Using IPv6

Online resources
  • e.g. The IPv6 Usage Map isn't a tutorial, but is mentioned here because this reference material may be quite useful while working with a wide variety of the tutorials.

There are some online guides, which may be meant for certain operating systems. All of the steps to completing this should be covered by multiple virtual machines tutorial and references resources, including installing an operating system (and its references resources).

IPv6.HE.net Certification FAQ has some information: though most of it is related to HE.net/tunnelbroker.com's IPv6 certification, some of it may be useful for more general purposes: perhaps most especially the references to HE.Net IPv6 Video Presentations & Tutorials and the TunnelBroker.net forums (about IPv6.HE.net certification).

Here is a reference to some of the other reosurces that may help:

This guide
Excellent!
Hurricane Electric's own resources

Hurricane Electric's IPv6 Video Presentations & Tutorials has a PDF Slideshow and a video presentation. For most tests, that may be the most recommended official resource presented by Hurricane Electric. However, for the first test, the Primer will be even better.

Rob Pickering's guide

Screenshots for Mac show up on Redirect to Rob Pickering's guide to being a Certified IPv6 Techncian: Part 1 (which, of course, redirects to Rob Pickering's guide to being a Certified IPv6 Techncian: Part 1). Unsurprisingly, also available is Redirect to Rob Pickering's guide to being a Certified IPv6 Techncian: Part 2 which redirects to Rob Pickering's guide to being a Certified IPv6 Techncian: Part 2. The latter shows using Postfix.

Sam's Class

Another resource is: How to Earn IPv6 Certifications (on Windows, Part 1) (using Microsoft Windows, and GoDaddy), and How to Earn IPv6 Certifications (on Windows, Part 2).

There are certainly other resources about IPv6 other than just those designed to help get this certification. For example, Part 2 of Rob Primer's guide also references SixXS IPv6 FAQ.

A recommended order of operations

Any recommendations provided by this section are largely made subjectively. So, this whole section about a recommended order is simply meant as a guideline that may be considered. There are situations where there may be reasons (ranging from whimsical desire to compelling cases) to re-arrange the order, and that may be fine. Clearly an attempt to repair a previous Internet connection to a production environment may have some issues that will be demanding higher priority. In such a case, getting traffic routing working so that individual computers can become functional (possibly with workarounds such as manual assignments of variables like which network (IPv6) addresses to use, and which DNS servers to use) may be an escalated priority. Re-arranging this provided order of recommendations is fine.

External Internet access
Signing up for services

External Internet access is a piece of the entire IPv6 design that may be good to start working on sooner, rather than later, in case there are any delays from external organizations. So, that topic will be discussed first. If Internet access isn't going to really be functional until it is set up on a local site, which is most commonly the case, then at least start the process of signing up for any required service.

In the rare case that newly provided service might start functioning automatically, take a brief look at the next segment, protection of the (IPv6) network, before signing up for the service.

[#ipv6onv4]: Get IPv6 support when (only) IPv4 is already available

If using Internet access which only provides forwarding and routing for IPv4 packets, then using a tunnel broker may be needed to access sites on the Internet which are communicating with only IPv6. Wikipedia's list of IPv6 tunnel brokers may provide some options. (This step may not be required to happen first, but in case time is required for the creation/approval of an account with the tunnel broker selected, it makes sense to sign up early in the process. That way, progress on other task can occur while waiting for the account to be fully created/authorized.)

(This involves setting up an account as needed. There aren't many details about this here since this has been done once by the author (so there's no particular need for a new account), but wasn't meticulously recorded at the time. Further details are expected later when the guide's author has a chance to assist other people each creating their own first/initial account.)

[#prti6net]: Protection

Any computer with network access should be suitably protected from an Internet-based attack. Have good network protection, including any suitable firewalls, before connecting any devices to the Internet.

This specific guide may not, at least initially, focus much on protective steps. However, ensuring proper protection is something to constantly keep in mind whenever new network connectivity (whether physical or logical) is being established. Any vulnerability even if fairly temporary, may be sufficient for a breach. Such breaches are easier to prevent than what they may be to detect, so be careful throughout this entire process (and in the future, whenever working with such connectivity).

Testing the access

Good ol' ICMPv6... Or, if this text gets read shortly after it was written, perhaps that phrase isn't yet applicable. In that case: Good new ICMPv6...

For those who are using a tunneling service, the tunnel may need to be set up. (This may tecnhically fall under the category of “routing” traffic.)

Understanding terms

In this brief text, the term “address assignment” is meant to refer to assigning a network address (a IPv6 address) as well as the most critical of routing details: the prefix length (which, for IPv4 networks, was most commonly implemented by using a “subnet mask”). References to configuring routing is, in this section of text, not meant to refer to determining whether local traffic goes to another machine on the same network. That is determined using the information of the prefix length, which is one of the basic address assignment settings that should work for even communication on the local subnet to be functional. References to setting up “routing” configuration is meant to refer to handling traffic that goes to machines that are not part of the same subnet.

