date:20150601

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Kevin Benton

Let me rephrase it slightly. What is the point of dnsmasq NAKing client
responses to other servers if the clients are being programmed to ignore
the NAKs?

On the surface it looks like it's either pointless behavior on the server's
part or incorrect logic in the DHCP client. Am I missing something?

On Mon, Jun 1, 2015 at 2:58 AM, Vladislav Grishenko themi...@mail.ru
wrote:

 Hi Kevin,



  why do DHCP servers like dnsmasq generate them in the first place?

 Because it’s per dnsmasq configuration and the effects are well-described
 in the man.



 http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

 *-K, --dhcp-authoritative*

 Should be set when *dnsmasq is definitely the only DHCP server on a
 network*. For DHCPv4, it changes the behaviour from strict RFC compliance
 so that DHCP requests on unknown leases from unknown hosts are not ignored.
 This allows new hosts to get a lease without a tedious timeout under all
 circumstances. It also allows dnsmasq to rebuild its lease database without
 each client needing to reacquire a lease, if the database is lost. For
 DHCPv6 it sets the priority in replies to 255 (the maximum) instead of 0
 (the minimum).



 you definitely have multiple dhcp servers, so this option is misused under
 your circumstances, not?



 Best Regards, Vladislav Grishenko



 *From:* Kevin Benton [mailto:blak...@gmail.com]
 *Sent:* Monday, June 01, 2015 2:02 PM

 *To:* Vladislav Grishenko
 *Cc:* Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
 *Subject:* Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue



 I understand, but that eliminates the whole 'correcting rouge dhcp offers'
 part of the authoritative mode.



 If we are teaching clients to ignore NAKs from other DHCP servers, why do
 DHCP servers like dnsmasq generate them in the first place? Wouldn't it be
 logically consistent to make a change to dnsmasq to prevent it from
 generating a NAK if the client is communicating with a different server?



 Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It
 does seem like there is a lot of confusion around what authoritative
 servers should be doing.



 On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru
 wrote:

 Hi Kevin,

 Ignoring all naks – would be, but the fix is different.

 That fix ignores all naks except from the selected/requested server only,
 it’s ok.



 Best Regards, Vladislav Grishenko



 *From:* Kevin Benton [mailto:blak...@gmail.com]
 *Sent:* Wednesday, May 27, 2015 9:32 AM
 *To:* Vladislav Grishenko
 *Cc:* Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
 *Subject:* Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue



 That fix is interesting. Doesn't ignoring a NAK sort of defeat the point
 of the 'authoritative' NAKing in the first place?



 On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru
 wrote:

  On 02/02/2015 05:47 PM, Brian Haley wrote:
  
   The one thing I'm curious about is if dnsmasq is restarted while a
   VM holds a lease, how will it respond?  As someone else has
   pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
   case, and wondered why there would be a difference with dnsmasq.
   Different interpretation of an RFC?
  
  
   If by dnsmasq is restarted you mean dnsmasq is restarted and
   therefore has its lease database deleted, then the RFC says that if
   a server gets a renewal for an unknown lease, it should return
   DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
   set, when instead it quietly re-creates the lease.
  
   Yes, your assumption is correct, as --leasefile-ro is used it knows of
   no current leases, and by default get a DHCPNAK.
  
   dhcp-authoritative gives permission to dnsmasq to violate the RFC in
   a way which is useful in certain circumstances.
  
   Thanks, it does seem to do what I want with my initial testing.
 
  Hi Simon,
 
  Replying to my old thread since using --dhcp-authoritative seems to have
  introduced an issue where a DHCP client can get a NAK when using multiple
  dnsmasq servers on the same subnet (they both have the same host
  information, 1 running just to get HA).
 
  Short story is that both dnsmasq's return the same lease info, but when
 the
  client ACKs (sending to broadcast), one agent ACKs and the other agent
  NAKs.
  The tcpdump shows this better than I'm describing:
 
  https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
 
  Does that seem like normal operation to you?  Does this second dnsmasq
  assume this response is from a rogue server and NAKs since it didn't send
 out
  the offer?
 

