tjeske, the terminology in my Netgear D6400 router "6to4 Tunnel" settings is "6to4."  Also, I do not know what you mean by my router terminating the tunnel - please be more specific.  Finally, you will need to inform me regarding protocol 41 ( I know that it is not referring to port 41, though ).  Thank you. 

What do you mean "6to4"? HE uses "6in4", not "6to4".

And what do you mean you have configured it in Netgear D6400 router? Is this router capable of terminating the tunnel? If yes, then you don't need to paste anything in the Windows command prompt window. If no, then you need to forward protocol 41 (_not_ port 41!) to your PC where you enter the commands.

My connections through tserv13.ash1 go silent for minutes at a time, long enough to stop ssh with 400s timeouts.  During this nothing on v6 (outside my local network) pings (even www.he.net), the tunnel's v4 address does ping pretty much at all times through these outages.  This appears to happen fairly regularly, different times around hourly or a bit more often.  Possibly could be my router, though I have another tacked-up vpn (vti, though) that keeps up through these and doesn't seem to go bad.  I could switch to New York (adds 15ms or so) but don't want to change addresses if possible.
Is the server maybe running out of RAM or maybe a bad interface on a LAG?  I presume this doesn't hit everyone or I would have seen notes here already.

Actually wish VZ would get with the program and offer native V6 for business fios...  (some residential accounts have it already).  About once a month for several years now I listen for RADV packets and never see any :-(, and once in a while try configure dhcp-pd to no avail either. And of course when I call tech support they say "what's that" about ipv6.

-- Pete

Update: I am able to ping my He.net 6to4 tunnel IP address ( i.e., "2001:470:4:6a3::2" ) from the Microsoft Windows 10 ( Home ) Edition command prompt, as shown in the attachment, below.  Any suggestions? 

Running Microsoft Windows 10 ( Home ) Edition, Build 1903.  I followed the steps to cut and paste 6to4 tunnel commands in the command window, initially using the IPv4 address provided to the broker.  The response was okay.  6to4 tunnel is configured in Netgear D6400 router.  When I ping my He.net tunnel IPv6 address ( i.e., "2001:470:4:6a3::2" ), using the He.net "Looking Glass" link, the command times out.  Why is this happening? 

Thank you again. I'll check it out.

I do not know of any service that offers a hidden DNS primary.

I do know that the registrar I use (gkg.net) offers free DNS (including DNSSEC which is enabled via a single checkbox.  gkg.net takes care of all the signing details.) for domains that are registered there.  Maybe something like that is more what you need.   I use gkg.net for three of my domains and have been very pleased with them.

 

Thank you for the detailed explanation. I am not a very technical person in terms of Web and DNS servers, so my understanding is limited on this topic. What I understood is that I cannot avail DNSSEC with my current setup at HE. I'd need a middleman (a hidden DNS server that acts as primary) that generates required zones/DS keys using openDNSSEC and transfers them to HE (which will be my secondary DNS then).

Is it possible to get a hidden DNS server for free online? Or is it something that one needs to setup at home or subscribe to a paid service?

he.net's DNS service has support to function as a secondary DNSSEC DNS server.  It cannot act as a primary DNSSEC DNS server, i.e., he.net's DNS service cannot sign zones.  You have to have your sign the zones and then transfer the signed zones to he.net's secondary DNS service.

In a nutshell, here's how I do it...

Have a "hidden primary" DNS server, i.e. it is not public.  On that hidden primary DNS server, I run OpenDNSSEC to sign the zones and NSD to act as  the transfer agent.

When OpenDNSSEC signs a zone, it triggers a script that loads the newly-signed zone into NSD.  NSD then contacts the secondary server at he.net, and the secondary server initiates a zone transfer of the newly signed zone from NSD to he.net.

Also, in answer to your comment, OpenDNSSEC generates the DS keys, which I then insert into my registrar's interface.

I need to note that the DNSSEC at he.net does not support all DNSSEC records, but it does support all the ones I need. 

From what I understood, HE does not support DNSSEC yet, but please correct me if I am wrong.

My question is: My domain registrar supports DNSSEC. HE is my DNS provider. If I understand correctly, I need to obtain DS keys from HE and enter them in my registrar interface. Is this currently possible?