Re: [Dnsmasq-discuss] Network booting with stateful IPv6 addressing

2017-02-27 Thread Simon Kelley

I'm slightly confused as to the problem here. The identity of a lease
is defined by the Client-ID and IAID, if those change then dnsmasq
will allocate a new address. That means that your boot process will go
through three different addresses, but should end up with a usable and
stable address. It's not as if there is a shortage of IPv6 addresses,
you can afford a couple of disposable addresses that only get used
during the boot.

What have I missed?


Cheers,

Simon.



On 27/02/17 16:04, Derek Higgins wrote:
> I've recently been trying to use dnsmasq IPv6 to network boot,
> after a number of hurdles the last problem I've been having is that
> during the boot process (after dnsmasq initially hands out an IP
> address as part of PXE boot), it starts responding with "no
> addresses available".
> 
> The problem I'm hitting is that the IAID and the ClientID in the
> dhcp request changes during the process, - the IAID being used in
> PXE generated by the OVMF UEFI firmware is a function including a
> time based seed[1] - this chain loads(in my case) to an iPXE image
> that is using a crc of the mac address to generate the IAID[2], -
> dhclient on the OS then uses the last 4 octets of the MAC address 
> for the IAID[3]
> 
> I have similar problems with ClientID but I haven't looked into them
> in as much detail
> 
> check_address in dnsmasq/src/rfc3315.c is asserting that the IDs
> can't change, and the only way I've gotten the boot process to
> work locally is to comment out the checks in check_address
> 
> As best I can see RFC 3315 does say that the IAID MUST remain 
> consistent across restarts of the DHCP client, but then recognizes 
> that "There may be no way for a client to maintain consistency of
> the IAIDs if it does not have non-volatile storage and the
> client's hardware configuration changes"
> 
> Is there a way to allow these IDs to change? and if not should
> this check be in dnsmasq? or would a patch to optionally disable
> the check be acceptable?
> 
> thanks, Derek.
> 
> 
> [1] -
> https://github.com/tianocore/edk2/blob/418373a1cd97abc0c0e3557f7a00105291829e6f/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c#L866
> [2] - https://github.com/qemu/ipxe/blob/c34d151/src/net/udp/dhcpv6.c#L972
> [3] -
> https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=blob;f=client/dhc6.c;h=be604ac988a983b2829f76fe2bff6a5f036d8019;hb=HEAD#l1716

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

2017-02-27 Thread /dev/rob0
On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
> On 27/02/17 13:31, Chris Novakovic wrote:
> > On 27/02/17 10:04, Daniel Pocock wrote:
> >>
> >> I've observed the following problem:
> >>
> >> - dnsmasq is sending queries to 5 servers, one of them is not 
> >> recursive and only answers for a private domain
> >>
> >> - if the first response dnsmasq receives comes from the 
> >> non-recursive server (REFUSED), then dnsmasq is sending a 
> >> REFUSED response to the client
> >>
> >> - dnsmasq subsequently receives a response from one of the 
> >> recursive servers
> > 
> > This is expected behaviour. One possibility is to configure 
> > dnsmasq to forward requests to the non-recursive server only
> > for the private domain, e.g.:
> > 
> > --server=/private.domain/non.recursive.server.ip
> > 
> > and a matching --rev-server directive if appropriate.
> 
> The router is running OpenWRT, I could make that change manually 
> but then I wouldn't be able to fully manage it with the GUI any 
> more.
> 
> Can you confirm if this is the only way it can work according to 
> the DNS spec, or is it a dnsmasq design decision?

--server without the domain specified MUST be a recursive server, 
willing to resolve your queries for any names.

--server=/domain.example/ip.add.re.ss will only send queries for 
domain.example (and *.domain.example) to ip.add.re.ss.

> Could a software approach be taken by default, waiting to see
> if any resolver provides a positive response before sending
> back REFUSED to the client?

I don't see a valid use case for this.  You have a configuration 
error, by listing a non-recursive server among your upstream 
recursive servers.

Perhaps the OpenWRT people didn't know enough about dnsmasq to 
support this situation, or perhaps they didn't care.  But dnsmasq 
documentation of --server is clear enough about it.

Another problem you will have is when one of the actual upstream 
recursive servers replies for "domain.example" with incorrect data.

(Side note: simple is good; listing more recursive servers will 
generally not improve performance.  If some of the servers you're 
listing are not reliable enough, try one of the Google Public DNS 
addresses, or run your own recursive resolver.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Got bad packet: bad compression pointer

2017-02-27 Thread Simon Kelley

Can you easily test newer code? Either git-HEAD or 2.77test3 has a fix
for a bug which looks remarkably like this, and it would be good to
eliminate that before going further.


Cheers,

Simon.