 Hi Brian,

 Second dnsmasq assume the client request is to another server and responds
 with NAK in authoritative mode.
 The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
 check server id for anything but offer packet.
 Bug is already fixed in bb 1.23.x, see commit

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Kevin Benton

That's my opinion too (although I can see a flip side to the coin: if
clients honor NAKs from any sever, then a rogue machine could break a
local noetwork by NAKing any and all DHCPREQUESTs, effectively DoSing
the whole segment at least).

Oh definitely. DHCPNAKs are definitely not a good way to protect against
rogue DHCP servers. Packet filtering (e.g. DHCP snooping or UDP drop rules)
are much better at that. I was just pointing out that if we are teaching
clients to ignore NAKs from other servers, we might as well have the
servers stop sending NAKs in response to traffic to other servers. dhcp
authoritative in the dnsmasq case would then just mean it accepts any
renewal.

RFC 2131 says a server SHOULD send a DHCPNAK if it detects a DHCP
request for e.g. the wrong network. It also says If the client
receives a DHCPNAK message, the client restarts the configuration
process, which, while there is no MUST in it, seems to me like a
non-optional requirement to honor DHCPNAKs.

Right, so then wouldn't the referenced busy-box patch be making the client
non-compliant?
http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52e588c0



On Mon, Jun 1, 2015 at 2:51 AM, Albert ARIBAUD albert.arib...@free.fr
wrote:

 Hi Kevin,

 Le Mon, 1 Jun 2015 02:02:27 -0700, Kevin Benton blak...@gmail.com a
 écrit :

  I understand, but that eliminates the whole 'correcting rouge dhcp
 offers'
  part of the authoritative mode.
 
  If we are teaching clients to ignore NAKs from other DHCP servers, why do
  DHCP servers like dnsmasq generate them in the first place? Wouldn't it
 be
  logically consistent to make a change to dnsmasq to prevent it from
  generating a NAK if the client is communicating with a different server?

 That's my opinion too (although I can see a flip side to the coin: if
 clients honor NAKs from any sever, then a rogue machine could break a
 local noetwork by NAKing any and all DHCPREQUESTs, effectively DoSing
 the whole segment at least).

  Is the client behavior regarding NAKs outlined in one of the DHCP RFCs?
 It
  does seem like there is a lot of confusion around what authoritative
  servers should be doing.

 RFC 2131 says a server SHOULD send a DHCPNAK if it detects a DHCP
 request for e.g. the wrong network. It also says If the client
 receives a DHCPNAK message, the client restarts the configuration
 process, which, while there is no MUST in it, seems to me like a
 non-optional requirement to honor DHCPNAKs.

  On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru
  wrote:
 
   Hi Kevin,
  
   Ignoring all naks – would be, but the fix is different.
  
   That fix ignores all naks except from the selected/requested server
 only,
   it’s ok.
  
  
  
   Best Regards, Vladislav Grishenko
  
  
  
   *From:* Kevin Benton [mailto:blak...@gmail.com]
   *Sent:* Wednesday, May 27, 2015 9:32 AM
   *To:* Vladislav Grishenko
   *Cc:* Brian Haley; Simon Kelley;
 dnsmasq-discuss@lists.thekelleys.org.uk
   *Subject:* Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue
  
  
  
   That fix is interesting. Doesn't ignoring a NAK sort of defeat the
 point
   of the 'authoritative' NAKing in the first place?
  
  
  
   On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru
 
   wrote:
  
On 02/02/2015 05:47 PM, Brian Haley wrote:

 The one thing I'm curious about is if dnsmasq is restarted while
 a
 VM holds a lease, how will it respond?  As someone else has
 pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
 case, and wondered why there would be a difference with dnsmasq.
 Different interpretation of an RFC?


 If by dnsmasq is restarted you mean dnsmasq is restarted and
 therefore has its lease database deleted, then the RFC says that
 if
 a server gets a renewal for an unknown lease, it should return
 DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
 set, when instead it quietly re-creates the lease.

