feat(web-arm): inbound IPv6 bulk rollout — sibling AAAA for all web-arm domains #83

Open
opened 2026-06-03 15:34:24 +02:00 by dominik.polakovics · 0 comments

What to build

Dual-stack the rest of the web-arm fleet: for every domain that currently resolves to 188.34.191.144, add a sibling AAAA -> 2a01:4f8:c012:43b::1 in its DNS zone. Most zones are on Hetzner DNS; at least scana11y.com is on Cloudflare (DNS-only, real origin). www.* CNAMEs inherit automatically.

Explicitly exclude domains that have a sites/*.nix file on web-arm but point elsewhere in DNS — e.g. dialog-relations.at resolves to IONOS (217.160.0.175) with its own IPv6. The DNS A record (= 188.34.191.144), not the presence of a site file, is the source of truth for what web-arm actually serves.

Note: CNAME is not a shortcut here — most of these are apex domains where CNAME is illegal, and Hetzner DNS has no ALIAS/ANAME flattening. Add a sibling AAAA next to each existing A, the same shape as the current IPv4 records.

Acceptance criteria

  • Every domain resolving to 188.34.191.144 has a matching AAAA = 2a01:4f8:c012:43b::1
  • Domains pointing elsewhere (e.g. dialog-relations.at) are left untouched
  • Spot-check passes: several apex + subdomain sites load over IPv6 with valid certs, across both Hetzner DNS and Cloudflare
  • The list of domains touched is recorded (in this issue or a repo note)

Blocked by

  • #82 — the inbound pilot must verify the end-to-end v6 path first
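An added sketch (not part of the issue or the repository) of how the first two acceptance criteria could be audited per domain: the A record decides scope, and the AAAA is compared as a parsed address rather than as a string. The names `classify`, `audit`, `resolve`, `SAMPLE` and the `.example` domains are assumptions made for illustration; TLS certificate checks are not covered.

```python
import ipaddress
import socket
import sys

# Values taken from the issue text.
WEB_ARM_V4 = ipaddress.ip_address("188.34.191.144")
WEB_ARM_V6 = ipaddress.ip_address("2a01:4f8:c012:43b::1")

def classify(a_records, aaaa_records):
    """Rollout state of one domain, from its resolved A and AAAA answers."""
    # Parse instead of comparing strings: zones and resolvers may print the
    # same IPv6 address expanded, compressed or in upper case.
    v4 = {ipaddress.ip_address(r) for r in a_records}
    v6 = {ipaddress.ip_address(r) for r in aaaa_records}
    if WEB_ARM_V4 not in v4:
        return "out-of-scope"   # A record is the source of truth: do not touch
    if not v6:
        return "missing-aaaa"   # still needs the sibling AAAA
    if v6 == {WEB_ARM_V6}:
        return "ok"
    return "wrong-aaaa"         # stale or extra AAAA sends v6 clients elsewhere

def audit(records):
    """records: {domain: (a_list, aaaa_list)} -> {domain: state}."""
    return {name: classify(a, aaaa) for name, (a, aaaa) in records.items()}

def resolve(name, family):
    """System-resolver lookup; follows CNAMEs, so www.* names are covered."""
    try:
        infos = socket.getaddrinfo(name, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

# Constructed sample answers (hypothetical .example names, not real zones).
SAMPLE = {
    "done.example": (["188.34.191.144"], ["2a01:04f8:c012:043b:0:0:0:1"]),
    "todo.example": (["188.34.191.144"], []),
    "stale.example": (["188.34.191.144"], ["2001:db8::1"]),
    "elsewhere.example": (["217.160.0.175"], ["2001:db8::2"]),
}

if __name__ == "__main__":
    names = sys.argv[1:]
    live = {n: (resolve(n, socket.AF_INET), resolve(n, socket.AF_INET6)) for n in names}
    for name, state in sorted(audit(live or SAMPLE).items()):
        print(f"{state:13} {name}")
```

Run with domain names as arguments to audit live DNS, or with no arguments to print the constructed sample.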
Reference
Cloonar/nixos#83