Suddenly cert problem

For IPv6, every device on your network has a globally unique address. To enable it on your server, you should make sure Apache is bound to ::, then open access from 80 and 443 through your firewall on the server and the firewall on your router.

I got that every device has a unique global address. And with your explanation, I think I slowly understand the main difference between v4 and v6: v4 has limited addresses and therefore, the dyndns v4 has its own address on the router external. For v6, the router's dyndns client connects to the dyndns server - and the forwarding is done independently for each device behind the router. That’s how my brain explains the situation.

The only missing thing is: Both my dyndns and my router do support both v4 and v6. An earlier answer was that a client connecting to my net is deciding which version to take. Is there an easy answer on which basis this decision is taken? I may think of the possibilities of the client/device. As far as I know, mobile devices still rely on v4, so this will still be here for quite some years.

Anyhow, it would be nice if anyone could fill the holes in my brain concerning the subject.
Besides: I thank everyone for helping me understand this. I really appreciate your help.

Hi @Khymick,

The behavior of every client is somewhat different. Some web browsers use a fallback mechanism where they are willing to fall back to IPv4 if IPv6 appears not to work. The fallback behavior may depend on the layer at which the connection failed.

The Let’s Encrypt CA has its own fallback method, which definitely depends upon the layer at which the connection failed. It starts with IPv6 and will in some cases fall back to IPv4 if the IPv6 connection doesn’t work.

In principle there are also many systems that are IPv6-only or IPv4-only. Also, with some models of carrier-grade NAT, the client’s ISP is essentially making this decision for it.

Some tools allow the user to explicitly specify one protocol or the other; for example, a number of Unix command-line networking tools allow specifying -4 for IPv4-only and -6 for IPv6-only (e.g. curl -4 or ssh -6). The default behavior of these tools may otherwise be “use v6 if advertised (with no fallback to v4); use v4 if v4 isn’t advertised”.

The Happy Eyeballs behavior or something similar to it is the most commonly implemented behavior for desktop web browsers that know that they are on a dual-stack network.

1 Like
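The situation this thread keeps returning to, a name that publishes both A and AAAA records while only one of them actually reaches the web server, can be checked per address family. The following is an added example, not part of any post in this thread; it assumes Python 3, and the names `check_dual_stack` and `diagnose` are made up for illustration.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def check_dual_stack(host, port=443, timeout=5.0,
                     resolve=socket.getaddrinfo,
                     connect=socket.create_connection):
    """Try a TCP connect to every A/AAAA address published for host.

    Returns {"IPv4": [(addr, ok, error)], "IPv6": [...]}. resolve/connect are
    injectable so the logic can be exercised without network access.
    """
    report = {"IPv4": [], "IPv6": []}
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return report  # the name has no usable records at all
    seen = set()
    for family, _type, _proto, _canon, sockaddr in infos:
        name, addr = FAMILIES.get(family), sockaddr[0]
        if name is None or addr in seen:
            continue
        seen.add(addr)
        try:
            connect((addr, port), timeout=timeout).close()
            report[name].append((addr, True, ""))
        except OSError as exc:
            report[name].append((addr, False, str(exc)))
    return report

def diagnose(report):
    """Summarise the report from the point of view of an IPv6-first client."""
    def state(name):
        rows = report[name]
        if not rows:
            return "absent"
        return "ok" if all(ok for _addr, ok, _err in rows) else "broken"
    v4, v6 = state("IPv4"), state("IPv6")
    if v6 == "broken":
        return ("IPv6 broken: AAAA is published but the server does not answer "
                "there; fix the record or remove it (IPv4 is %s)" % v4)
    if v4 == "broken":
        return "IPv4 broken: A is published but unreachable (IPv6 is %s)" % v6
    if v4 == v6 == "absent":
        return "no address records found"
    return "ok: IPv4 %s, IPv6 %s" % (v4, v6)

if __name__ == "__main__" and len(sys.argv) > 1:
    result = check_dual_stack(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    for fam, rows in result.items():
        for addr, ok, err in rows:
            print(fam, addr, "reachable" if ok else "FAILED: " + err)
    print(diagnose(result))
```

Run it with the host name and port 80 or 443 as arguments, from a machine outside the home network that itself has working IPv6; otherwise every IPv6 attempt fails locally and says nothing about the server.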

@schoen: Thanks a lot for your reply. It helps a lot to understand a little bit more.

What I did is to delete the entry in the “IPv6 (optional)” field of my dyndns (see screenshot). Now, I cannot ping my address with “ping -6 khymon.homelinux.net” anymore. But what is the correct way to get an IPv6/AAAA record for this? Shouldn’t this be automatically done by the dyndns service?

Sure, it should be automatic.

If @JuergenAuer and @ski192man are right about there not being any IPv6 NAT (port forwarding) in your scenario, then it would be more correct to keep the IPv6 DynDNS disabled for your domain - since you don’t want it pointing to your router’s IPv6 address.

Instead, you would configure your Linux server to automatically acquire a global IPv6 address via your ISP, and then you would set the AAAA record for your domain to that address.

That would leave you with a functional IPv6 setup for your webserver, I think.

I don’t know if it is possible to use a home ipv6 with a webserver.

I use outgoing ipv6. But incoming ipv6 -> only with servers in a data center, so the ipv6 address is fixed.

There are some incoming ipv6 systems with a FritzBox and something like a DynDNS randomname.myfritz.net and a special port.

Then a FritzBox DNS server acts as DynDNS and is able to change the ipv6 address if the ISP sends a new address (happens sometimes).

But your DynDNS doesn’t know anything about your router.