 Yes, your assumption is correct, as --leasefile-ro is used it
 knows of
 no current leases, and by default get a DHCPNAK.

 dhcp-authoritative gives permission to dnsmasq to violate the RFC
 in
 a way which is useful in certain circumstances.

 Thanks, it does seem to do what I want with my initial testing.
   
Hi Simon,
   
Replying to my old thread since using --dhcp-authoritative seems to
 have
introduced an issue where a DHCP client can get a NAK when using
 multiple
dnsmasq servers on the same subnet (they both have the same host
information, 1 running just to get HA).
   
Short story is that both dnsmasq's return the same lease info, but
 when
   the
client ACKs (sending to broadcast), one agent ACKs and the other
 agent
NAKs.
The tcpdump shows this better than I'm describing:
   
https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
   
Does that seem like normal operation to you?

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Albert ARIBAUD

Hi Kevin,

Le Mon, 1 Jun 2015 02:02:27 -0700, Kevin Benton blak...@gmail.com a
écrit :

 I understand, but that eliminates the whole 'correcting rouge dhcp offers'
 part of the authoritative mode.
 
 If we are teaching clients to ignore NAKs from other DHCP servers, why do
 DHCP servers like dnsmasq generate them in the first place? Wouldn't it be
 logically consistent to make a change to dnsmasq to prevent it from
 generating a NAK if the client is communicating with a different server?

That's my opinion too (although I can see a flip side to the coin: if
clients honor NAKs from any sever, then a rogue machine could break a
local noetwork by NAKing any and all DHCPREQUESTs, effectively DoSing
the whole segment at least).

 Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It
 does seem like there is a lot of confusion around what authoritative
 servers should be doing.

RFC 2131 says a server SHOULD send a DHCPNAK if it detects a DHCP
request for e.g. the wrong network. It also says If the client
receives a DHCPNAK message, the client restarts the configuration
process, which, while there is no MUST in it, seems to me like a
non-optional requirement to honor DHCPNAKs.

 On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru
 wrote:
 
  Hi Kevin,
 
  Ignoring all naks – would be, but the fix is different.
 
  That fix ignores all naks except from the selected/requested server only,
  it’s ok.
 
 
 
  Best Regards, Vladislav Grishenko
 
 
 
  *From:* Kevin Benton [mailto:blak...@gmail.com]
  *Sent:* Wednesday, May 27, 2015 9:32 AM
  *To:* Vladislav Grishenko
  *Cc:* Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
  *Subject:* Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue
 
 
 
  That fix is interesting. Doesn't ignoring a NAK sort of defeat the point
  of the 'authoritative' NAKing in the first place?
 
 
 
  On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru
  wrote:
 
   On 02/02/2015 05:47 PM, Brian Haley wrote:
   
The one thing I'm curious about is if dnsmasq is restarted while a
VM holds a lease, how will it respond?  As someone else has
pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
case, and wondered why there would be a difference with dnsmasq.
Different interpretation of an RFC?
   
   
If by dnsmasq is restarted you mean dnsmasq is restarted and
therefore has its lease database deleted, then the RFC says that if
a server gets a renewal for an unknown lease, it should return
DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
set, when instead it quietly re-creates the lease.
   
Yes, your assumption is correct, as --leasefile-ro is used it knows of
no current leases, and by default get a DHCPNAK.
   
dhcp-authoritative gives permission to dnsmasq to violate the RFC in
a way which is useful in certain circumstances.
   
Thanks, it does seem to do what I want with my initial testing.
  
   Hi Simon,
  
   Replying to my old thread since using --dhcp-authoritative seems to have
   introduced an issue where a DHCP client can get a NAK when using multiple
   dnsmasq servers on the same subnet (they both have the same host
   information, 1 running just to get HA).
  
   Short story is that both dnsmasq's return the same lease info, but when
  the
   client ACKs (sending to broadcast), one agent ACKs and the other agent
   NAKs.
   The tcpdump shows this better than I'm describing:
  
   https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
  
   Does that seem like normal operation to you?  Does this second dnsmasq
   assume this response is from a rogue server and NAKs since it didn't send
  out
   the offer?
  
