Noticed this weekend that I couldn’t respond to emails on my personal hosted domains. I thought at first first they changed my PD prefix, but it was up to date in Postfix. Tried submission port and it worked just fine. So looks like Comcast finally caught up with “feature parity” in disallowing outbound SMTP connections on TCP 25.
Not certain how much this actually counts as “Spam over IPV6” though. It was only the last bit of delivery to my account where IPv6 was involved. It still originated from IPv4.
Received from relay-6.dlfw.twtelecom.net ([2001:4870:6082:1::72]) by he.net for ; Tue, 13 Nov 2012 11:57:38 -0800
Received from localhost (unknown [127.0.0.1]) by relay-6.dlfw.twtelecom.net (Postfix) with ESMTP id 223346021E; Tue, 13 Nov 2012 12:47:42 -0700 (MST)
Received from relay-6.dlfw.twtelecom.net ([127.0.0.1]) by localhost (relay-6.dlfw.twtelecom.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMxIEAmBj2TU; Tue, 13 Nov 2012 12:47:42 -0700 (MST)
Received from aol.com (unknown [188.8.131.52]) by relay-6.dlfw.twtelecom.net (Postfix) with SMTP id D73BD60094; Tue, 13 Nov 2012 12:47:32 -0700 (MST)
Even though I’m no longer with HE.NET, I still take pride in what we did for IPv6 during my time there. One of the things I was happy to help create was the IPv6 Certification Program. In fact, I’m the first Sage, and not just because we had to make sure the tests worked 😛 I did it with one of my personal domains.
History: The program was born from the critical mass of two things going on at HE.NET
- The CEO pushing staff to get more accredited certifications completed
- The CEO asking to get 80-100 links to tunnelbroker.net while Sam and I rebuilt the front and backends
On one of those random 2AMs where I was looking at stuff to tweak for the broker, I was also updating various wikis on the internet with updated instructions for using it. A quick way to update and get fresh links to the site. I started thinking that we needed something else, that you could put on your website like a seal of approval or something, that linked back to the broker. I started thinking about proving that your site was IPv6 accessible. I came up with some random seals of approval over at Says-It. Here are some of the first ideas I had come up with:
I made a quick and dirty Perl CGI that took a domain, ran some DNS queries against it, and spat out Yes/No for the results. Tests were AAAA record, MX with AAAA record, NS with AAAA record. Took this to the CEO and he liked it so much, it became the next project after we finished revamping the broker.
So Sam and I began working on the Certification Program. We only had 3 titles to start:
- Enthusiast: could browse IPv6 enabled websites
- Professional: could host IPv6 websites and email
- Guru: proven ability to create PTR records and had nameservers available over IPv6
It was a bit rough around the edges at first, but eventually matured to where the project met the requirements set out before us, and eventually other people in the company contributed some great code and fixed bugs. Although we never really worked out the “Organization” side of the program, the “Individual” side had taken off with great interest. I had even started toying with the idea of swag, like a mug!
Why it is important: Even though not accredited (since that would require fees, offline testing, etc.), the program absolutely helps people test their IPv6 configuration skills regarding Web Servers, Mail Servers, and DNS servers & records. The idea isn’t to spoon-feed users step-by-step instructions, but rather set them with a task or goal to accomplish. The first level of “Newbie” isn’t that challenging. Read some text about IPv6, and answer some questions about what you just read.
The first challenge is the “Explorer” rank. To get this, you need IPv6 connectivity from the machine you view the site from. This is “eyeball”, or end-user, connectivity; usually provided over some sort of tunnel when native isn’t available. What this proves is that either: you knew to set up a tunnel, or didn’t know that your NAT appliance was secretly using 6to4 and pushing out RAs for auto-configuration, or teredo was enabled on your Windows machine, or you have native IPv6.
The next step is where more configuration is done on the hosting, or “content”, side. Here you need to have gotten IPv6 connectivity configured and working on a machine that will serve webpages, and configured a AAAA record for that server’s hostname/FQDN. After you put up a file that the program fetches, you’ll be awarded the “Enthusiast” title.
The following rank is “Administrator”, which you get after associating a AAAA record with your MX, and having an email sent to an account at that domain with a code you paste back in on the site, confirming the test.
Setting up a working Reverse DNS entry (PTR record) is the next step to complete in order to be rewarded with the title of “Professional”. The PTR record you must create is for that MX record.
Originally “Guru” was the last stage in testing. This requires two things of the participant:
- nameservers with AAAA records
- bring able to query those nameservers over IPv6, on their IPv6 address, for the AAAA record of the FQDN submitted for the “Enthusiast” webserving test.
Once a user had passed those two steps, they were done. Then after some more tinkering, we decided to add one final stage of testing: IPv6 glue for your domain.
Obtaining “Sage” means your domain has IPv6 glue submitted by your registrar, to the TLD nameservers. There are two ways to really accomplish this: either properly with host records set at the registrar, or using out of bailiwick nameservers (like .cc domain records served by nameservers in .net).
So that is it. A brief history of the program I co-created, and how it is designed to test one’s mettle with IPv6 configurations.