Although routing may be fairly advanced (using protocols to be setting new routes automatically), the term “routing” may be as simple as setting a default gateway. (For machines to communicate to other machines on a logical subnet, the “routing” probably doesn't require any sort of configuration beyond what is included in part of the process of assigning the most basic network settings, which are the address assignment and the prefix length.)

The term “routing” does refer to making sure that all subnets can communicate to any other subnets that need to be reachable. So, setting up a firewall to allow needed traffic would be considered to be part of this concept of “routing”. The degree of importance of routing may have some sort of a proportional relationship to how many subnets are being used.

Additional routing may be a next highest priority

To some extent, getting external/upstream Internet working is a piece of traffic routing.

Beyond that, there are some cases where getting routing to be sufficiently working can be top priorities.

One of those cases is if functionality on an existing network is something that a person is trying to fix while the person is working on things remotely (particularly if there is no person on site who can help by following instructions to make changes to undo any problems that may get created). In such a case, be very careful not to make a change that disrupts whatever remote access is currently working. Getting routing to work more fully can be necessary to be able to access specific (remote) resources, so the priority of routing can be pretty high in such cases.

If there is an existing network, and if there are multiple people to work on other components of the working Internet access, then the next highest priority for qualified/authorized personnel may be to take care of routing. This way, other personnel who are working on other tasks can potentially get other things to function, but broken routing can be a severe bottleneck that prevents other technicians from being able to successfully accomplish those other tasks. (This may be less of a compelling reason to focus on routing if there are not additional technicians who may be getting other things working while working routing is set up.)

However, for a brand new network, routing may not be nearly as critical, as there may not initially be much to route.

A new/test network

For a network testing brand new IPv6 access for the first time, in a test/design environment where sufficient time has been allocated (and impending deadlines are not seeming problematic), then witnessing a working DNS client can be uplifting. This is largely because working name resolution helps to create a basic Internet experience that seems much more complete/functional. Getting name resolution to work shouldn't take terribly long, and then one can feel that yes, this really is going to work, while spending more time on goals of spreading this Internet functionality. In contrast, spreading the Internet functionality before the Internet functionality seems very functional may be an effort that feels less rewarding as “broken” Internet is being spread.

Existing networks

In cases other than a new/test network like what was just described, it may be nicer to focus on other tasks first.

Key among them will be determining what address ranges will be used for the local/downstream subnets. For new networks, that is often decided when implementing address assignment. (For existing networks, checking configurations on existing routers, or perhaps other network infrastructure components such as firewalls, may provide the information about what has been used.)

It will generally be needed for computers to have useful network addresses (other than just link-local network addresses). If computers do not have this yet, and if no other staff members are going to be getting addresses assigned, then focus on address assignment (so computers may start to have working addresses). Otherwise, just use whatever addresses may currently be assigned (for testing and/or verifying working functionality), and focus on routing.

Spreading connectivity

The three things to focus on are address assignment, name resolution, and routing.

If external Internet access is not yet being provided (by the Internet provider), and if all resources are on a single subnet, then routing may be a much lower immediate priority than getting automatic address assignment working so that computers can access internal resources. However, on larger networks, routing may be necessary even to be able to access some internal resources. (However, such larger networks typically have enough of a budget that they should probably be having working Internet access very quickly. The owners/management of an organization may not like having such an expensive network being mostly operational but, for any substantial length of time, lacking Internet access.)

It may often make sense to delay efforts to get name resolution widely working until after automatic address assignment is widely working, because the solution for automatic address assignment may be helpful to quickly deploy a solution for getting name resolution settings spread around. Also, in many cases there will be more people who know how to deal with broken name resolution (possibly by using an external name resolution server) than people who will know how to correctly assign a network address that can communicate to other devices on the subnet.

Accessing certain servers, including external name resolution servers, may require that routing is sufficiently working and set up.

If external resources are being used, and if internal resources are largely unused, then routing will likely be more crucial than automatic address assignment. Once routing works, then machines with manually configured settings can start to work, but until routing works, that won't happen. Once manually configured machines are working, then setting up automatic addresses will likely be the next more important step.

Software support

Network features may be what people find interesting from a network, although such features may often require working infrastructure to be generally useful for many people.

Getting access to the IPv6

Getting onto the IPv6 involves connecting to a device that is on the IPv6. A nice solution may be available if a known commercial Internet Service Provider is provided acceptable connectivity locally. For others, the solution may be to connect to a local tunnel with a remote endpoint that is connected to the IPv6 Internet. Fortunately, there are some organizations called “tunnel brokers” that provide this service for people connected to the IPv4 Internet.