 
  Hi Brian,
 
  Second dnsmasq assume the client request is to another server and responds
  with NAK in authoritative mode.
  The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
  check server id for anything but offer packet.
  Bug is already fixed in bb 1.23.x, see commit
 
  http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52
  e588c0
 
  Best Regards, Vladislav Grishenko
 
 
 
 
  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 
 
 
 
  --
 
  Kevin Benton
 
 
 
 


Amicalement,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Kevin Benton

I understand, but that eliminates the whole 'correcting rouge dhcp offers'
part of the authoritative mode.

If we are teaching clients to ignore NAKs from other DHCP servers, why do
DHCP servers like dnsmasq generate them in the first place? Wouldn't it be
logically consistent to make a change to dnsmasq to prevent it from
generating a NAK if the client is communicating with a different server?

Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It
does seem like there is a lot of confusion around what authoritative
servers should be doing.

On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru
wrote:

 Hi Kevin,

 Ignoring all naks – would be, but the fix is different.

 That fix ignores all naks except from the selected/requested server only,
 it’s ok.



 Best Regards, Vladislav Grishenko



 *From:* Kevin Benton [mailto:blak...@gmail.com]
 *Sent:* Wednesday, May 27, 2015 9:32 AM
 *To:* Vladislav Grishenko
 *Cc:* Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
 *Subject:* Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue



 That fix is interesting. Doesn't ignoring a NAK sort of defeat the point
 of the 'authoritative' NAKing in the first place?



 On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru
 wrote:

  On 02/02/2015 05:47 PM, Brian Haley wrote:
  
   The one thing I'm curious about is if dnsmasq is restarted while a
   VM holds a lease, how will it respond?  As someone else has
   pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
   case, and wondered why there would be a difference with dnsmasq.
   Different interpretation of an RFC?
  
  
   If by dnsmasq is restarted you mean dnsmasq is restarted and
   therefore has its lease database deleted, then the RFC says that if
   a server gets a renewal for an unknown lease, it should return
   DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
   set, when instead it quietly re-creates the lease.
  
   Yes, your assumption is correct, as --leasefile-ro is used it knows of
   no current leases, and by default get a DHCPNAK.
  
   dhcp-authoritative gives permission to dnsmasq to violate the RFC in
   a way which is useful in certain circumstances.
  
   Thanks, it does seem to do what I want with my initial testing.
 
  Hi Simon,
 
  Replying to my old thread since using --dhcp-authoritative seems to have
  introduced an issue where a DHCP client can get a NAK when using multiple
  dnsmasq servers on the same subnet (they both have the same host
  information, 1 running just to get HA).
 
  Short story is that both dnsmasq's return the same lease info, but when
 the
  client ACKs (sending to broadcast), one agent ACKs and the other agent
  NAKs.
  The tcpdump shows this better than I'm describing:
 
  https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
 
  Does that seem like normal operation to you?  Does this second dnsmasq
  assume this response is from a rogue server and NAKs since it didn't send
 out
  the offer?
 

 Hi Brian,

 Second dnsmasq assume the client request is to another server and responds
 with NAK in authoritative mode.
 The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
 check server id for anything but offer packet.
 Bug is already fixed in bb 1.23.x, see commit

 http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52
 e588c0

 Best Regards, Vladislav Grishenko




 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss





 --

 Kevin Benton




-- 
Kevin Benton
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Vladislav Grishenko

Hi Kevin,

 

 why do DHCP servers like dnsmasq generate them in the first place?

Because it’s per dnsmasq configuration and the effects are well-described in 
the man. 

 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-K, --dhcp-authoritative

Should be set when dnsmasq is definitely the only DHCP server on a network. For 
DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP 
requests on unknown leases from unknown hosts are not ignored. This allows new 
hosts to get a lease without a tedious timeout under all circumstances. It also 
allows dnsmasq to rebuild its lease database without each client needing to 
reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in 
replies to 255 (the maximum) instead of 0 (the minimum).

