DevLog 250816 IPv6 Certification + Glue DNS Walkthrough

Today I passed the Hurricane Electric IPv6 certification through the Professional (Sage) level. This entry documents everything I did to build my own authoritative IPv6 DNS server from scratch, including tunnel config, glue record logic, and how I hacked BIND to behave long enough to pass.

This was one of those rare runs where every single part of the workflow was new, but nothing was opaque. I understood what I was doing. I didn't have to blindly copy/paste. From IPv6 routing to glue record delegation, this log walks through the full process with a self-hosted BIND server and tunnel from HE.net.

System Overview

• Domain: arynwood.com
• Registrar: name.com
• Tunnel Broker: Hurricane Electric
• Host OS: Ubuntu 24.04 LTS

Tunnel Creation

After signing up at https://ipv6.he.net/certification/, you can generate an IPv6 tunnel using their broker service.

• Client IPv6: 2001:470:b:1dd::2
• Server IPv4: 216.66.80.30
• Routed /64: 2001:470:b:1dd::/64

Configured on server with:

sudo ip tunnel add he-ipv6 mode sit remote 216.66.80.30 local [YOUR_IPV4] ttl 255
sudo ip link set he-ipv6 up
sudo ip addr add 2001:470:b:1dd::2/64 dev he-ipv6
sudo ip route add ::/0 dev he-ipv6
sudo sysctl -w net.ipv6.conf.all.forwarding=1

BIND Glue Records & Zone File

I manually constructed glue records for my authoritative nameserver ns1.arynwood.com which had to resolve with both an A and AAAA:

$TTL 86400
@ IN SOA ipv6.arynwood.com. lorelei.arynwood.com. (
  2025081601 ; Serial
  3600       ; Refresh
  1800       ; Retry
  1209600    ; Expire
  86400 )    ; Negative Cache TTL

@    IN  NS     ns1.arynwood.com.
@    IN  AAAA   2001:470:b:1dd::248
ns1  IN  A      162.248.7.248
ns1  IN  AAAA   2001:470:b:1dd::248

Zone defined in /etc/bind/named.conf.local:

zone "ipv6.arynwood.com" {
  type master;
  file "/etc/bind/db.ipv6.arynwood.com";
};

Verification & Debugging

Checked syntax and restarted BIND:

sudo named-checkzone ipv6.arynwood.com /etc/bind/db.ipv6.arynwood.com
sudo systemctl restart bind9

Ran dig tests to verify A, AAAA, and NS:

dig @localhost ipv6.arynwood.com AAAA
dig @localhost ns1.arynwood.com A
dig @localhost ns1.arynwood.com AAAA

Passed glue and PTR test with HE.net. Reverse DNS remains handled by their GUI.

DNS Quiz Concepts

• Glue record: A or AAAA record inserted into the parent zone to allow recursive servers to resolve nameservers
• GHOST record: Another name for glue — a hint record that doesn’t belong to your zone
• COM/NET glue authority: A.GTLD-SERVERS.net
• To request glue: You contact your registrar (not ARIN)

Post-Cert Cleanup

• Reverted Netlify DNS to get main site loading again
• Left ipv6.arynwood.com delegated for future tests
• PTRs managed through HE GUI for now (zero config, fully functional)

Next Steps

Eventually I’ll migrate the nameservers on rainkeep off Netlify and delegate my own NS to complete the move. Until then, this was a working IPv6 stack from raw tunnel to glue to authoritative zone file.

Status: Certified Sage. DNS is mine now.

Lorelei Noble

← Back to DevLogs