Re: [Dnsmasq-discuss] make synth-domain an authoritative response

2018-03-15 Thread Markus Hartung

On 2018-03-15 17:14, Simon Kelley wrote:

Is it a bug if it fulfils the specification? :-)
The section of the man page on AUTHORITATIVE CONFIGURATION lists all the
sources of data for an auth zone, and it doesn't include synth-domain.
So there's no bug :)

The main reason that synth-domain is not included is that it makes doing
domain-transfer difficult. That sends every record in the domain to a
secondary server, and synth-domain would rapidly balloon into a LOT of
records (especially in IPv6-land).

Cheers,

Simon.


I see. It seems I have missed that part in the documentation. Didn't
think of domain-transfers, but I guess you're right that it won't be
possible to have IPv6 and synth-domain transferred.


So I agree it's not a bug ;)

I guess I have to live with the fact that the reverse-DNS name will be unknown
when doing, for example, a "last -da" on a remote system that you have
connected to.


One option would be to allow reverse lookups to get the synth-domain
name but not make it forward-lookupable, so we won't get the issue
with having hostnames that we can't zone-transfer.


When connecting to my local server from my phone I always get this
reverse hostname for my IPv6 address on the cell network,
"m-ipv6.cust.tele2.se", so I guess it's "allowed" for an IP to resolve to
a hostname and have that hostname resolve to NXDOMAIN.


But then again I won't lose any sleep over this, because my
IPv6 addresses resolve properly locally on my network, since queries
from the LAN get the non-authoritative response.


Keep up the good work!

BR,
Harre

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] make synth-domain an authoritative response

2018-03-15 Thread Simon Kelley
On 11/03/18 02:43, Markus Hartung wrote:
> I have dug a little more and I can't think of this behaviour as
> anything other than a bug.
> 
> I have made a simple config now to reproduce the bug:
> 
> Start server with this command:
> 
> dnsmasq -p 1153 --synth-domain=hartmark.se,2001:db8::/64,dynamic- \
>   --auth-server=ns1.hartmark.se,192.168.1.1 \
>   --auth-zone=hartmark.se,192.168.1.1,2001:db8::/64 \
>   --auth-soa=,hostmaster.hartmark.se,1200,180,1209600 \
>   --host-record=foo.hartmark.se,2001:db8::f00 -d --bind-dynamic
> 
> Replace 192.168.1.1 with your local ip.
> 
> Run these digs:
> 
> 1. dig -p 1153 -x 2001:db8::f00
> 
> 2. dig -p 1153 -x 2001:db8::f00 @192.168.1.1
> 
> 3. dig -p 1153 -x 2001:db8::d00
> 
> 4. dig -p 1153 -x 2001:db8::d00 @192.168.1.1
> 
> 
> dig 1 and 2 both return foo.hartmark.se as response. 1 is using
> localhost (127.0.0.1 or ::1) and that is part of neither auth-server
> nor auth-zone.
> 
> dig 3 returns dynamic-2001-db8--d00.hartmark.se
> 
> dig 4 returns NXDOMAIN
> 
> 
> Have I misunderstood something? From my understanding it seems dnsmasq
> doesn't check synth-domain when responding to requests where dnsmasq is
> authoritative.
> 
>

Is it a bug if it fulfils the specification? :-)

The section of the man page on AUTHORITATIVE CONFIGURATION lists all the
sources of data for an auth zone, and it doesn't include synth-domain.
So there's no bug :)

The main reason that synth-domain is not included is that it makes doing
domain-transfer difficult. That sends every record in the domain to a
secondary server, and synth-domain would rapidly balloon into a LOT of
records (especially in IPv6-land).

Cheers,

Simon.






Re: [Dnsmasq-discuss] make synth-domain an authoritative response

2018-03-10 Thread Markus Hartung
I have dug a little more and I can't think of this behaviour as
anything other than a bug.


I have made a simple config now to reproduce the bug:

Start server with this command:

dnsmasq -p 1153 --synth-domain=hartmark.se,2001:db8::/64,dynamic- \
  --auth-server=ns1.hartmark.se,192.168.1.1 \
  --auth-zone=hartmark.se,192.168.1.1,2001:db8::/64 \
  --auth-soa=,hostmaster.hartmark.se,1200,180,1209600 \
  --host-record=foo.hartmark.se,2001:db8::f00 -d --bind-dynamic

Replace 192.168.1.1 with your local ip.

Run these digs:

1. dig -p 1153 -x 2001:db8::f00

2. dig -p 1153 -x 2001:db8::f00 @192.168.1.1

3. dig -p 1153 -x 2001:db8::d00

4. dig -p 1153 -x 2001:db8::d00 @192.168.1.1


dig 1 and 2 both return foo.hartmark.se as response. 1 is using
localhost (127.0.0.1 or ::1) and that is part of neither auth-server
nor auth-zone.


dig 3 returns dynamic-2001-db8--d00.hartmark.se

dig 4 returns NXDOMAIN


Have I misunderstood something? From my understanding it seems dnsmasq
doesn't check synth-domain when responding to requests where dnsmasq is
authoritative.




Kind regards,

Markus
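The four dig checks above, modelled offline as an added example that is not dnsmasq's own code: it builds the ip6.arpa name that dig -x sends, the synth-domain name in the form the thread shows (label prefix plus the compressed address with ':' replaced by '-'), and the answer each query gets depending on whether it arrived on an auth-server address, following Simon's explanation that the auth zone's data sources do not include synth-domain. The config values mirror the reproduction; the function names and the `answer_ptr` model are my own assumptions.

```python
import ipaddress

# Constructed config, mirroring the reproduction command in the thread:
#   synth-domain=hartmark.se,2001:db8::/64,dynamic-
#   auth-server=ns1.hartmark.se,192.168.1.1
#   auth-zone=hartmark.se,192.168.1.1,2001:db8::/64
#   host-record=foo.hartmark.se,2001:db8::f00
SYNTH_DOMAIN = "hartmark.se"
SYNTH_PREFIX = ipaddress.ip_network("2001:db8::/64")
SYNTH_LABEL_PREFIX = "dynamic-"
HOST_RECORDS = {ipaddress.ip_address("2001:db8::f00"): "foo.hartmark.se"}
AUTH_SERVER_ADDRS = {ipaddress.ip_address("192.168.1.1")}


def ptr_name(addr):
    """Reverse-map name that `dig -x` sends (nibble-reversed, ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def synth_name(addr):
    """Synth-domain name for an address inside the configured prefix, or None.

    Form seen in the thread: dynamic-2001-db8--d00.hartmark.se, i.e. the
    label prefix followed by the compressed address with ':' -> '-'.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in SYNTH_PREFIX:
        return None
    return f"{SYNTH_LABEL_PREFIX}{ip.compressed.replace(':', '-')}.{SYNTH_DOMAIN}"


def answer_ptr(addr, server_addr):
    """Model of the PTR answer for a query arriving at server_addr (assumed model).

    host-record data is served on any address. On an auth-server address only
    the authoritative zone is consulted, and synth-domain is not one of its
    sources, so an address without a host-record gets NXDOMAIN there.
    """
    ip = ipaddress.ip_address(addr)
    if ip in HOST_RECORDS:
        return HOST_RECORDS[ip]
    if ipaddress.ip_address(server_addr) in AUTH_SERVER_ADDRS:
        return "NXDOMAIN"
    return synth_name(ip) or "NXDOMAIN"


def reproduce():
    """The four digs from the thread: (address, server) -> modelled answer."""
    cases = [("2001:db8::f00", "127.0.0.1"), ("2001:db8::f00", "192.168.1.1"),
             ("2001:db8::d00", "127.0.0.1"), ("2001:db8::d00", "192.168.1.1")]
    return [answer_ptr(a, s) for a, s in cases]
```

Comparing `answer_ptr(addr, "127.0.0.1")` with `answer_ptr(addr, auth_addr)` for each address in a prefix is a quick way to list which reverse names exist only on the non-authoritative side.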




[Dnsmasq-discuss] make synth-domain an authoritative response

2018-03-04 Thread Markus Hartung

Hello guys,

I have my own domain and have a Hurricane Electric ipv6 block.

I get working reverse-lookups for my hosts that dnsmasq knows about. 
DHCP, RA, hard-coded etc.


However, I want non-existing hosts to get a generated hostname using the
synth-domain option.
The reason is that I want to have working hostnames for the temporary
IPv6 addresses my hosts use.


I'm using this config:
synth-domain=hartmark.se,2001:470:28:6ac::/64,dynamic-

And a lookup on an IPv6 address using localhost gives me this response:

==
$ dig -x 2001:470:28:6ac:a634:d9ff:fe7e:6c5a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 2001:470:28:6ac:a634:d9ff:fe7e:6c5a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27613
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.5.c.6.e.7.e.f.f.f.9.d.4.3.6.a.c.a.6.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 
IN PTR


;; ANSWER SECTION:
a.5.c.6.e.7.e.f.f.f.9.d.4.3.6.a.c.a.6.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 
300 IN PTR dynamic-2001-470-28-6ac-a634-d9ff-fe7e-6c5a.hartmark.se.


;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 04 23:05:20 CET 2018
;; MSG SIZE  rcvd: 170
==

As you can see I get the expected dynamic-xxx.hartmark.se hostname.

And if I ask on my DNS server's IPv4 address I get the same result; however,
if I ask on my IPv6 address I get this result:

==
dig -x 2001:470:28:6ac:a634:d9ff:fe7e:6c5a @ns1.hartmark.se

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 2001:470:28:6ac:a634:d9ff:fe7e:6c5a 
@ns1.hartmark.se

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58272
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.5.c.6.e.7.e.f.f.f.9.d.4.3.6.a.c.a.6.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 
IN PTR


;; AUTHORITY SECTION:
c.a.6.0.8.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 300 IN SOA ns1.hartmark.se. 
hostmaster.hartmark.se. 1520127368 1200 180 1209600 300


;; Query time: 0 msec
;; SERVER: 2001:470:28:6ac::2#53(2001:470:28:6ac::2)
;; WHEN: Sun Mar 04 23:14:50 CET 2018
;; MSG SIZE  rcvd: 214
==

I'm no DNS ninja, but it seems the IPv6 response is NXDOMAIN and the IPv4
response has NOERROR. The curious thing is that they are both flagged
with aa (/AA/ = Authoritative Answer).


dnsmasq for IPv4 and IPv6 is the same process on the machine:

tcp    0  0 0.0.0.0:53   0.0.0.0:*   LISTEN   18236/dnsmasq
tcp6   0  0 :::53        :::*        LISTEN   18236/dnsmasq
udp    0  0 0.0.0.0:53   0.0.0.0:*            18236/dnsmasq
udp6   0  0 :::53        :::*                 18236/dnsmasq

Is there anything I have missed?
ns1.hartmark.se is the delegated authority for the /64 from Hurricane 
Electric.


$ dnsmasq -version
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua 
TFTP conntrack ipset auth DNSSEC loop-detect inotify


Running on Ubuntu 17.10.

BR,
/ Harre