 

you definitely have multiple dhcp servers, so this option is misused under your 
circumstances, not?

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com] 
Sent: Monday, June 01, 2015 2:02 PM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

I understand, but that eliminates the whole 'correcting rouge dhcp offers' part 
of the authoritative mode. 

 

If we are teaching clients to ignore NAKs from other DHCP servers, why do DHCP 
servers like dnsmasq generate them in the first place? Wouldn't it be logically 
consistent to make a change to dnsmasq to prevent it from generating a NAK if 
the client is communicating with a different server?

 

Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It does 
seem like there is a lot of confusion around what authoritative servers should 
be doing.

 

On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru 
mailto:themi...@mail.ru  wrote:

Hi Kevin,

Ignoring all naks – would be, but the fix is different.

That fix ignores all naks except from the selected/requested server only, it’s 
ok.

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com mailto:blak...@gmail.com ] 
Sent: Wednesday, May 27, 2015 9:32 AM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
mailto:dnsmasq-discuss@lists.thekelleys.org.uk 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

That fix is interesting. Doesn't ignoring a NAK sort of defeat the point of the 
'authoritative' NAKing in the first place?

 

On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru 
mailto:themi...@mail.ru  wrote:

 On 02/02/2015 05:47 PM, Brian Haley wrote:
 
  The one thing I'm curious about is if dnsmasq is restarted while a
  VM holds a lease, how will it respond?  As someone else has
  pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
  case, and wondered why there would be a difference with dnsmasq.
  Different interpretation of an RFC?
 
 
  If by dnsmasq is restarted you mean dnsmasq is restarted and
  therefore has its lease database deleted, then the RFC says that if
  a server gets a renewal for an unknown lease, it should return
  DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
  set, when instead it quietly re-creates the lease.
 
  Yes, your assumption is correct, as --leasefile-ro is used it knows of
  no current leases, and by default get a DHCPNAK.
 
  dhcp-authoritative gives permission to dnsmasq to violate the RFC in
  a way which is useful in certain circumstances.
 
  Thanks, it does seem to do what I want with my initial testing.

 Hi Simon,

 Replying to my old thread since using --dhcp-authoritative seems to have
 introduced an issue where a DHCP client can get a NAK when using multiple
 dnsmasq servers on the same subnet (they both have the same host
 information, 1 running just to get HA).

 Short story is that both dnsmasq's return the same lease info, but when
the
 client ACKs (sending to broadcast), one agent ACKs and the other agent
 NAKs.
 The tcpdump shows this better than I'm describing:

 https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html

 Does that seem like normal operation to you?  Does this second dnsmasq
 assume this response is from a rogue server and NAKs since it didn't send
out
 the offer?


Hi Brian,

Second dnsmasq assume the client request is to another server and responds
with NAK in authoritative mode.
The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
check server id for anything but offer packet.
Bug is already fixed in bb 1.23.x, see commit
http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52 
http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52e588c0
 
e588c0

Best Regards, Vladislav Grishenko




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk 
mailto:Dnsmasq-discuss@lists.thekelleys.org.uk

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

2015-06-01 Thread Vladislav Grishenko

 On the surface it looks like it's either pointless behavior on the server's 
 part or incorrect logic in the DHCP client. Am I missing something?

Yes, without overriding serverid to one from incoming request packet, the 
server’s nak could be pointless.

But with overriding, it’ll introduce the same naking issue even with clients 
which were checking server id and ignoring naks from non-selected servers.

 

Dnsmasq starts to nak request from selecting clients in 2.46, see the story here

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q4/002476.html

Point of busybox’s udhcpc changes is described here

https://bugs.busybox.net/show_bug.cgi?id=4267

 

As for ISC DHCP, it’s known client ignores NAK from non-selected servers in 
SELECTING state.

As for server, it allow run-time control over weither or not a server, 
participating in failover, verifies server id option.

