Hurricane Electric's IPv6 Tunnel Broker Forums
  Show Posts
1  Tunnelbroker.net Specific Topics / Questions & Answers / Re: MTU best practice? on: March 25, 2013, 07:59:50 pm
Unless he means EDNS for dnssec lookups, and not transfers, that's UDP....

The problem I had in the past was zone transfer to dns.he.net.
I am running master DNS with Windows Server 2008 R2 and dns.he.net as slaves. The zone never gets updated without setting MTU=1280 on the router LAN interface (where the master DNS is). Wireshark on the master server shows that for every AXFR attempt, after the TCP handshake I get an ICMPv6 packet too large (payload was like 1292) for the AXFR response, MTU recommended 1280. But the packet resent is exactly the same as the original, but this time I don't see ICMPv6 Packet Too Big. Unless Wireshark is doing something wrong, I don't get why PMTUD didn't change MTU and why I didn't see ICMPv6 Packet Too Big this time... I remember Wireshark complaining something about packet size exceeding capture limit tho.
That's what gets me confused.

Modifying MSS can be done with ip6tables? Does it have a big performance impact on the router (say like 20000 concurrent connections)?
2  Tunnelbroker.net Specific Topics / Questions & Answers / MTU best practice? on: March 25, 2013, 12:06:09 pm
I set up the sit tunnel on RouterOS with the default /64 and advertise a /64 from the /48 assignment on the LAN. I set MTU on the LAN to 1280. Local IPv6 traffic can have a higher MTU. Without LAN MTU 1280, I see ICMPv6 packet too large occasionally and it seems to cause issues with DNS zone transfer (payload length higher than 1280). I don't think it should cause connectivity issues since ICMPv6 is not being filtered, but it might cause delay and break some poor implementations?
What's the best MTU setting in this kind of scenario? Thanks.
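The Packet Too Big handling and MSS arithmetic raised in the two MTU posts above, as an added example that is not part of the original posts. The sample ICMPv6 message is constructed, the 1500-byte LAN MTU and option-free TCP header are assumptions, and all function names are hypothetical.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20   # fixed IPv6 header, TCP header without options
IPV6_MIN_MTU = 1280          # minimum IPv6 link MTU (RFC 8200)

def parse_packet_too_big(icmp: bytes):
    """Return the MTU field of an ICMPv6 Packet Too Big message, else None."""
    if len(icmp) < 8:
        return None
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    return mtu if msg_type == 2 else None   # checksum is not verified here

def update_path_mtu(current: int, icmp: bytes) -> int:
    """Apply a Packet Too Big report the way PMTUD should (RFC 8201)."""
    reported = parse_packet_too_big(icmp)
    if reported is None:
        return current
    # Only ever lower the estimate, and never below the IPv6 minimum.
    return max(IPV6_MIN_MTU, min(current, reported))

def clamp_mss(advertised_mss: int, path_mtu: int) -> int:
    """MSS a router would write into a forwarded SYN for this path MTU."""
    return min(advertised_mss, path_mtu - IPV6_HDR - TCP_HDR)

def packet_sizes(data_len: int, mss: int):
    """IPv6 packet sizes produced when data_len bytes are sent with this MSS."""
    sizes = []
    while data_len > 0:
        chunk = min(mss, data_len)
        sizes.append(chunk + TCP_HDR + IPV6_HDR)
        data_len -= chunk
    return sizes

# Constructed sample: type 2, code 0, checksum 0, MTU 1280, then the first
# bytes of the packet that was too big (zero-filled placeholder).
SAMPLE_PTB = struct.pack("!BBHI", 2, 0, 0, 1280) + bytes(48)

if __name__ == "__main__":
    lan_mss = 1500 - IPV6_HDR - TCP_HDR      # MSS offered on a 1500-byte LAN
    print(packet_sizes(3000, lan_mss))       # packets too big for the tunnel
    pmtu = update_path_mtu(1500, SAMPLE_PTB)
    print(pmtu, packet_sizes(3000, clamp_mss(lan_mss, pmtu)))
```

On a Linux router the clamping step corresponds to the TCPMSS target in the ip6tables mangle table, applied to forwarded SYN packets.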
3  DNS.HE.NET Topics / General Questions & Suggestions / DNSSEC support? on: March 24, 2013, 10:32:02 pm
Is there a timeframe?
Currently does it support slave DNS server with DNSSEC?
thanks
4  Tunnelbroker.net Specific Topics / Questions & Answers / Re: multiple tunnels from the same ipv4 endpoint on: March 16, 2013, 10:32:56 am
Thanks for the info.

I guess doing it without BGP is possible but kinda messy. I do have multiple public IPs but the tunnels can't share the same prefix. I hate to get NAT involved...
I can maybe give two ipv6 addresses to each client but that increases the work on client/dns configuration. I should get my ASN and prefix someday....
5  Tunnelbroker.net Specific Topics / Questions & Answers / multiple tunnels from the same ipv4 endpoint on: March 16, 2013, 06:32:34 am
If I have one IPv4 address, can I set up multiple 6in4 tunnels to different tunnel servers for redundancy? Currently tunnelbroker doesn't allow multiple tunnels created to the same IP. Isn't it technically possible to have multiple tunnels to the same endpoint IP?
I would like my router to be associated with more than 1 6in4 relay server. Can I do it without a public ASN?
6  Tunnelbroker.net Specific Topics / Questions & Answers / Re: Reverse Zones via AXFR on: March 13, 2013, 08:36:38 pm
Have you tried going to the advanced tab and deleting the automatically generated reverse zone? I am not sure if it will be regenerated when you edit tunnel settings. I changed the first rDNS to my own DNS.
7  General IPv6 Topics / IPv6 Software Applications & Hardware Appliances / Re: Online BIND reverse zone generator for IPv6 on: March 13, 2013, 08:35:56 pm
try this one
http://www.dnskey.net/Main.html
8  Tunnelbroker.net Specific Topics / Questions & Answers / Re: ordns.he.net lacks EDNS? on: October 14, 2012, 06:03:20 pm
I guess this is probably to prevent abuse...
EDNS can be used for reflection DDoS attacks
9  Tunnelbroker.net Specific Topics / Questions & Answers / ipv4.tunnelbroker.net https certificate on: October 14, 2012, 05:46:03 pm
wget --no-check-certificate

Code:
Resolving ipv4.tunnelbroker.net (ipv4.tunnelbroker.net)... 64.62.200.2
Connecting to ipv4.tunnelbroker.net (ipv4.tunnelbroker.net)|64.62.200.2|:443... connected.
WARNING: cannot verify ipv4.tunnelbroker.net's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435':
  Self-signed certificate encountered.
WARNING: certificate common name `tunnelbroker.net' doesn't match requested host name `ipv4.tunnelbroker.net'.
HTTP request sent, awaiting response... 401 Unauthorized
Connecting to ipv4.tunnelbroker.net (ipv4.tunnelbroker.net)|64.62.200.2|:443... connected.
WARNING: cannot verify ipv4.tunnelbroker.net's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435':
  Self-signed certificate encountered.
WARNING: certificate common name `tunnelbroker.net' doesn't match requested host name `ipv4.tunnelbroker.net'.
HTTP request sent, awaiting response... 200 OK

Why do I get a 401 on the first attempt? Why doesn't my wget trust the wildcard cert for ipv4.tunnelbroker.net?
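The hostname mismatch that wget reports above, reproduced as an added example that is not part of the original post. It implements the usual RFC 6125-style rule that a wildcard covers exactly one leftmost label; the function names are hypothetical, the `*.tunnelbroker.net` pattern is a constructed comparison value, and refusing wildcards with fewer than three labels is a policy assumption.

```python
def _labels(name: str):
    """Lower-case DNS labels of a name, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Assumed policy: reject over-broad patterns such as "*.net".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_matches(host: str, common_name: str, san_dns=()) -> bool:
    """Check host against a certificate's names.

    When subjectAltName dNSName entries are present they are authoritative
    and the common name is ignored; the CN is only a fallback.
    """
    names = list(san_dns) if san_dns else [common_name]
    return any(name_matches(n, host) for n in names)

if __name__ == "__main__":
    host = "ipv4.tunnelbroker.net"
    # Common name exactly as printed in the wget warning above.
    print(cert_matches(host, "tunnelbroker.net"))
    # Constructed: what a wildcard certificate would have to carry.
    print(cert_matches(host, "*.tunnelbroker.net"))
    # A wildcard still does not cover the bare domain or deeper names.
    print(cert_matches("tunnelbroker.net", "*.tunnelbroker.net"))
    print(cert_matches("a.ipv4.tunnelbroker.net", "*.tunnelbroker.net"))
```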
10  Tunnelbroker.net Specific Topics / Questions & Answers / Re: Regular outages on CHI, 2000-3000ms latency spikes on DAL, where to next? on: October 14, 2012, 05:37:50 pm
Are you experiencing any issues other than ping? The router in your traceroute is likely to deprioritize ICMP replies
11  Tunnelbroker.net Specific Topics / Questions & Answers / only one public IP? on: March 27, 2012, 12:54:44 am
I want to get IPv6 on several computers but only have one public IP. My router uses DD-WRT but the build doesn't support IPv6 (someone removed it due to the size of flash). If it has IPv6 support I guess I can set up the tunnel and enable DHCPv6. But what can I do without IPv6 support on the router?
Right now I have the tunnel up on a computer behind NAT. dunno how to bring IPv6 to other computers.  My ISP doesn't provide more than 1 ip address.
12  Tunnelbroker.net Specific Topics / Questions & Answers / Re: tunnel behind NAT on: March 27, 2012, 12:45:44 am
problem solved... as long as the tunnel is up, the NAT is transparent(can be ignored)
The problem is caused by access control settings in the mail server and auto-ban(hmailserver)....... It took me like 2 hours to find out my own ip has been banned.....
13  Tunnelbroker.net Specific Topics / Questions & Answers / tunnel behind NAT on: March 26, 2012, 07:06:35 am
I successfully set up the tunnel and now I can open ipv6 websites. I set up a website in IIS7 but it seems nobody else can access the site.
The way I did it is create an AAAA record to my IPv6 client address and then I can open the website with the domain, but Google webmaster tools (verification) can't.
I don't think it has anything to do with NAT anymore since the tunnel is already up. The router is running DD-WRT v24-sp2 and I didn't change any settings on the router for IPv6. I don't think this build has IPv6 support.

Edit:
Interesting, I can load the page with an ipv6 proxy. http://www.ipv6proxy.net, but still Google webmaster tools and HE certification Enthusiast level can't load the test pages...
I am pretty sure it works cuz I can see both my own IP and the IP of the proxy server in the IIS log. So why do those 2 tests fail (seems like a DNS error, doesn't send GET request to the server at all)? The domain is AAAA.ranceyu.com
test pages
/pevk8y8d7d.txt
/google9560042168ddb69a.html
14  General IPv6 Topics / IPv6 on Windows / Re: multiple tunnels with one public ip? DNS? on: March 05, 2012, 02:03:21 pm
the client ip address HE gave me is Client IPv6 Address:2001:abc:d:efgh::2/64
I can use 2001:abc:d:efgh::3/64, 2001:abc:d:efgh::4/64 for my additional devices?

I am talking about adding a dns server to the client.

netsh interface ipv6 set dnsserver name="IP6Tunnel" static 2001:470:20::2
netsh interface ipv6 add dnsserver "IP6Tunnel" 2001:4860:4860::8888 Index=2
netsh interface ipv6 add dnsserver "IP6Tunnel" 2001:4860:4860::8844 Index=3

I guess this is how to add dns servers?



15  General IPv6 Topics / IPv6 on Windows / multiple tunnels with one public ip? DNS? on: March 04, 2012, 10:45:08 pm
I have only one public ip and want to get two computers behind NAT ipv6tunnel. One computer works just fine but the second one won't work... Tunnel connected but ping times out.

I guess that's because the two computers have the same ipv6 address.

How can I add DNS to the IP6Tunnel interface... I did it before but don't remember how now...
Thanks