Goals of this tutorial include covering the following topics:

  • Setting up IPv6 and accessing IPv6 sites on the Internet, even if using an IPv4 Internet connection.
  • Signing up for a tunnel broker and obtaining a block of addresses
  • Distributing IPv6 addresses within an organization
Name resolution

After the first successful response from an ICMPv6 packet, the next most interesting thing to do may be to try some other protocols. However, when using various software to determine connectivity, the concept of getting working name resolution will quickly start to look like an attractive goal worth pursuing.

Goal(s) of this tutorial include covering the following topic(s).

  • Resolving (DNS) domain names to IPv6 addresses
Address assignment

(Further details may be added here at a later time. For now, the site's guide to network addressing is a resource that might be helpful.)

Routing

(Further details may be added here at a later time. For now, the site's guide to routing network traffic is a resource that might be helpful.)

Software support

Network features may be what people find interesting from a network. Once required working infrastructure is in place, popular features like file sharing on an internal network, or services reachable from the public Internet (like VPN servers) may be things that people are clamoring to be able to use.

For software that supports IPv6 addresses, a lot of common usage may require no difference by the end user. End users may often primarily interact by using names provided by name resolution servers, so end users may not even have a need to be able to notice whether the traffic is using the IPv6 protocol or the IPv4 protocol.

An exception may be when users try to use link-local addresses, because then the address and prefix length do not determine which NIC is used to route the traffic. However, since people may often be able to use other types of network addresses, the need for a user to specify such trafifc routing is likely to be rare except when troubleshooting/debugging network connectivity.

Day to day interactions with popular tasks like browsing the world wide web, using E-Mail, and sharing files on a local network, and perhaps even initiating VPN connectivity, might not require any changes in how a user interacts with the system.

Determine what services support IPv6.

Configure/upgrade/replace as needed.

Admittedly, that last sentence may be much more brief than the amount of effort that may be needed to implement that. This guide may expand at a later time.

Certification

Getting Hurricane Electric Free IPv6 Certification. http://ipv6.he.net/certification says, “We aim to provide you with something to do after your first IPv6 ping.”

Well, that sounds like a nice slogan. Things like working name resolution may be pretty high up on the list of things to do after the first round-trip ICMPv6 packet. Having routing and automatic address assignment can also be pretty nifty things to get working early on. These things may often be implemented internally, and so not be focused on so much by the remote “tests”/“configuration verification” that is provided as part of Hurricane Electric's certification program.

Still, it's a nice test of external resources.

Sages by region

Signing up
Go to http://ipv6.he.net/certification and Register for an account.
The first test (“Newbie Test”) (Using info from the Primer)

Once signed up, here is a hint for the first test: don't hestitate to use online resources. The tests seem designed to get people familiar with setting up functional IPv6 networks, rather than being focused on whether arcane knowledge is memorize. This is particularly evident from later steps in the test which will have Hurricane Electric's computers verifying successful operation of IPv6 functionality.

The IPv6 Certification Scorecard (for someone who has passed the test) will describe this test as follows: “This is a basic level test of the information” in the “primer”. So, see HE.Net's IPv6 primer at http://ipv6.ne.net/certification/primer.php for the needed information. The IPv6 Certification Scorecard goes on to say, “With this primer at hand these questions should be a snap for you.” So, there does very much seem to be the intent to allow the resource to be used as part of the test.

If the answer for any question isn't fully obvious from the primer, simply check out other resources. For instance, Rob Pickering's guide mentions the characters that may appear in an IPv6 address (which are digits and the letters a, b, c, d, e, or f: they are traditionally written in lowercase letters.)

Once this has been passed, Rob Pickering's guide to being a Certified IPv6 Techncian: Part 1 points out that people who pass this test have become “a certified Newb”. (The comment just couldn't be passed up due to the obvious reason: the website follows up the remark with the quarter-hearted apology: “(sorry just too funny)”). So, for those who have passed this guide, congratulations. Hurry up and gain another level so that a new rank may be provided.

Explorer Test (Having IPv6 (Native or Tunneled))

The IPv6 Certification Scorecard (for someone who has passed the test) will describe this test as follows: “This test validates that you have Native or Tunneled IPv6.”

Enthusiast (WWW test)

Several steps will be needed to reach Enthusiast level.