This commit contains the old and new descriptions

https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=7116a34fc9b1fb307bcdca22e6963254289ecb80
 

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com] 
Sent: Monday, June 01, 2015 5:15 PM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

Let me rephrase it slightly. What is the point of dnsmasq NAKing client 
responses to other servers if the clients are being programmed to ignore the 
NAKs? 

 

On the surface it looks like it's either pointless behavior on the server's 
part or incorrect logic in the DHCP client. Am I missing something?

 

On Mon, Jun 1, 2015 at 2:58 AM, Vladislav Grishenko themi...@mail.ru 
mailto:themi...@mail.ru  wrote:

Hi Kevin,

ы 

 why do DHCP servers like dnsmasq generate them in the first place?

Because it’s per dnsmasq configuration and the effects are well-described in 
the man. 

 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-K, --dhcp-authoritative

Should be set when dnsmasq is definitely the only DHCP server on a network. For 
DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP 
requests on unknown leases from unknown hosts are not ignored. This allows new 
hosts to get a lease without a tedious timeout under all circumstances. It also 
allows dnsmasq to rebuild its lease database without each client needing to 
reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in 
replies to 255 (the maximum) instead of 0 (the minimum).

 

you definitely have multiple dhcp servers, so this option is misused under your 
circumstances, not?

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com mailto:blak...@gmail.com ] 
Sent: Monday, June 01, 2015 2:02 PM


To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
mailto:dnsmasq-discuss@lists.thekelleys.org.uk 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

I understand, but that eliminates the whole 'correcting rouge dhcp offers' part 
of the authoritative mode. 

 

If we are teaching clients to ignore NAKs from other DHCP servers, why do DHCP 
servers like dnsmasq generate them in the first place? Wouldn't it be logically 
consistent to make a change to dnsmasq to prevent it from generating a NAK if 
the client is communicating with a different server?

 

Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It does 
seem like there is a lot of confusion around what authoritative servers should 
be doing.

 

On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko themi...@mail.ru 
mailto:themi...@mail.ru  wrote:

Hi Kevin,

Ignoring all naks – would be, but the fix is different.

That fix ignores all naks except from the selected/requested server only, it’s 
ok.

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com mailto:blak...@gmail.com ] 
Sent: Wednesday, May 27, 2015 9:32 AM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
mailto:dnsmasq-discuss@lists.thekelleys.org.uk 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

That fix is interesting. Doesn't ignoring a NAK sort of defeat the point of the 
'authoritative' NAKing in the first place?

 

On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko themi...@mail.ru 
mailto:themi...@mail.ru  wrote:

 On 02/02/2015 05:47 PM, Brian Haley wrote:
 
  The one thing I'm curious about is if dnsmasq is restarted while a
  VM holds a lease, how will it respond?  As someone else has
  pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
  case, and wondered why there would be a difference with dnsmasq.
  Different interpretation of an RFC?
 
 
  If by dnsmasq is restarted you mean dnsmasq is restarted and
  therefore has its lease database deleted, then the RFC says that if
  a server gets a renewal for an unknown

Re: [Dnsmasq-discuss] [PATCH] fix bug of FORMERR

2015-06-01 Thread Simon Kelley

Patch applied, also cleared AA bit.


Many thanks for this.


Cheers,

Simon.

On 27/05/15 20:41, swigger wrote:
 Signed-off-by: swigger swig...@gmail.com
 
 First, sorry for my poor English, hope you can read it.
 
 My openwrt router at 192.168.1.1 runs dnsmasq.
 There are two DNS ips set automaticly by my ISP.
 
 When resolving domain names, some times I get a FormErr.
 This is unusual, so I dig this and find a bug.
 
 When a request is sent to dnsmasq, it forwards to upper DNSs,
 and then , if dns-a replys a ServFail, dnsmasq just forwards
 to dns-b with value of byte 4(base index 1) is 0x82 (HB4_RA|ServFail).
 However, for a normal request, this byte should be 0x00 .
 My ISP's dns-b checks this field and replys a FormErr.
 
