MGv6C-1.0 National release draft

MGv6C Standard

Malaysian Government IPv6 Compliance (MGv6C)

This page defines what MGv6C tests, why it tests it, how scoring works, what evidence is produced and how results remain suitable for repeatable audit. MGv6C-1.0 is aligned to the existing report output and does not require any changes to the current report format.

Standard Information

Standard ID: MGv6C-1.0
Edition: Website edition
Published: 2026-03-06 (UTC)
Control Set: Report Aligned

1 Purpose

MGv6C provides a national method to assess whether Malaysian Government services remain usable when users connect over IPv6. It focuses on external service readiness that can be measured objectively without requiring internal access.

  • Confirm IPv6 reachability for public services
  • Confirm dual-stack readiness during transition
  • Validate DNS operation over IPv6 and DNS integrity signals through DNSSEC
  • Confirm secure transport for web access over IPv6
  • Confirm email service readiness over IPv6 with baseline anti-spoofing checks
  • Generate evidence artefacts suitable for audit review

2 Scope

In-Scope Targets

  • Public websites and web applications
  • Public APIs delivered over HTTP/HTTPS
  • Authoritative DNS for the domain zone
  • Email delivery infrastructure

In-Scope Outcomes

  • Reachability over IPv6 and IPv4
  • IPv6-only reachability outcome
  • DNS and DNSSEC validation
  • TLS certificate validity for IPv6
  • Email transport readiness over IPv6
  • Email authentication signals (SPF, DMARC)
  • Evidence package for pass/fail justification

Out of Scope

  • Internal network design and internal-only services
  • Application vulnerability scanning beyond transport and DNS integrity
  • Penetration testing and content security assessment

3 Standards Alignment

MGv6C controls are mapped to recognised global standards. The control set is limited to what the current report measures while aligning rationale to international references.

Core IPv6 Reachability & Addressing

  • IETF IPv6 protocol specification (RFC 8200)
  • IETF Default address selection behaviour (RFC 6724)
  • IETF Dual-stack connection behaviour (RFC 8305)

DNS Integrity & DNSSEC

  • IETF DNSSEC requirements and architecture (RFC 4033)
  • IETF DNSSEC resource records (RFC 4034)
  • IETF DNSSEC protocol behaviour (RFC 4035)

Web Transport Security

  • IETF Recommendations for secure TLS deployment (RFC 7525)
  • IETF TLS 1.3 specification (RFC 8446)

Email Transport & Authentication

  • IETF SMTP transport (RFC 5321)
  • IETF SPF (RFC 7208), DKIM (RFC 6376), DMARC (RFC 7489)

Governance & Quality Foundations

  • ISO ISMS governance and control principles (ISO/IEC 27001)
  • ISO Quality model dimensions: reliability and security (ISO/IEC 25010)
  • ITU Performance parameter definitions for IP services (ITU-T Y.1540)

MGv6C references justify the existence of each control and guide interpretation during audit. MGv6C-1.0 uses the existing report control set and scoring.

4 Terms and Definitions

Assessed domain: A domain name under assessment including its public service hostnames and its authoritative DNS zone.
Primary service hostname: The hostname selected for the web test, typically the domain root or a declared primary web entry point.
Dual stack: A service that supports IPv4 and IPv6 concurrently.
IPv6-only reachability: A test outcome indicating the service is reachable when IPv4 connectivity is unavailable. This requires an IPv6-only test environment or equivalent enforcement.
Validating resolver: A DNS resolver that performs DNSSEC validation and reports the validation status.
Evidence artefact: A stored record supporting a control outcome, such as DNS responses, TLS certificate details or connection transcripts.
Scored control: A control that affects the MGv6C score.
Diagnostic indicator: A test output shown for transparency that does not affect the score.

5 Conformance Outcomes

MGv6C uses the same human-readable outcomes as the report. The score is a weighted percentage from 0 to 100.

Fully IPv6 Ready: Score 90 – 100
Partial Support: Score 60 – 89
No IPv6 Support: Score 0 – 59

6 Assessment Method and Test Environments

6.1 Non-Destructive Testing

MGv6C tests MUST be non-destructive and MUST avoid generating excessive traffic. Implementations SHOULD apply rate limits and sensible timeouts.

6.2 Network Environments

MGv6C recognises two execution contexts:

  • Dual stack — IPv4 and IPv6 available
  • IPv6 only — IPv4 unavailable

6.3 Determinism & Repeatability

Implementations SHOULD:

  • Use consistent resolver configuration
  • Store raw outputs for verification
  • Record test time and observed addresses
  • Record measured endpoint and port

7 Scoring Model

MGv6C scoring is fixed to match the current report format.

7.1 Category Weights (Fixed)

  • Web Services: 35%, 8 scored checks
  • DNS & DNSSEC: 25%, 5 scored checks
  • Email Services: 25%, 6 scored checks
  • IPv4 Baseline: 15%, 3 scored checks

7.3 Score Calculation

For each category:

CategoryRatio  = PassedScoredChecks / TotalScoredChecks
CategoryPoints = CategoryWeight × CategoryRatio

Overall MGv6C Score:

MGv6C Score = sum of all CategoryPoints (rounded to whole percent)

Worked example

If DNS & DNSSEC is 4/5 then DNS contribution is 25% × 0.8 = 20%. If all other categories are perfect then total becomes 95%.

INFO items and diagnostic indicators do not affect scoring.

8 Control Catalogue (Scored Controls)

This section defines the scored controls exactly as they appear in the report. Each control includes what is tested, why it matters, pass criteria, and the evidence expected.

Category A: Web Services

35% · 8 controls
A1 AAAA Record

What: Verify the service hostname publishes an IPv6 address (AAAA).
Why: IPv6 reachability requires AAAA publication for IPv6 clients.
Pass: At least one AAAA record is returned.
Evidence: Resolver response showing the AAAA answer.

A2 Globally Routable IPv6

What: Verify the IPv6 address is publicly routable.
Why: Reserved or non-routable addressing cannot serve public users.
Pass: The IPv6 address is global unicast and routable.
Evidence: Address list and classification result.

A3 HTTP over IPv6

What: Verify TCP port 80 responds over IPv6 and returns an HTTP response.
Why: Confirms baseline IPv6 transport reachability.
Pass: The IPv6 connection succeeds and an HTTP response is returned.
Evidence: Destination IPv6 address, port, status line and timing summary.

A4 HTTPS over IPv6

What: Verify TCP port 443 responds over IPv6 and returns an HTTPS response.
Why: Public services should be reachable securely over IPv6.
Pass: The IPv6 connection succeeds and an HTTPS response is returned.
Evidence: Destination IPv6 address, port, status line and timing summary.

A5 IPv6-Only Reachability

What: Verify the service is reachable in an IPv6-only context.
Why: Ensures users in IPv6-only networks can still access services.
Pass: Service is fully reachable via IPv6 only as reported.
Evidence: IPv6-only reachability result plus connection logs.

A6 TLS Certificate Valid (IPv6)

What: Validate the certificate presented over IPv6 for correctness and validity.
Why: Prevents invalid or expired certificates over IPv6 paths.
Pass: Certificate is valid for the hostname and within its validity period.
Evidence: Certificate subject, issuer, expiry and validation outcome.

A7 Dual-Stack (IPv4 + IPv6)

What: Verify that both A and AAAA records exist, indicating dual-stack publication.
Why: Dual stack supports transition while IPv4 remains widely used.
Pass: Both A and AAAA records exist.
Evidence: DNS answers for A and AAAA.

A8 HTTP/3 (QUIC)

What: Detect the HTTP/3 availability signal (Alt-Svc h3).
Why: Indicates modern transport support and may improve performance.
Pass: HTTP/3 availability is detected as reported.
Evidence: Response header evidence showing HTTP/3 signal.
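The address classification behind control A2, as an added example that is not part of the MGv6C tooling: it sorts each AAAA answer into a named range and produces the "address list and classification result" evidence. It checks address class only, not whether a route exists, and it assumes that A2 fails if any published address is non-global, which the standard does not state.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291 global unicast
NON_PUBLIC = [  # ranges that cannot serve public users, checked in order
    ("unique local (fc00::/7)", ipaddress.ip_network("fc00::/7")),
    ("link-local (fe80::/10)", ipaddress.ip_network("fe80::/10")),
    ("documentation (2001:db8::/32)", ipaddress.ip_network("2001:db8::/32")),
    ("multicast (ff00::/8)", ipaddress.ip_network("ff00::/8")),
    ("IPv4-mapped (::ffff:0:0/96)", ipaddress.ip_network("::ffff:0:0/96")),
    ("loopback (::1)", ipaddress.ip_network("::1/128")),
    ("unspecified (::)", ipaddress.ip_network("::/128")),
]

def classify_ipv6(text):
    """Return (is_global_unicast, classification) for one AAAA answer."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return False, "not a valid IPv6 address"
    for label, net in NON_PUBLIC:
        if addr in net:
            return False, label
    if addr not in GLOBAL_UNICAST:
        return False, "outside global unicast 2000::/3"
    if not addr.is_global:  # remaining IANA special-purpose blocks
        return False, "special-purpose range inside 2000::/3"
    return True, "global unicast"

def check_a2(aaaa_answers):
    """Assumption: A2 passes only if every published AAAA is global unicast."""
    classified = [(a, *classify_ipv6(a)) for a in aaaa_answers]
    ok = bool(classified) and all(passed for _, passed, _ in classified)
    return {
        "control": "A2",
        "result": "pass" if ok else "fail",
        "evidence": [{"address": a, "classification": c} for a, _, c in classified],
    }

if __name__ == "__main__":
    # Constructed AAAA answers: one public address and one leaked ULA.
    print(check_a2(["2001:4860:4860::8888", "fd12:3456:789a::1"]))
```

A hostname that publishes a ULA or documentation address next to a public one passes A1 and A7 but is flagged here, which is the usual cause of intermittent IPv6 failures for some clients.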

Category B: DNS & DNSSEC

25% · 5 controls
B1 NS Has AAAA Record

What: Verify authoritative nameservers publish IPv6 addresses.
Why: Enables authoritative DNS to be reachable over IPv6.
Pass: Nameserver has an IPv6 address.
Evidence: AAAA responses for NS hostnames.

B2 NS Reachable via IPv6

What: Verify authoritative nameservers are reachable over IPv6 on port 53.
Why: DNS availability depends on reachability.
Pass: Nameserver is reachable via IPv6 on port 53.
Evidence: Query attempt logs showing success over IPv6.

B3 NS Answers Queries via IPv6

What: Verify authoritative nameservers respond to DNS queries over IPv6.
Why: Confirms functional authoritative service over IPv6.
Pass: DNS queries are answered over IPv6.
Evidence: Query transcripts and response flags.

B4 DNSSEC Validated

What: Verify DNSSEC validation status for the zone.
Why: DNSSEC provides integrity and authenticity for DNS answers.
Pass: DNSSEC validation succeeds as reported.
Evidence: Validation result output and reason if failed.

B5 Reverse DNS (PTR)

What: Verify PTR existence for relevant published addresses.
Why: PTR supports traceability and operational reputation.
Pass: PTR record found as reported.
Evidence: PTR query result for the tested address.

Category C: Email Services

25% · 6 controls
C1 MX Record Exists

What: Verify the domain publishes MX records.
Why: Required for inbound mail routing.
Pass: MX record found.
Evidence: MX response.

C2 MX Server Has IPv6

What: Verify the mail server publishes an IPv6 address.
Why: Enables mail delivery via IPv6.
Pass: MX server has an AAAA record.
Evidence: MX AAAA response.

C3 SMTP Reachable via IPv6

What: Verify TCP port 25 responds over IPv6.
Why: Confirms mail transport reachability over IPv6.
Pass: SMTP port 25 responds over IPv6.
Evidence: Connection log and SMTP banner.

C4 STARTTLS over IPv6

What: Verify STARTTLS is supported over IPv6.
Why: Improves confidentiality for email transport.
Pass: STARTTLS supported over IPv6.
Evidence: SMTP transcript showing STARTTLS support.

C5 SPF Record

What: Verify an SPF record exists.
Why: Reduces spoofing risk for the domain.
Pass: SPF record found.
Evidence: TXT record containing SPF.

C6 DMARC Record

What: Verify a DMARC record exists.
Why: Enables policy and reporting for mail authentication failures.
Pass: DMARC record found.
Evidence: _dmarc TXT record.
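What "record found" means for C5 and C6 when working from raw TXT answers, as an added example that is not the MGv6C tool's own code. The TXT strings are constructed samples; the pass rule is the standard's existence check, and the note about multiple SPF records is an added diagnostic that does not change the result.

```python
import re

def join_txt(rdata):
    """Concatenate the quoted character-strings of one TXT record's rdata."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def find_spf(txt_records):
    """SPF records among the TXT answers at the domain name (RFC 7208)."""
    # The version tag must be exactly "v=spf1" followed by a space or the end,
    # so "v=spf10 ..." is not an SPF record.
    return [t for t in map(join_txt, txt_records)
            if re.match(r"v=spf1( |$)", t, re.IGNORECASE)]

def find_dmarc(txt_records):
    """DMARC records among the TXT answers at _dmarc.<domain> (RFC 7489)."""
    # "DMARC1" is matched case-sensitively and must be the first tag.
    return [t for t in map(join_txt, txt_records)
            if re.match(r"v[ \t]*=[ \t]*DMARC1[ \t]*(;|$)", t)]

def email_auth_controls(domain_txt, dmarc_txt):
    """Map TXT answers to C5/C6 results with the matching record as evidence."""
    spf, dmarc = find_spf(domain_txt), find_dmarc(dmarc_txt)
    note = "multiple SPF records cause permerror (RFC 7208)" if len(spf) > 1 else ""
    return {
        "C5": {"result": "pass" if spf else "fail", "evidence": spf, "note": note},
        "C6": {"result": "pass" if dmarc else "fail", "evidence": dmarc},
    }

if __name__ == "__main__":
    # Constructed answers for a hypothetical domain.
    domain_txt = ['"v=spf1 include:_spf.example.net " "-all"',
                  '"site-verification=constructed-token"']
    dmarc_txt = ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.net"']
    print(email_auth_controls(domain_txt, dmarc_txt))
```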

Category D: IPv4 Baseline

15% · 3 controls
D1 A Record

What: Verify the service hostname publishes an IPv4 address.
Why: IPv4 baseline remains relevant during transition.
Pass: A record exists.
Evidence: DNS A response.

D2 HTTP over IPv4

What: Verify TCP port 80 responds over IPv4.
Why: Confirms IPv4 service remains reachable.
Pass: HTTP responds over IPv4.
Evidence: Destination IPv4 address, port, status line and timing.

D3 HTTPS over IPv4

What: Verify TCP port 443 responds over IPv4.
Why: Confirms secure IPv4 baseline.
Pass: HTTPS responds over IPv4.
Evidence: Destination IPv4 address, port, status line and timing.

9 Diagnostic Indicators (Not Scored)

These items are displayed for transparency but do not affect the category score.

DNS & DNSSEC

  • Info DS Record at Parent
  • Info RRSIG Valid
  • Info Signing Algorithm

Email Services

  • Info DKIM Selector

Network Information

  • Info WHOIS/RDAP org, ASN, country, prefix

These items are useful for troubleshooting and remediation but are not counted in the scored ratio for that category in MGv6C-1.0.

10 Evidence Requirements

MGv6C assessments MUST produce evidence sufficient to justify each scored control outcome.

Minimum Evidence Set (Recommended)

  • Raw DNS answers for A, AAAA, NS and MX
  • DNSSEC validation outcome including failure reason when relevant
  • Connection evidence for HTTP and HTTPS over IPv4 and IPv6 including port
  • TLS certificate summary for IPv6 certificate validity
  • SMTP reachability evidence over IPv6 including STARTTLS outcome
  • Timestamp of test generation and assessed domain identity

Evidence should be stored in a manner that allows an auditor to review outcomes without re-running tests.

11 Reporting Requirements

Report Contents

  • Assessed domain and display hostname
  • Category weights and category pass counts
  • MGv6C score and label outcome
  • Per-control result (pass/fail or info)
  • Key observed IPv4 and IPv6 addresses
  • Optional RDAP summary for context
  • Test generation timestamp

Machine-Readable Output

A JSON representation of the same results is recommended to enable national dashboards.

JSON should include category weights, passed and total counts, plus outcomes.
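The scoring model of section 7 and the recommended JSON output, as an added example that is not the MGv6C tool's own code. The JSON field names and the round-half-up rule are assumptions, since the standard only says "rounded to whole percent"; the sample results are constructed.

```python
import json
from fractions import Fraction

# Fixed weights (percent) and scored-check counts from section 7.1.
CATEGORIES = {
    "Web Services": (35, 8),
    "DNS & DNSSEC": (25, 5),
    "Email Services": (25, 6),
    "IPv4 Baseline": (15, 3),
}

def label_for(score):
    """Map a whole-percent score to the section 5 outcome label."""
    if score >= 90:
        return "Fully IPv6 Ready"
    return "Partial Support" if score >= 60 else "No IPv6 Support"

def score_report(results):
    """results: {category: {control_id: 'pass' | 'fail' | 'info'}}."""
    total, categories = Fraction(0), {}
    for name, (weight, expected) in CATEGORIES.items():
        controls = results.get(name, {})
        # INFO items are diagnostic and never enter the ratio.
        scored = [r for r in controls.values() if r != "info"]
        if len(scored) != expected:
            raise ValueError(f"{name}: expected {expected} scored checks, got {len(scored)}")
        passed = scored.count("pass")
        points = Fraction(weight * passed, expected)  # exact, no float drift
        total += points
        categories[name] = {"weight": weight, "passed": passed, "total": expected,
                            "points": float(points), "controls": controls}
    # Assumption: "rounded to whole percent" means round half up.
    score = int(total + Fraction(1, 2))
    # Field names below are illustrative, not defined by the standard.
    return {"standard": "MGv6C-1.0", "score": score,
            "label": label_for(score), "categories": categories}

def sample_results(failed=()):
    """Constructed input: all scored controls pass except the IDs in `failed`."""
    res = {}
    for prefix, (name, (_, count)) in zip("ABCD", CATEGORIES.items()):
        ids = [f"{prefix}{i}" for i in range(1, count + 1)]
        res[name] = {cid: "fail" if cid in failed else "pass" for cid in ids}
    res["DNS & DNSSEC"]["DS Record at Parent"] = "info"  # diagnostic, not scored
    return res

if __name__ == "__main__":
    print(json.dumps(score_report(sample_results(failed={"B4"})), indent=2))
```

With only B4 (DNSSEC) failing, the result is 95 and "Fully IPv6 Ready", matching the worked example in section 7.3.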

12 Data Protection and Safe Testing

Data Minimisation

MGv6C evidence focuses on protocol-level artefacts. Avoid collecting unnecessary personal data.

Safe Testing

  • Tests should be rate limited
  • Timeouts should be applied
  • Only standard protocol handshakes

Integrity Protection

  • Evidence storage should be access controlled
  • Evidence should be protected from tampering

13 Versioning and Change Control

MGv6C MUST publish:

  • Standard version number
  • Publication date
  • Control set description
  • Change log for any future revisions

MGv6C-1.0 Change Policy

No changes are required to the existing report format. Any future MGv6C version that changes scoring MUST publish migration notes.

14 Interpretation Notes

1) Why DNSSEC can fail while other DNS items pass

DNS transport reachability can succeed even if the zone is unsigned or the chain of trust is incomplete. MGv6C scores DNSSEC validation explicitly via B4.

2) Why PTR is scored in DNS & DNSSEC

PTR improves traceability and operational hygiene. It is scored in MGv6C-1.0 because the current report scores it.

3) What "INFO" means

INFO items are diagnostic. They are displayed but do not affect scoring.

4) Why HTTP/3 is scored

MGv6C-1.0 follows the report which includes HTTP/3 in the Web Services scored list. Future versions may adjust but MGv6C-1.0 keeps it unchanged.

15 Frequently Asked Questions

Does MGv6C-1.0 require changing the current report?

No. MGv6C-1.0 is defined to match the current report structure and scoring.

Is MGv6C only for government domains?

The standard is published for Malaysian Government compliance but the tool may be used to assess any domain. Official compliance interpretation applies to in-scope government services.

What does "Fully IPv6 Ready" mean?

It means the MGv6C score is 90 to 100 based on the fixed weighted scoring model and the scored controls.

Can a domain be "Fully IPv6 Ready" while DNSSEC fails?

Yes. DNSSEC is one scored control within DNS & DNSSEC. A failure reduces the DNS category ratio, which reduces the final score, but the score may still remain above 90 depending on other results.