  1. The first part is to have DNS working, because one of the later parts will require an FQDN to be provided. The test notes, “The Domain you provide below will be used in future DNS tests.” (This will be evident with the Guru level test.)
  2. The next part is to set up an online web server that provides access to visitors who use IPv6.
  3. The next part is that, naturally, the DNS server should have a configuration so that details are provided for the specific IPv6 website that has been set up.
  4. TunnelBroker.net Certification website will have a button that says “Generate Code”. Press that button, and the web browser will replace the button with a code. This code may look something like a couple of digits, four letters, a digit, and three letters (all lowercase). (This is step #1 on the web page's test. The prior steps are simply needed to prepare to succeed in the following steps.) The code is provided by the certification site, and so is not choosable by the end user.
  5. Fill in the domain name in the web form, and click “Create URL”. (The FQDN is something that the end user can input.) This will show a URL, which may start with the FQDN provided and then consist of a filename that starts with the code provided and then the common extension for a text file. So if the code provided is 12abcd3efg and the FQDN was hetbcert.example.com then the URL may look something like http://hetbcert.example.com/12abcd3efg.txt
  6. Make sure that a file exists at that URL.
  7. Test things: Visit that URL from the outside IPv6 Internet. Make sure the file is successfully downloadable/viewable. (Make sure that aren't any sort of problems with DNS, the HTTP web server, or the website content (e.g. if permissions are not allowing the website content to be viewed).
  8. On the Certification site, click on “Test It!”
  9. If all goes well, the words “File Fetched” (or something like that...) will show, and then the certification site will proceed to a questioneer. The second question likely does have a correct answer, while the rest seem to simply be information gathering.
Administrator (SMTP server test)
  1. Presumably, DNS continues to work after the Enthusiast test.
  2. Set up an E-Mail server
  3. Verify it is receiving E-Mail okay
  4. On the certification website, choose to Generate a code. This time, the results may replace the button with “Generated” (instead of showing a code).
  5. Note: The E-Mail server's IPv6 address that gets used for this test will also be used for future test(s) including the Professional level (and others?). So, make sure the IPv6 address being used is one that you have full control over. (Especially: Make sure that the IPv6 address is one where Reverse DNS can be set to the E-Mail server's DNS name.)
  6. Provide an E-Mail address (e.g. user@example.com)
  7. Click on the “Send It!” button in the “Data” column on the certification site. The button will be replaced with the result: it should show “Successfully Sent!”
  8. Read the E-Mail. It should come from ipv6@he.net with a subject of “IPv6 Certification Mail Test” and say, “Please insert the following code into the website at http://ipv6.he.net/certification: ab1c2de3fg
  9. Enter the code into the field next to the “Submit” button, and then press that button.
  10. The button will be replaced by a button that says “Pass”. However, that button does not need to be clicked: this will then proceed.

After taking the Administrator Test, the desired score is 241. However, this proceeds straight into the Administrator Questionnaire, which becomes an easy way to net another four points.

Administrator Questionnaire

These are the questions that have been asked for the Administrator Questionnaire.

Question #1: “What features of IPv6 do you see yourself using?” (Possible answers: a text box to input any answer.)

Question #2: “If you were setting up a network of 12 million hosts that all needed their own unique globally routable addresses, which protocol would you use?” (Possible answers: IPv4 or IPv5 or IPv6 or IPx or IPng. Of those, IPv6 is the most sensible answer.)

Question #3: “Do you plan on making sure your workplace is IPv6 ready before IPv4 exhaustion?” (Yes/No. As IANA is exhausted, the correct answer may depend on how HE defines IPv4 exhaustion.)

Question #4: “Do you think that any of your co-workers or friends would find Hurricane Electric's IPv6 certification useful?” (Possible answers: “Very much” or “Somewhat” or “Not at all”)

Question #5: “Do you think you would benefit from using Hurricane Electric's free IPv6 certification process at work?” (Possible answers for Question #5 are the same as possible answers for Question #4.)

After taking the Administrator Test, the desired score is 245. However, this proceeds straight into the Administrator Questionnaire, which becomes an easy way to net another four points.

Professional (Reverse DNS)

Time to make sure that Reverse DNS is working.

If the mail server is at 2001:db8::2 then use:

nslookup -q=PTR 2.0....8.b.d.0.1.0.0.2.ip6.arpa

Now chances are that may not be working yet. If that doesn't work:

Make a PTR record

First, get the DNS server to have the needed information, so that it at least provides the right information if queried directly. (Then, spreading the information publicly will be covered next.)

Make a PTR resource record.

Verify the PTR record by querying the DNS.

Test from the outside

If the DNS server was working for both IPv6 and IPv4 before, then chances are good that both IPv6 and IPv4 are working now. So (at least initially) the test may be performed by doing a query over either IPv6 or IPv4. Note that the remote end testing might need to flush any DNS cache that is being used. Make sure that a remote end can get the needed DNS information without specifying a specific server. (With a cleared cache, the remote end should determine the correct DNS server to use.)

(Further information about PTR records may be useful here?)

Pass, rDNS

Score jumps up to 370. Answer the Questionnaire for another 5 points per question.

