DevLog 250816 IPv6 Certification + Glue DNS Walkthrough

> Log Date: 2025-08-16

Today I passed the Hurricane Electric IPv6 certification through the Professional (Sage) level. This entry documents everything I did to build my own authoritative IPv6 DNS server from scratch, including tunnel config, glue record logic, and how I hacked BIND to behave long enough to pass.

This was one of those rare runs where every single part of the workflow was new, but nothing was opaque. I understood what I was doing. I didn't have to blindly copy/paste. From IPv6 routing to glue record delegation, this log walks through the full process with a self-hosted BIND server and tunnel from HE.net.


System Overview


Tunnel Creation

After signing up at https://ipv6.he.net/certification/, you can generate an IPv6 tunnel using their broker service.

Configured on server with:

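# 6in4 (SIT) tunnel: remote is the tunnel broker's IPv4 endpoint, local is this host's public IPv4
sudo ip tunnel add he-ipv6 mode sit remote 216.66.80.30 local [YOUR_IPV4] ttl 255
sudo ip link set he-ipv6 up
# Assign the IPv6 address to the tunnel interface
sudo ip addr add 2001:470:b:1dd::2/64 dev he-ipv6
# Send all IPv6 traffic through the tunnel
sudo ip route add ::/0 dev he-ipv6
# Enables IPv6 forwarding on all interfaces; only required if this host routes for other machines
sudo sysctl -w net.ipv6.conf.all.forwarding=1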

BIND Glue Records & Zone File

I manually constructed glue records for my authoritative nameserver ns1.arynwood.com, which had to resolve with both an A and an AAAA record:

$TTL 86400
@ IN SOA ipv6.arynwood.com. lorelei.arynwood.com. (
  2025081601 ; Serial
  3600       ; Refresh
  1800       ; Retry
  1209600    ; Expire
  86400 )    ; Negative Cache TTL

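@    IN  NS     ns1.arynwood.com.
@    IN  AAAA   2001:470:b:1dd::248
; Relative owner names are expanded against the zone origin, so the
; "ns1" records below define ns1.ipv6.arynwood.com.
ns1  IN  A      162.248.7.248
ns1  IN  AAAA   2001:470:b:1dd::248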

Zone defined in /etc/bind/named.conf.local:

zone "ipv6.arynwood.com" {
  type master;
  file "/etc/bind/db.ipv6.arynwood.com";
};

Verification & Debugging

Checked syntax and restarted BIND:

sudo named-checkzone ipv6.arynwood.com /etc/bind/db.ipv6.arynwood.com
sudo systemctl restart bind9

Ran dig tests to verify A, AAAA, and NS:

dig @localhost ipv6.arynwood.com AAAA
dig @localhost ns1.arynwood.com A
dig @localhost ns1.arynwood.com AAAA

Passed glue and PTR test with HE.net. Reverse DNS remains handled by their GUI.
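
As an added example (not part of the original log): a stdlib-only Python check that expands the zone's relative names against its origin and reports, for each NS target, whether it is in-zone (and which of A/AAAA it lacks) or out-of-zone. The function names and the first-label look-alike heuristic are assumptions of this example, and the parser handles only single-line `owner IN type rdata` records.

```python
# Added example, not the author's code. Records are the page's zone file, SOA omitted.
ZONE_ORIGIN = "ipv6.arynwood.com."  # zone name from named.conf.local
ZONE_TEXT = """\
@    IN  NS     ns1.arynwood.com.
@    IN  AAAA   2001:470:b:1dd::248
ns1  IN  A      162.248.7.248
ns1  IN  AAAA   2001:470:b:1dd::248
"""
ADDR_TYPES = {"A", "AAAA"}

def fqdn(name, origin):
    """Expand as BIND does: '@' is the origin; no trailing dot means relative."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text, origin):
    """Return (owner, type, rdata) for plain 'owner IN type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, tokenize
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue  # simplification: no TTL column, no multi-line records
        owner, rtype = fqdn(fields[0], origin), fields[2].upper()
        rdata = fqdn(fields[3], origin) if rtype == "NS" else fields[3]
        records.append((owner, rtype, rdata))
    return records

def check_ns_targets(zone_text, origin):
    """Map each NS target to ('in-zone', missing address types) or
    ('out-of-zone', in-zone address owners sharing its first label)."""
    records = parse(zone_text, origin)
    owners = {}  # owner name -> address record types defined for it
    for owner, rtype, _ in records:
        if rtype in ADDR_TYPES:
            owners.setdefault(owner, set()).add(rtype)
    findings = {}
    for target in (r[2] for r in records if r[1] == "NS"):
        if target == origin or target.endswith("." + origin):
            findings[target] = ("in-zone", sorted(ADDR_TYPES - owners.get(target, set())))
        else:  # addresses must be served by another zone; flag look-alikes
            label = target.split(".")[0]
            twins = sorted(o for o in owners if o.split(".")[0] == label)
            findings[target] = ("out-of-zone", twins)
    return findings

if __name__ == "__main__":
    print(check_ns_targets(ZONE_TEXT, ZONE_ORIGIN))
```

For the records above it reports `ns1.arynwood.com.` as out-of-zone, so that name's A and AAAA have to be published by the `arynwood.com` zone rather than this one.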


DNS Quiz Concepts


Post-Cert Cleanup


Next Steps

Eventually I’ll migrate the nameservers on rainkeep off Netlify and delegate my own NS to complete the move. Until then, this was a working IPv6 stack from raw tunnel to glue to authoritative zone file.

Status: Certified Sage. DNS is mine now.

Lorelei Noble