 Here is a proof by tcpdump:
 11:46:54.377146 IP 121.34.145.201.21657  202.96.134.133.53: 18075+ 
 [b23=0x182] A? jp.swigger.net. (32)
 0x:  4500 003c f027 4000 4011 eeb7 7922 91c9  E...'@.@...y..
 0x0010:  ca60 8685 5499 0035 0028 fbbe 469b 0182  .`..T..5.(..F...
 0x0020:  0001    026a 7007 7377 6967  .jp.swig
 0x0030:  6765 7203 6e65 7400 0001 0001ger.net.
 11:46:54.383814 IP 202.96.134.133.53  121.34.145.201.21657: 18075 FormErr 
 0/0/0 (32)
 0x:  4500 003c  4000 3b11 e3df ca60 8685  E@.;`..
 0x0010:  7922 91c9 0035 5499 0028 7bbf 469b 8181  y...5T..({.F...
 0x0020:  0001    026a 7007 7377 6967  .jp.swig
 0x0030:  6765 7203 6e65 7400 0001 0001ger.net.
 
 
 The solution is easy, just reset this field.
 
 See the following patch.
 
 ---
  src/forward.c | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/src/forward.c b/src/forward.c
 index 74e5ab6..5e14404 100644
 --- a/src/forward.c
 +++ b/src/forward.c
 @@ -770,6 +770,7 @@ void reply_query(int fd, int family, time_t now)
 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
   {
 header-hb3 = ~(HB3_QR | HB3_TC);
 +   header-hb4 = ~(HB4_RA | HB4_RCODE);
 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
 return;
   }
 


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] format of lease database

2015-06-01 Thread Simon Kelley

On 27/05/15 05:34, Kevin Benton wrote:
 Hi,
 
 Is there a pointer to the format of the lease database somewhere? I'm
 interested in what the last column is used for. It looks like the MAC of
 the client with an extra hex pair at the front.

It's the DHCP client-id.

Cheers,

Simon.

 
 I just wanted to check if there is documentation somewhere before I did
 into the code to reverse the parsing code.
 
 
 Cheers
 
 
 
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Unseen cache limit?

2015-06-01 Thread Robert Smith

Hi,

I wonder if there is some sort of internal limit on caching?

I set cache-size=5, restarted dnsmasq and the limit 
according to the caching service is 1

# kill -10 10150; tail -n5 /var/log/messages | egrep 'cache size'
Jun  1 19:18:41 dnsmasq1 dnsmasq[10150]: cache size 1, 0/2660
cache insertions re-used unexpired cache entries.

Thanks for your attention to this matter,
Robert


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Unseen cache limit?

2015-06-01 Thread Lonnie Abelbeck

Robert,

Looking at the code there is an upper limit of 1 for --cache-size

-- src/option.c --
case 'c':  /* --cache-size */
  {
int size;

if (!atoi_check(arg, size))
  ret_err(gen_err);
else
  {
/* zero is OK, and means no caching. */

if (size  0)
  size = 0;
else if (size  1)
  size = 1;

daemon-cachesize = size;
  }
break;
  }
--

I'm sure Simon has a good reason for that upper limit.  Possibly a cache-size 
of 50,000 is beyond the design goal of dnsmasq.

Lonnie



On Jun 1, 2015, at 6:21 PM, Robert Smith twopoin...@gmail.com wrote:

 Hi,
 
 I wonder if there is some sort of internal limit on caching?
 
 I set cache-size=5, restarted dnsmasq and the limit 
 according to the caching service is 1
 
 # kill -10 10150; tail -n5 /var/log/messages | egrep 'cache size'
 Jun  1 19:18:41 dnsmasq1 dnsmasq[10150]: cache size 1, 0/2660
 cache insertions re-used unexpired cache entries.
 
 Thanks for your attention to this matter,
 Robert
 
 
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

Re: [Dnsmasq-discuss] [PATCH] fix bug of FORMERR

Re: [Dnsmasq-discuss] format of lease database

[Dnsmasq-discuss] Unseen cache limit?

Re: [Dnsmasq-discuss] Unseen cache limit?

10 matches

Site Navigation

Mail list logo

Footer information