Questionnaire

Question #1: “With regards to the server configuration portion, what level of difficulty would you rate it?” (Possible answers: “Trivial, Very easy, Easy, Hard, Impossible”)

Question #2: “Hurricane Electric would like to make sure you are completely happy with our free IPv6 certification process. Please rate your satisfaction on a scale of 1 to 5; 5 being completely satisfied, 1 being completely unsatisfied.” (Possible answers: “5 - Completely Satisfied”, “4 - Somewhat Satisfied”, “3 - Indifferent”, “2 - Somewhat Unsatisfied”, “1 - Completely Unsatisfied”)

Question #3: “Have you asked your provider about when they plan on supporting IPv6?” is Yes/No. Question #4: “Do you think that Internet oriented companies (software, hardware, or service providers) need to be IPv6 ready before IPv4 exhaustion?” is Yes/No.

Guru test (Nameserver on IPv6)

The goals provided are: “The Name Servers for enthusiastdomain.example.org need to have AAAA records”, and “Those nameservers need to respond to queries made via IPv6” (The domain provided is the same domain as what was used in the Enthusiast-level test.)

The first step shows instructions, “If you need to edit off any subdomains to make it work, please do so” with the provided text box. An editable textbox has a default value of the domain used with the enthusiast level (e.g. “enthusiastdomain.example.org”, without quotation marks).

One possible option, as noted by Sam's Class: Hurricane Electric IPv6 Certification (Windows Version) Part 2, is to have the domain use Hurricane Electric's nameservers. This means setting the NS RRs in DNS to point to Hurricane Electric's nameservers. The positive benefit to doing that is that Hurricane Electric's nameservers will pass the tests, so that seems to be an easy way to pass this particular test. However, using your own nameservers should be rather trivial. Following are the small number of steps:

First, figure out what the nameservers are. e.g.:

nslookup -q=NS enthusiastdomain.example.org

Does that show any NS records? If not, try chopping off the first subdomain (that hasn't yet been chopped off by repeating this process as necessary). e.g.:

nslookup -q=NS example.org

Example output:

$ nslookup -q=NS the.example
Server:         192.0.2.1
Address:        192.0.2.1#53

Non-authoritative answer:
the.example      nameserver = ns.the.example.
the.example      nameserver = a.ns.the.example.
the.example      nameserver = ns1.the.example.
the.example      nameserver = b.ns.the.example.
the.example      nameserver = ns2.the.example.

Authoritative answers can be found from:
the.example      internet address = ns.the.example.
the.example      has AAAA address = ns.the.example.
the.example      internet address = a.ns.the.example.
the.example      has AAAA address = a.ns.the.example.
the.example      internet address = ns1.the.example.
the.example      has AAAA address = ns1.the.example.
the.example      internet address = b.ns.the.example.
the.example      has AAAA address = b.ns.the.example.
the.example      internet address = ns2.the.example.
the.example      has AAAA address = ns2.the.example.

$

The above example clearly shows that each nameserver does have an AAAA record. The important part is the section showing the answer. (It probably does not matter much whether the answer is authoritive or not. That simply is a result of which nameserver was used for this lookup.) That section shows five nameservers in the example. Use separate lookups if needed, and make sure that each of those nameservers has an AAAA address. If so, go ahead and proceed with the certification process. To do that, on the certification website, fill out the name of the subdomain to test (e.g. enthusiastdomain.example.org or a chopped variant, such as example.org. Then click on the “Test It!” button next to “Check to see that the nameservers associated with enthusiastdomain.example.org have IPv6 AAAAs”. on the certification website.

The button should be replaced with “Success”.

If the nameservers have AAAA records pointing to the IPv6 addresses used by the nameservers, and if IPv6 connectivity to those nameservers does in fact work, then choose the next “Test It!” button, which is the one by “Check to see that the nameservers associated with enthusiastdomain.example.org are IPv6 accessible”.

The button should be replaced with “Success”.

This may cause a 100 point jump, up to a desired 490 points. Also, a questionnaire shows.

Questionnaire

Do you feel like you learned (or refreshed) your knowledge by completing the Hurricane Electric IPv6 certification process?

  • Very much
  • Somewhat
  • Not at all

Question 2
Are you able to understand the material?

  • Yes
  • No

Question 3
Do you feel good about the Hurricane Electric free IPv6 certification process?

  • Yes
  • No

Question 4
Have you asked your domain name registrar if they support IPv6?

  • Yes
  • No
Sage Test (DNS IPv6 Glue Records)

“To complete the Sage Test you will need the authoritative nameservers for your domain, enthusiastdomain.example.org” [to] “have IPv6 glue at the registrar”

“Before submitting the test, please check the following requirements:”

  • “Your top level domain(TLD) must be IPv6 glue enabled.
    To check your TLD, please visit DNS report
  • “Your domain registrar must support IPv6 glue”
Checking the local nameservers

The first part of this test has a very similar feel to the Guru test. There is a text box next to step 1, “Edit your submitted domain to a substring if needed”. This text box shows the domain name used from the Enthusiast level, e.g. enthusiastdomain.example.org. Chop off one or more subdomains (e.g. chop off a subdomain from enthusiastdomain.example.org) if needed, so the test may involve just testing the main domain e.g. example.org).

