AAAA record

An AAAA record is the IPv6 version of an A record. Same job: map a hostname to an address. Different address family: 128 bits instead of 32.

Type code 28, defined in RFC 3596. The address format is specified in RFC 4291. The IPv6 protocol itself is RFC 8200. All three are Internet Standards.

What it is

Same five fields as an A record, one new type:

example.com.  3600  IN  AAAA  2001:0db8:85a3::8a2e:0370:7334

Clients that have IPv6 connectivity will try this before the IPv4 address. Clients that do not will quietly ignore it.

The address

Address anatomy: 128 bits in 8 groups

  full form:             2001:0db8:85a3:0000:0000:8a2e:0370:7334
  compressed with "::":  2001:0db8:85a3::8a2e:0370:7334

:: fills in one run of zero groups. It can appear at most once per address.

Three zones of meaning:

  • routing prefix (48 bits): assigned to your ISP, then to you
  • subnet (16 bits): 65,536 subnets per /48 allocation
  • interface ID (64 bits): the host within the subnet

128 bits is 340 undecillion addresses. Every device on earth, every device that has ever existed, every device that could theoretically exist, gets its own. Address exhaustion was the reason for IPv6. The rest of the design (simpler header, no NAT, end-to-end routability) was the bonus.

Dual stack and Happy Eyeballs

Most public hosts publish both an A and an AAAA. Clients with IPv6 try it first and fall back to IPv4 if it fails. The algorithm is Happy Eyeballs (RFC 8305): race both, use whichever connects first.

Happy Eyeballs (RFC 8305), worked through:

DNS returns both:

  AAAA  2001:0db8:85a3::7334
  A     93.184.216.34

The client races both connections:

  • IPv6: connected in 50ms, wins
  • IPv4: connected in 80ms (cancelled), dropped

When IPv6 works, Happy Eyeballs picks it. The IPv4 attempt is cancelled as soon as IPv6 succeeds. Dual-stack is fast.

The failure case is the reason "broken IPv6 is worse than no IPv6." A client that tries IPv6 first and hits a timeout has to wait it out before falling back. Users see a slow page load for no reason. If you publish an AAAA, it must actually work.

Why bother

  • Mobile networks. Large mobile carriers are IPv6-first internally. Traffic going to an IPv4-only server is translated through NAT64 and CGNAT, which adds latency and costs the carrier money.
  • Corporate networks. Microsoft 365, Google Workspace, and modern CDNs all speak IPv6. A service without AAAA is the odd one out.
  • Signal to operators. A vendor without an AAAA on its main site in 2026 is telling you something about its operational posture, same way no HTTPS told you something in 2015.

Getting AAAA is usually one checkbox in your hosting provider (Cloudflare, Vercel, Netlify, Fly.io, AWS, GCP, Azure). All of them turn it on by default for new deployments.

Common mistakes

AAAA that does not actually work

The record exists. The server is not reachable on IPv6 (firewall drops packets, no binding, wrong address). Clients hit the timeout before falling back. Measurable latency cost.

AAAA to a link-local or ULA address

fe80:: is link-local, fc00::/7 is unique local (the IPv6 equivalent of RFC 1918). Neither routes on the public internet. Usually a misconfigured internal DNS leaking out.

A on apex, AAAA missing on www (or vice versa)

Partial dual-stack. Mobile clients get mixed behaviour depending on which hostname they hit. Publish both records on both names.

Firewall blocks ICMPv6

IPv6 relies on ICMPv6 for Path MTU Discovery. Blocking it silently breaks connections for clients on smaller MTU paths. Allow ICMPv6 even when you drop other ICMP.

Allowlisting only IPv4

Your firewall allows 1.2.3.4. The service now publishes an AAAA and clients arrive from a 2001:db8:: address. The allowlist does not match. Include IPv6 CIDRs.
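
Three of the mistakes above (AAAA pointing at link-local or ULA space, partial dual-stack, IPv4-only allowlists) can be caught offline before a zone or firewall change ships. The audit below is an added example, not code from the original page; the record set, hostnames, issue labels and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone data (name, type, rdata); not from a real zone.
RECORDS = [
    ("example.com.", "A", "192.0.2.10"),
    ("example.com.", "AAAA", "2001:db8:85a3::8a2e:370:7334"),
    ("www.example.com.", "A", "192.0.2.10"),
    ("vpn.example.com.", "A", "192.0.2.20"),
    ("vpn.example.com.", "AAAA", "fd00:1234::20"),
    ("mail.example.com.", "A", "192.0.2.30"),
    ("mail.example.com.", "AAAA", "fe80::1"),
]

# Ranges that never route on the public internet.
NON_ROUTABLE = {
    "aaaa-link-local": ipaddress.ip_network("fe80::/10"),
    "aaaa-unique-local": ipaddress.ip_network("fc00::/7"),
}

def audit(records):
    """Return (name, issue) findings for a list of (name, type, rdata)."""
    findings = []
    types_by_name = defaultdict(set)
    for name, rtype, rdata in records:
        types_by_name[name].add(rtype)
        if rtype != "AAAA":
            continue
        addr = ipaddress.IPv6Address(rdata)  # raises on malformed rdata
        for issue, net in NON_ROUTABLE.items():
            if addr in net:
                findings.append((name, issue))
    # Partial dual-stack: a name that answers for one family only.
    for name, seen in types_by_name.items():
        if "A" in seen and "AAAA" not in seen:
            findings.append((name, "missing-aaaa"))
        elif "AAAA" in seen and "A" not in seen:
            findings.append((name, "missing-a"))
    return findings

def allowlist_misses(allowlist, sources):
    """Return source addresses that no allowlist CIDR covers."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    # An IPv6 source never matches an IPv4 network, and vice versa.
    return [s for s in sources
            if not any(ipaddress.ip_address(s) in n for n in nets)]

if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(*finding)
    print(allowlist_misses(["192.0.2.10/32"], ["192.0.2.10", "2001:db8::50"]))
```

Reachability of the published address and ICMPv6 handling need a live probe from an IPv6-connected host and are outside this offline check.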

