Introduction

A site can appear mostly healthy while still breaking for users whose networks prefer IPv6. That happens when the A record points to the correct server but the AAAA record still targets an old host, a different service, or a server that is not actually listening for the site. The fix is to treat IPv4 and IPv6 as equal production paths and verify they both terminate on the intended origin.

Symptoms

  • Some users can reach the site while others time out or land on the wrong content
  • IPv4 tests succeed but IPv6 tests fail
  • SSL or routing problems appear only on networks with working IPv6
  • The issue started after a migration, load balancer change, or DNS cleanup
  • One hostname fails while another on the same zone still works

Common Causes

  • The AAAA record still points to an old server after migration
  • IPv6 was enabled in DNS before the origin or load balancer was ready
  • The IPv6 listener serves a different virtual host or certificate than IPv4
  • A CDN or proxy configuration was updated for IPv4 but not for IPv6
  • DNS records were copied from a template without verifying the actual IPv6 target

Step-by-Step Fix

  1. Query the affected hostname for both A and AAAA records so you can compare IPv4 and IPv6 destinations directly.
  2. Test the site over IPv6 specifically to confirm whether the failure follows the AAAA record path.
  3. Verify the current AAAA record points to the correct live server, proxy, or load balancer for that hostname.
  4. Check that the target actually listens on IPv6 and serves the expected site, certificate, and backend routing.
  5. If the origin is not ready for IPv6, remove or disable the AAAA record rather than leaving a broken path active.
  6. Re-test from multiple resolvers and networks after updating the authoritative record.
  7. Compare behavior for apex, www, and any API or admin hostnames that may have separate AAAA records.
  8. Clear up stale DNS templates or deployment notes that could reintroduce the wrong IPv6 target later.
  9. Keep IPv6 validation in normal cutover checks so future migrations do not silently break part of your audience.