With step #2, “Verify AAAA records of the namesevers for your domain”, just make sure the nameservers for the domain has AAAA records for the domain. Step 2's "Test It!" button was replaced with "Done". Also, the “Description” column showed “Completed: Displaying NS information” followed by details about the nameservers:

ns.example.org. 2001:470:a:1234::2
ns1.example.org. 2001:470:a:1234::2
ns2.example.org. 2001:470:a:1234::2
a.ns.example.org. 2001:470:a:1234::2
b.ns.example.org. 2001:470:a:1234::2

Since the output shows a bunch of information about nameservers, this may start to feel like the nameservers themselves were being tested. However, testing the nameservers was part of the Guru test. This test is really more about the domain.

Verifying the IPv6 glue

There is another requirement that the test may not be explicitly mentioning: the specific domain must be using IPv6 glue. So, before having the certification site run its tests, verify what IPv6 glue is being used for the domain.

For example, if this is a domain ending with .com, then choosing the “Test It!” button by step #3, “Verify IPv6 glue at TLD”, will show:

“TLD: com
“TLD Server: a.gtld-servers.net.

In Microsoft Windows, one may use:

nslookup -d example.com a.gtld-servers.net.

That uses the -d parameter described by TechNet: (Win2K TCP/IP?): Nslookup documentation, which “Lists all records”. In Linux, that command line does not seem to work. (No equivilent command line for Linux's nslookup has been found, either.) If the dig command is available, the following may work:

dig +norec @a.gtld-servers.net. example.com. NS

Look for the additional records. (nslookup shows a section called “ADDITIONAL RECORDS” and dig shows a section called “;; ADDITIONAL SECTION:”).

It is currently believed that is how the glue records are determined.

Review: Rob's guide part 2 shows a warning about a particular nameserver (ns1.he.net).

If a registrar (or TLD) does not support IPv6 glue

Three options:

  • Bug the organization. Encourage support for IPv6 glue
  • Switch to a different provider
  • Take the “out of bailiwick” approach

The last of those options simply means using a nameserver that is in a different domain. Specifically, this approach will require using a nameserver that is in a domain that is handled by a registar that supports IPv6 glue with the TLD (which implies that the TLD also supports IPv6 glue).

Hurricane Electric's IPv6 Video Presentations & Tutorials has a PDF Slideshow and a video presentation. In the for Sage level, video presentation, Tay says, “Your top-level domain must be IPv6 glue-enabled. If not, you must get a different TLD or use use "out of bailiwick". The term "out of bailiwick" means that the nameserver for your domain is not in the same domain.”

Once the IPv6 glue records are ready

If those glue records exist and show AAAA records, then great. Proceed with the test.

If successful, the “Description” column will say something like:

TLD: com
TLD Server: a.gtld-servers.net.
dig AAAA ns1.example.com. @a.gtld-servers.net.

IPv6 Glue record found: ns1.example.com. AAAA 2001:470:1:9ab::2
Congratulations! You've completed our IPv6 Certification

Then, like previous tests, the web page will automatically forward to a questionnaire. Current score may show as 510.

Sage Technical Test
http http://technet.microsoft.com/en-us/library/cc771640.aspx provides a term for a record type.

After the Sage Technical Test, may be up to 605. This is assuming successful completion of: Newbie Test (5/5), Exporer Test (1/1), Enthusiast Test (1/1), Enthusiast Questionnaire (5/5), Administrator Test (1/1), Administrator Questionnaire (4/4), Professional Test (1/1), Professional Questionnaire (4/4), Guru Test (1/1), Guru Questionnaire (4/4), Sage Test (1/1), Sage Technical Test (9/9)

Additional Tests

In the left frame, there is “Additional Tests” section.

http://robpickering.com/2011/03/how-to-become-a-certified-ipv6-technician-%E2%80%93-part-two-486 says, “After taking the Sage Technical Test you should have 900 points listed on your badge.”
Enthusiast Technical Test
http://ipv6.he.net/certification/testing.php?t_id=10 Worth 30 points
Admnistrator Technical Test

pre-score 635

http://ipv6.he.net/certification/testing.php?t_id=11

Hurricane Electric is not going to be encouraging use of IPv4 0.0.0.0/0, so Rob points to: http://www.tunnelbroker.net/forums/index.php?topic=355.0 These 11 questions are worth 5 points each, so 55 points total.

