds to queries over IPv6, too. Easy mode to get at least four stars: enable IPv6 with a free Cloudflare account.
If your VPS provider has it, usually you need to set up the given static address (from a /64); there won't usually be any autoconfig. Sometimes you have to turn it on per VPS in some management settings.
1) make sure your services listen on ipv6 and configure them accordingly if they don't. Watch out for things like virtual hosts and TLS configuration.

2) Add firewall rules to allow inbound traffic over ipv6 if they don't already exist. If using ufw (default in ubuntu), check that `ufw status` lists entries for ipv6.

  # ufw status
  Status: active
  
  To                         Action      From
  --                         ------      ----
  OpenSSH                    ALLOW       Anywhere
  80/tcp                     ALLOW       Anywhere
  443/tcp                    ALLOW       Anywhere
  OpenSSH (v6)               ALLOW       Anywhere (v6)
  80/tcp                     ALLOW       Anywhere (v6)
  443/tcp                    ALLOW       Anywhere (v6)
Allowing inbound https connections over both ipv6 and ipv4 is as easy as typing

  ufw allow 443/tcp
If you're managing your firewall rules by hand, do NOT block icmpv6 as it will break connectivity.

3) add a AAAA record pointing to your vps' ipv6 address to any domain name pointing at your vps. To find that address, use a command like

  ip -6 address | grep global
on your vps.

Make sure the TTL of your AAAA records matches that of your A records.

If you're hosting your own mail server, make sure your MX records point to host names returning ipv6 addresses. If using SPF, you'll need to add ipv6 addresses to your records as well.

4) Check that your DNS records return both ipv6 and ipv4 addresses, i.e. host should return something like:

  $ host www.rackspace.com
  www.rackspace.com is an alias for www.wip.rackspace.com.
  www.wip.rackspace.com has address 173.203.44.116
  www.wip.rackspace.com has IPv6 address 2001:4801:1221:101:1c10:0:f5:116
Changes in DNS can take time to propagate (depending on the TTL of your records), so give it a couple of hours if records don't show up right away.

5) test that your services are reachable and working as expected over ipv6. You can use ipvfox (firefox) or ipvfoo (chrome) to make sure that ipv6 was indeed used to reach your web server. curl -6, ping6, telnet -6 are also good to test/debug.

To see what services are listening on ipv6, use nmap to run a portscan (from a different machine than the vps itself).

  nmap -6 -P0 -T4 -p0-65535 <domain name or ipv6 address>
6) if you have any kind of monitoring set up to check on your ipv4 services, add monitoring checks for ipv6 as well. Way too often people forget about this and are not notified when their ipv6 setup breaks.

7) run http/https checks with http://ipv6-test.com/validate.php to ensure that connectivity is OK.

Hope this helps :)
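
Added example, not part of the thread: a small offline audit of the DNS points in steps 3 and 4 above (AAAA present for every name with an A record, matching A/AAAA TTLs, MX targets with AAAA, SPF carrying ip6 entries). It reads lines in `dig +noall +answer` format; the sample records, the `parse` and `audit` function names, and the SPF heuristic are assumptions made for illustration.

```python
# Added example: offline audit of `dig +noall +answer` lines for dual-stack gaps.
# SAMPLE is constructed, using documentation names and address ranges.
SAMPLE = """\
example.com.       300   IN  A     192.0.2.10
example.com.       3600  IN  AAAA  2001:db8::10
www.example.com.   300   IN  A     192.0.2.10
example.com.       300   IN  MX    10 mail.example.com.
mail.example.com.  300   IN  A     192.0.2.25
example.com.       300   IN  TXT   "v=spf1 ip4:192.0.2.25 -all"
"""

def parse(text):
    """Return {name: {rtype: [(ttl, rdata), ...]}} for well-formed answer lines."""
    zone = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[1].isdigit() and parts[2] == "IN":
            name, ttl, _, rtype, rdata = parts
            zone.setdefault(name.lower(), {}).setdefault(rtype.upper(), []).append(
                (int(ttl), rdata.strip()))
    return zone

def audit(text):
    """List the gaps from steps 3 and 4: AAAA, TTL parity, MX targets, SPF."""
    zone, findings = parse(text), []
    for name in sorted(zone):
        recs = zone[name]
        a, aaaa = recs.get("A", []), recs.get("AAAA", [])
        if a and not aaaa:
            findings.append(f"{name} has A but no AAAA")
        elif a and {t for t, _ in a} != {t for t, _ in aaaa}:
            findings.append(f"{name} A/AAAA TTL mismatch")
        for _, rdata in recs.get("MX", []):
            target = rdata.split()[-1].lower()
            if not zone.get(target, {}).get("AAAA"):
                findings.append(f"MX target {target} has no AAAA in the supplied answers")
        for _, rdata in recs.get("TXT", []):
            spf = rdata.replace('"', "").lower()
            # Heuristic: only explicit ip4:/ip6: mechanisms are compared.
            if spf.startswith("v=spf1") and "ip4:" in spf and "ip6:" not in spf:
                findings.append(f"{name} SPF lists ip4: but no ip6:")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the combined answers for every name and record type you care about; an MX target is only reported as covered if its AAAA answer is in the input.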