On 01/12/14 18:49, Michael Gorbach wrote: > On Nov 30, 2014, at 11:17 AM, Simon Kelley <si...@thekelleys.org.uk> > wrote: >> >> On 29/11/14 19:18, Michael Gorbach wrote: >>> Hi All, >>> >>> I've got a question and potential enhancement request. It looks >>> like right now, the (very useful) interface-name feature pulls >>> all (global) addresses from the interface. One of my machines >>> uses IPv6 privacy extensions (known in Linux as use_tempaddr), >>> which means that in addition to link-local and permanent global >>> addresses, it has a rotating cast of ~ 5 temporary addresses. I >>> suggest that dnsmasq should detect those temporary addresses and >>> not return them for queries that would otherwise hit >>> interface-name. Returning them as it does now means > 5 AAAA >>> records for a single name, which causes repeated confusion due to >>> things like SSH warning about an unknown host because it has >>> suddenly picked a previously-unknown temporary address to connect >>> to. Thoughts? >>> >> >> Sounds like a sensible suggestion. This facility was added before I >> was really familiar with IPv6 and all its extra complications. Most >> of those 5 temporary addresses will be "deprecated" ie hanging >> around for the use of existing connections, but not used for new >> ones. They definitely shouldn't appear, but I'm pretty convinced, >> unless anyone can come up with a good reason why not, that all >> privacy addresses should be elided, without exception. >> >> I wonder, though, if that's only true for forward (ie AAAA) >> lookups. Should a reverse lookup on an old privacy address still >> yield the name of the host it belongs to? > > Thanks, Simon. I’d agree that all the temporary addresses should be > skipped in forward resolution. In terms of reverse, I’d say there’s a > high amount of value in having at least the current temporary address > resolve to the correct host name. Temporary addresses are often > preferred for outbound connections, so if we don’t have reverse > resolution here then for example SSH is going to complain that it > can’t check reverse DNS. There’s probably some value in reverse > resolution for deprecated temporary addresses, for example if you > wanted to track down some client in your system logs from several > days ago, but it’s significantly lower. If that’s a large amount of > work, to me it’s something that wouldn’t be top-priority.
Since all the addresses - permanent, current privacy, and deprecated privacy - are there now, it's just a question of filtering them, with a bit of extra complication to do it differently for forward and reverse queries. I think I've convinced myself that this won't bite anyone if we make it a simple change-of-behaviour, rather than some new configuration option to request this behaviour. I'd feel more confident if others had a think about it and convinced themselves too. Cheers, Simon. > > Yours, ~ M. > >> >> >> >> Cheers, >> >> Simon. >> >> >> _______________________________________________ Dnsmasq-discuss >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk >> <mailto:Dnsmasq-discuss@lists.thekelleys.org.uk> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >> <http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss> _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