Professional Technical Test
http://ipv6.he.net/certification/testing.php?t_id=12 22 questions at 5 a piece is 110 points
Guru Technical Test
pre-score.... 800 http://ipv6.he.net/certification/testing.php?t_id=13 maybe? http://ipv6.he.net/certification/testing.php?t_id=13 http://robpickering.com/2011/03/how-to-become-a-certified-ipv6-technician-%E2%80%93-part-two-486 recommended: http://packetlife.net/blog/2008/aug/28/ipv6-neighbor-discovery/
Once a sage...

First, get 100 points by getting a free piece of swag: Hurricane Electric's annoucement about a free T-Shirt. The score card will increase by 100 points, and show an entry, “Validate address and T-shirt request ; Score: 1 / 1”. “This test requires you to validate your address and select a size for Sages's T-shirt.” Sizes have been known to be S, M, L, XL, XXL, and XXXL.

Wordpress article about getting points as a Sage has some good tips. The first is: Obtain some Internet sites that are known to support IPv6. If Hurricane Electric does any sort of automated processing with the submitted data, it might be nicer for Hurricane Electric to have a wide variety of sites being submitted. So, simply going to a common source to get Internet sites may not be the most helpful route. Furthermore, it is possible that part of HE's goal is to have people exploring the IPv6 Internet, by seeing what reguarly-visited Internet sites are supporting IPv6 on the Internet. That being said, it may be useful to gather a list of sites, for those days when tiredness outweighs feelings of exploration desire. The Wordpress article mentioned makes a reference to sixy.ch. (Note: The website at http://Sixy.ch has a logo that looks more like “6ixy.ch” but 6ixy.ch is not the same site (and may not be a valid site). So, be careful, if needed, to remember the site's right name (and not just the logo).)

Another great hint is: record the progress. Each day, make a habit of recording when the test was done. (That way, the following day it can be easily remembered exactly what time the test was done. That way, tests the next day won't be attempted after 23 hours and 45 minutes, which could lead a person to just decide to wait until hours later.) Also, record the IPv6 addresses. If simply storing this in a text file, sort by IPv6 address as data is entered. This could, after dozens of days have passed, prevent accidental re-submission of the same IPv6 address (which could be especially easy to happen if two very different DNS names happen to IPv6 addresses that are too similar. For instance, perhaps addresses that come from the same /64 block might be considered to be too similar?)

Check score

It seems that the score tends to jump up 5 points at a time, when doing a specific test (perhaps the Traceroute test). This step is entirely optional: Go to http://ipv6.he.net/certification/scoresheet.php?pass_name=username (customizing the username portion at the end of the URL). See the old score, which will help to determine what the new score is if/when a test is completed. Also optional: after each test, check for a score increase.

Traceroute

This test is particularly likely to show contents of the internal network being used. (The output may vary based on what subnet the test is run from.)

See: traceroute commands for details. This could be as simple as running “ traceroute6 example.com ” or “ traceroute -6 example.com ” or “ tracet -6 example.com ”, depending on the operating system being used.

It seems that sometimes “ traceroute6 example.com ” likes to show all the details up to, but not including, the last hop. Then subsequent systems are shown as stars. Such results should probably be considered to be an invalid traceroute. In some cases, better results have been known to be obtained by running a “ traceroute6 example.com ” (to the same destination) from another machine on another network. Another option may be to adjust things: simply change which IPv6 address will be used for the daily tests. An Internet site which will likely work better will be the last system that shows in the traceroute6 results which did show a valid domain name. By showing up, that Internet site is likely able to be communicated to easily, and by showing a name, that site likely has a suitable Reverse DNS name.

Store the results of that test, as some of the information (namely the DNS name and IPv6 address) will be useful for later tests. Also, host names mentioned may be useful later as possible sites that may be used for later daily tests.

Log into the Certification site at http://ipv6.he.net/certification/ if that hasn't been done yet. When logged in, go to the hyperlink that says “Submit an IPv6 Traceroute” (in the “Daily Tests” section on the left site of the Certification page). Submit the findings. Be careful that the process of copying the results (and pasting the copied text into the web form) does not mutilate/transform/alter any white space.

If all is well, the website will show some results, including the results of a ping6 command that Hurricane Electric runs, and hopefully also including the text “Result: Pass”. If so, check the scorecard, to see if the TraceRoute test has given 5 points.

Dig AAAA Test
dig example.org

... or, on many Unix machines, the following may be a bit nicer:

dig example.org | tee /tmp/digaaaa-$USER.txt

This will do a query for an “A” record, although there might be an AAAA record in the “ADDITIONAL SECTION”. (On the other hand, there might not even be an section called the “ADDITIONAL SECTION”.) If there is not an AAAA record provided in the “ADDITIONAL SECTION”, do a query for an AAAA record, using the syntax:

dig example.org AAAA | tee /tmp/digaaaa-$USER.txt

Using that syntax, which is more likely to provide desirable results than the first syntax shown, see if there is an AAAA record in the “ANSWER SECTION” or the “ADDITIONAL SECTION&Rdquo;. If so, then a suitable IPv6 address may have been successfully looked up, so try submitting the results. If not, try another site. Hint: If any nameservers had their DNS names show up on the “AUTHORITY” section, those may be suitable machines. It is more likely that those machines are run by an ISP, who may be more likely (than an average end user) to care about Reverse DNS. So the nameservers might be a good machines to try querying.