On 27/02/17 14:08, Igor Lidin wrote:
> I'm observing the following problem with dnsmasq 2.76 on arm7
> platform.
> 
> Dnsmasq is responding with bad packet, but shouldn't. This is
> somehow related to DNSSEC, ial.ru is signed.
> 
> this is through local dnsmasq forwarding server:
> 
> # dig soa guardian.ial.ru @127.0.0.1
> ;; Got bad packet: bad compression pointer
> 131 bytes
> a8 45 83 80 00 01 00 01 00 01 00 01 08 67 75 61  .E...gua
> 72 64 69 61 6e 03 69 61 6c 02 72 75 00 00 06 00  rdian.ial.ru
> 01 c0 0c 00 05 00 01 00 00 0e 0f 00 10 08 67 75  ..gu
> 61 72 64 69 61 6e 02 75 6b 02 74 6f 00 c0 36 00  ardian.uk.to..6.
> 06 00 01 00 00 0e 10 00 2f 03 6e 73 31 06 61 66  /.ns1.af
> 72 61 69 64 03 6f 72 67 00 08 64 6e 73 61 64 6d  raid.org..dnsadm
> 69 6e c1 d9 65 76 95 a3 00 01 51 80 00 00 1c 20  in..evQ.
> 00 24 ea 00 00 00 0e 10 00 00 29 10 00 00 00 00  .$).
> 00 00 00 ...
> 
> this is through google dns on the same host:
> 
> # dig soa guardian.ial.ru @8.8.8.8
> 
> ; <<>> DiG 9.10.4-P5 <<>> soa guardian.ial.ru @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31031
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;guardian.ial.ru.   IN  SOA
> 
> ;; ANSWER SECTION:
> guardian.ial.ru.  12  IN  CNAME  guardian.uk.to.
> 
> ;; AUTHORITY SECTION:
> uk.to.  1666  IN  SOA  ns1.afraid.org. dnsadmin.afraid.org. 1702270369 86400 7200 2419200 3600
> 
> ;; Query time: 63 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Feb 27 14:05:09 UTC 2017
> ;; MSG SIZE  rcvd: 131
> 
> this is related info:
> 
> # dnsmasq -v
> Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6
> no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect inotify
> 
> This software comes with ABSOLUTELY NO WARRANTY.
> Dnsmasq is free software, and you are welcome to redistribute it
> under the terms of the GNU General Public License, version 2 or 3.
> 
> # uname -a
> Linux guardian 2.6.36.4brcmarm #1 SMP PREEMPT Thu Feb 2 21:42:22 CET 2017 armv7l GNU/Linux
> 
> # drill soa guardian.ial.ru
> Error: error sending query: Invalid compression pointer
> 
> # drill -v
> drill version 1.6.17 (ldns version 1.6.17)
> Written by NLnet Labs.
> 
> Copyright (c) 2004-2008 NLnet Labs.
> Licensed under the revised BSD license.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS
> FOR A PARTICULAR PURPOSE.
> 
> Best regards, Igor Lidin
> 
> 



[Dnsmasq-discuss] Network booting with stateful IPv6 addressing

2017-02-27 Thread Derek Higgins
I've recently been trying to use dnsmasq IPv6 to network boot, after a
number of hurdles the last problem I've been having is that during the
boot process (after dnsmasq initially hands out an IP address as part
of PXE boot), it starts responding with "no addresses available".

The problem I'm hitting is that the IAID and the ClientID in the dhcp
request changes during the process,
- the IAID being used in PXE generated by the OVMF UEFI firmware is a
function including a time based seed[1]
- this chain loads(in my case) to an iPXE image that is using a crc of
the mac address to generate the IAID[2],
- dhclient on the OS then uses the last 4 octets of the MAC address
for the IAID[3]

I have similar problems with ClientID but I haven't looked into them in
as much detail

check_address in dnsmasq/src/rfc3315.c is asserting that the IDs
can't change, and the only way I've gotten the boot process to work
locally is to comment out the checks in check_address

As best I can see RFC 3315 does say that the IAID MUST remain
consistent across restarts of the DHCP client, but then recognizes
that "There may be no way for a client to maintain consistency of the
IAIDs if it does not have non-volatile storage and the client's
hardware configuration changes"

Is there a way to allow these IDs to change? and if not should this
check be in dnsmasq? or would a patch to optionally disable the check
be acceptable?

thanks,
Derek.