Make sure the web browser is still logged into the Certification site at http://ipv6.he.net/certification/ if that hasn't been done yet.

When logged into the Certification site, go to the hyperlink that says “Submit an IPv6 DIG AAAA” (in the “Daily Tests” section on the left site of the Certification page). Submit the findings. Be careful that the process of copying the results (and pasting the copied text into the web form) does not mutilate/transform/alter any white space.

If all is well, the website will show some results, including the results of a ping6 command that Hurricane Electric runs, and hopefully also including the text “Result: Pass”. The website will also mention the IPv6 address that was provided from the query for an AAAA record. Copy that address to the clipboard of the computer with the web browser, if that action will be convenient for running the next test.

DIG PTR

Have the IPv6 address handy. This address may come from the output of the dig command from the previous test, or from the website's output, or from using traceroute6 or ping6, or even a new lookup using “nslookup -q=AAAA example.org ”.

Run a command such as the following, customizing the IPv6 address.

dig -x 2001:db8::e PTR +noauthority +noadditional

... or, on many Unix machines, the following may be a bit nicer:

dig -x 2001:db8::e PTR +noauthority +noadditional | tee /tmp/digptr-$USER.txt

Note: The above instructions go squarely against the instructions from the website, which state, “Please enter your dig query 'output' below using the -x method (and do not use any other special flags like +short)”. However, if following those instructions from the website, experience has shown that the output may not be accepted. (In fact, this discrepency was a key motivation in deciding to create this guide to taking the daily tests.)

Check that an answer section does show info. If not, a probable cause is simply that the Internet site being queried does not have available Reverse DNS information, so use a different Internet site.

When logged into the Certification site, go to the hyperlink that says “Submit an IPv6 DIG PTR” (in the “Daily Tests” section on the left site of the Certification page). Submit the findings. Be careful that the process of copying the results (and pasting the copied text into the web form) does not mutilate/transform/alter any white space.

If all is well, the website will show some results, including the results of a ping6 command that Hurricane Electric runs, and hopefully also including the text “Result: Pass”. The website will also mention the IPv6 address that was provided from the query for an AAAA record. Copy that address to the clipboard of the computer with the web browser, if that action will be convenient for running the next test.

This test may be the one that seems most likely to reject entries because of prior use. If a /64 has been used, then using the same /64 may not work. Additionally, the site does seem to have rejected some entries which were not used before (according to carefully maintained documentation), so if a submission is rejected then don't feel alone. Rather, proceed to try another IPv6 address until one is suitable.

Note: If looking at a list of IPv6 addresses for various sites, it might be true that the administrator was more likely to set up Reverse DNS information for the site if the site has an address ending in ::1 or another such low number in the netblock.

Ping

The web page requests to use the IPv6 address to to use -n which is probably intended for Unix's command where -n typically causes numeric output to show. (Experience has shown that using -n may not be technically required. However, there's little reason to submit less preferred input.)

ping6 -n -c 1 example.org

For Microsoft Windows:

ping6 example.org

When logged into the Certification site, go to the hyperlink that says “Submit an IPv6 Ping” (in the “Daily Tests” section on the left site of the Certification page). Submit the findings.

Whois

The syntax that is needed may differ based on what site is being visited. The lookup will be done specifying the IPv6 address, but the registry to specify may be more clear by checking the domain.

(Related concept/info: WHOIS.)

ARIN sites

This includes North American sites, and the “generic” TLD's such as .org

The following may work for an IPv6 address that is related to a domain using a TLD ending with .org

whois -a 2001:db1::e
RIPE sites

The following may work for an IPv6 address that is related to a domain using a TLD ending with .co.uk or .cz or .it

whois -r 2001:db1::e
Other/misc

If the country code is a TLD of “.tld”, try something such as:

whois -c tld 2001:db1::e

If that doesn't work, in Unix try:

whois -a 2001:db1::e | grep ReferralServer:

In Microsoft Windows, if a whois command has been added to the system, the equivilent would be:

whois -a 2001:db1::e | FIND ReferralServer:

That may show output such as:

ReferralServer: whois://whois.ripe.net:43

That would be a strong indication to use RIPE. (Another strong indication would be many of the other lines referencing RIPE, if the output isn't piped through a filtering command.) In that case, either use the command shown for RIPE, or use a syntax such as:

whois -h whois.ripe.net 2001:db1::e | tee /tmp/whois-$USER

The output should show some sort of reference to an Admin Contact and a Tech Contact.