[1] - 
https://github.com/tianocore/edk2/blob/418373a1cd97abc0c0e3557f7a00105291829e6f/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c#L866
[2] - https://github.com/qemu/ipxe/blob/c34d151/src/net/udp/dhcpv6.c#L972
[3] - 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=blob;f=client/dhc6.c;h=be604ac988a983b2829f76fe2bff6a5f036d8019;hb=HEAD#l1716



Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

2017-02-27 Thread Daniel Pocock


On 27/02/17 13:31, Chris Novakovic wrote:
> On 27/02/17 10:04, Daniel Pocock wrote:
>>
>> I've observed the following problem:
>>
>> - dnsmasq is sending queries to 5 servers, one of them is not recursive
>> and only answers for a private domain
>>
>> - if the first response dnsmasq receives comes from the non-recursive
>> server (REFUSED), then dnsmasq is sending a REFUSED response to the client
>>
>> - dnsmasq subsequently receives a response from one of the recursive servers
> 
> This is expected behaviour. One possibility is to configure dnsmasq to
> forward requests to the non-recursive server only for the private
> domain, e.g.:
> 
> --server=/private.domain/non.recursive.server.ip
> 
> and a matching --rev-server directive if appropriate.
> 

The router is running OpenWRT, I could make that change manually but
then I wouldn't be able to fully manage it with the GUI any more.

Can you confirm if this is the only way it can work according to the DNS
spec, or is it a dnsmasq design decision?

Could a software approach be taken by default, waiting to see if any
resolver provides a positive response before sending back REFUSED to the
client?

Regards,

Daniel



[Dnsmasq-discuss] Got bad packet: bad compression pointer

2017-02-27 Thread Igor Lidin
I'm observing the following problem with dnsmasq 2.76 on arm7 platform.

Dnsmasq is responding with bad packet, but shouldn't. This is somehow related to 
DNSSEC, ial.ru is signed.

this is through local dnsmasq forwarding server:

# dig soa guardian.ial.ru @127.0.0.1
;; Got bad packet: bad compression pointer
131 bytes
a8 45 83 80 00 01 00 01 00 01 00 01 08 67 75 61  .E...gua
72 64 69 61 6e 03 69 61 6c 02 72 75 00 00 06 00  rdian.ial.ru
01 c0 0c 00 05 00 01 00 00 0e 0f 00 10 08 67 75  ..gu
61 72 64 69 61 6e 02 75 6b 02 74 6f 00 c0 36 00  ardian.uk.to..6.
06 00 01 00 00 0e 10 00 2f 03 6e 73 31 06 61 66  /.ns1.af
72 61 69 64 03 6f 72 67 00 08 64 6e 73 61 64 6d  raid.org..dnsadm
69 6e c1 d9 65 76 95 a3 00 01 51 80 00 00 1c 20  in..evQ.
00 24 ea 00 00 00 0e 10 00 00 29 10 00 00 00 00  .$).
00 00 00 ...

this is through google dns on the same host:

# dig soa guardian.ial.ru @8.8.8.8

; <<>> DiG 9.10.4-P5 <<>> soa guardian.ial.ru @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31031
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;guardian.ial.ru.   IN  SOA

;; ANSWER SECTION:
guardian.ial.ru.  12  IN  CNAME  guardian.uk.to.

;; AUTHORITY SECTION:
uk.to.  1666  IN  SOA  ns1.afraid.org. dnsadmin.afraid.org. 1702270369 86400 7200 2419200 3600

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 27 14:05:09 UTC 2017
;; MSG SIZE  rcvd: 131

this is related info:

# dnsmasq -v
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 
no-Lua TFTP no-conntrack ipset Tomato-helper auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

# uname -a
Linux guardian 2.6.36.4brcmarm #1 SMP PREEMPT Thu Feb 2 21:42:22 CET 2017 
armv7l GNU/Linux

# drill soa guardian.ial.ru
Error: error sending query: Invalid compression pointer

# drill -v
drill version 1.6.17 (ldns version 1.6.17)
Written by NLnet Labs.

Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.

Best regards,
Igor Lidin




Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

2017-02-27 Thread Chris Novakovic
On 27/02/17 10:04, Daniel Pocock wrote:
> 
> I've observed the following problem:
> 
> - dnsmasq is sending queries to 5 servers, one of them is not recursive
> and only answers for a private domain
> 
> - if the first response dnsmasq receives comes from the non-recursive
> server (REFUSED), then dnsmasq is sending a REFUSED response to the client
> 
> - dnsmasq subsequently receives a response from one of the recursive servers

This is expected behaviour. One possibility is to configure dnsmasq to
forward requests to the non-recursive server only for the private
domain, e.g.:

--server=/private.domain/non.recursive.server.ip

and a matching --rev-server directive if appropriate.



[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

2017-02-27 Thread Daniel Pocock

I've observed the following problem:

- dnsmasq is sending queries to 5 servers, one of them is not recursive
and only answers for a private domain

- if the first response dnsmasq receives comes from the non-recursive
server (REFUSED), then dnsmasq is sending a REFUSED response to the client

- dnsmasq subsequently receives a response from one of the recursive servers
