Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges
On 03/01/2025 09:19, Nathan Mitchell wrote:

> That all said... I'd love to understand how your setup using dhcpcd differs from my setup within FreeBSD using rtsold to acquire the interface's ip. Does the usage of dhcpcd not mark the address as autoconfigured? Router advertisements aside, I feel like my big issue at the moment is getting an address, automatically, on the jail's interface that isn't considered "automatically configured", since that is the sticky point when it comes to dnsmasq's behavior regarding using a constructor in the dhcp-range command. Can you post the output of your interface's setup so I can compare it to the one I posted?

This is the section from dhcpcd.conf:

    interface ppp0
    ipv6rs
    ia_na 1
    ia_pd 2 enp3s0/0
    ia_pd 3 vlan0/0

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges
Buck,

Thanks for this break down. If I'm following you correctly, some of this information I knew already... but I guess I'm a little lost on the intent of how these various parts (DHCPv6, DNS, SLAAC, LLA vs GUA) are intended to interact in real world network setups.

By that I mean, if I was configuring a larger company intranet with IPv6, I'd expect I'd want to provide both internal (non-public) DNS for most nodes and globally accessible DNS for some others, including those that might get both. Is the intent in these setups to really not have a centralized DNS server with address/FQDN pairings? That all the internal clients simply use SLAAC and some form of DynDNS to inform the internal DNS server of their names? I mean, I can see that technically working but I also kind of hate the idea. It feels like barely controlled chaos with all the clients just doing their own thing and "centralized" services losing any of their authoritative position in the network. This is why I'm feeling kind of lost and frustrated here - I can see the value in a design that enables networks to quickly autoconfigure themselves like that, but that it's the only way to effectively do it feels very wrong.

In any event, I can try what you're suggesting, but I don't like it. It seems overly complicated to require a secondary DNS server simply to handle the records.

In my case, my router is set up to handle the RAs - configured to inform clients that both DHCP and SLAAC are available for address acquisition - precisely for supporting OSs like Android that won't use DHCPv6. That said, I'm not overly worried about these cases, as my primary concern at the moment is getting Linux machines properly addressed, which do support DHCPv6 instead of generally handling every potential node in my local network.

On Fri, Jan 3, 2025 at 1:16 AM Buck Horn via Dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk> wrote:

> On 03.01.25 05:32, Nathan Mitchell wrote:
>
> > dhcp-range=::A00:501,::A00:5FF,constructor:epair0b,64
> > (...)
> >
> > Jan 2 20:11:31 dnsmasq-dhcp[11407]: DHCPv6, IP range ::10.0.5.1 ::10.0.5.255, lease time 1h, template for epair0b
>
> Is that actual log output?
>
> That seems off somehow, showing IPv4s for a DHCPv6 range, together with a lease time of 1h, where dhcp-range would default to 1 day for IPv6.
>
> > 2) I'd like to have local DNS that contains both A and entries for the IPv4 and IPv6 addresses on the LAN network. To my understanding, this eliminates the options of running SLAAC or stateless DHCP.
> > (...)
>
> Your 2) won't happen, at least not in the way you seem to aspire.
>
> For once, LLAs (fe80::/10) are always auto-assigned, with DHCPv6 requiring clients to use their already existing LLA during DHCP server discovery (RFC 8415, section 5). And IPv6 GUAs (range 2000::/3) are public addresses, i.e. DNS entries for them can be expected to be handled by public authoritative DNS servers, administered by your ISP - typically, those names would then just be some sort of generic textual representation of IPv6 addresses.
>
> That would leave ULAs (fd00::/8), but even if your router would support those and you'd manage to hand out stateful DHCPv6 addresses and assign local names to them:
> Most modern OSs would use temporary IPv6 addresses (RFC 8981) for outbound public communications, and they'd create those in addition to DHCPv6 ones, i.e. your network's clients likely won't hardly ever opt to use their DHCPv6 assigned address.
>
> And you should be aware that IPv6 address assignment via NDP/SLAAC is probably the only option that would allow any arbitrary client to acquire an IPv6 address, as there are OSs that won't support DHCPv6 at all, Android being the prime example here.
>
> It's also worth noting that RAs are a router's job. Even if you configure your (non-router) dnsmasq instance to assign DHCPv6 addresses, it is your router that is in control of allowed address assignment options for your network, i.e. clients may end up with SLAAC as well as DHCPv6 and temporary IPv6 addresses for their routable address scopes.
>
> But there may be a way to at least partially achieve what you want:
> Does your router run a DNS server?
> If so, your router probably is your best chance for local resolution.
>
> You should be able to verify that via respective reverse lookups directed at your router, e.g.
>
>     dig -x fe80:: @
>
> where you substitute brackets with appropriate values.
>
> If that would return a hostname as expected, you could then have dnsmasq forward local domains and IPv6 reverse lookups to your router, via dnsmasq's *local* and *rev-server* options.
>
> Kind regards,
> Buck

Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges
Thanks Robert,

I don't think the setup you're describing fits my situation. In particular, if I understand things correctly, usage of the router advertisement mode isn't correct if the node in question (my intended DHCP server host) isn't a router. For my network, I have a separate router node (specifically a PFSense box) that's receiving the initial prefix delegation from the ISP and providing the LAN's RAs. While it technically *can* run a DHCPv6 server in addition to handling the RAs, I didn't want to do this for two reasons: 1) I already had a fairly detailed setup of DNS/IP assignments on my legacy IPv4 configured dnsmasq server and 2) the PFSense interface didn't make it seem very easy to set up and manage a similar configuration. So my hope was to split the responsibility (which seems within spec, as far as I can tell from reading RFC documentation) between two nodes - one, a router, handling the RAs and one, a non-router, handling the DHCP assignments.

That all said... I'd love to understand how your setup using dhcpcd differs from my setup within FreeBSD using rtsold to acquire the interface's ip. Does the usage of dhcpcd not mark the address as autoconfigured? Router advertisements aside, I feel like my big issue at the moment is getting an address, automatically, on the jail's interface that isn't considered "automatically configured", since that is the sticky point when it comes to dnsmasq's behavior regarding using a constructor in the dhcp-range command. Can you post the output of your interface's setup so I can compare it to the one I posted?

As for the ISP issue yeah. That's becoming pretty annoying. It's "static enough" I suppose, in the sense that it's not changing every few hours... but it's changing often enough that I don't really want to reconfigure stuff each time. Particularly since I've been trying to do things like host software for my friends (notably a roleplaying virtual tabletop server). In theory, having the ISP provide globally routable IPs is great - get things configured, set the IP up with my external DNS provider and all is good... only then the prefix changes a few days later and everything breaks until I go around updating things. Getting my local network under control with a potentially changing prefix is step one in wrangling this - once I can consistently reference internal addresses by internal DNS for the local firewall, I can start looking into DynDNS for my external domain updates...

-- Nathan

On Fri, Jan 3, 2025 at 12:39 AM Robert Sharp wrote:

> On 03/01/2025 04:32, Nathan Mitchell wrote:
>
> > Is there a way I can accomplish this with dnsmasq? Or am I running into a fundamental design issue with the IPv6 architecture where I'm not supposed to do this? And if so, what is the replacement for the way things worked before in IPv4 land? Because this doesn't seem too crazy to want to do in my mind.
> >
> > Thanks!
> > -- Nathan
>
> Hi Nathan,
>
> I think that I have this working fine with the following:
>
> # IPv6 stuff
> enable-ra
>
> dhcp-range=::FF,::400,constructor:enp3s0,ra-names,24h
> dhcp-range=vlan0@enp3s0,::2,::400,constructor:vlan0,ra-names,24h
>
> dhcp-host=fc:ab:13:c8:90:3e,server,[::5]
> dhcp-host=...
>
> I use dhcpcd to obtain and delegate a prefix to each interface and dnsmasq hands out addresses to the lan and vlan and resolves names for my server(s). Everything has been working fine for a long time now but it took quite a bit of fiddling to get it working.
>
> Interesting that your ISP only provides dynamic prefixes. I thought the whole point of IPv6 was to provide an address space large enough to avoid that. Perhaps they are charging more for static addresses? I have a static /48 prefix from my ISP which is just great for the 6 trillion devices on my network. But I have been careful not to hard-wire the static address into anything so it could be dynamic for all I care.
>
> Robert

Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges
On 03.01.25 05:32, Nathan Mitchell wrote:

> dhcp-range=::A00:501,::A00:5FF,constructor:epair0b,64
> (...)
>
> Jan 2 20:11:31 dnsmasq-dhcp[11407]: DHCPv6, IP range ::10.0.5.1 ::10.0.5.255, lease time 1h, template for epair0b

Is that actual log output?

That seems off somehow, showing IPv4s for a DHCPv6 range, together with a lease time of 1h, where dhcp-range would default to 1 day for IPv6.

> 2) I'd like to have local DNS that contains both A and entries for the IPv4 and IPv6 addresses on the LAN network. To my understanding, this eliminates the options of running SLAAC or stateless DHCP.
> (...)

Your 2) won't happen, at least not in the way you seem to aspire.

For once, LLAs (fe80::/10) are always auto-assigned, with DHCPv6 requiring clients to use their already existing LLA during DHCP server discovery (RFC 8415, section 5). And IPv6 GUAs (range 2000::/3) are public addresses, i.e. DNS entries for them can be expected to be handled by public authoritative DNS servers, administered by your ISP - typically, those names would then just be some sort of generic textual representation of IPv6 addresses.

That would leave ULAs (fd00::/8), but even if your router would support those and you'd manage to hand out stateful DHCPv6 addresses and assign local names to them:
Most modern OSs would use temporary IPv6 addresses (RFC 8981) for outbound public communications, and they'd create those in addition to DHCPv6 ones, i.e. your network's clients likely won't hardly ever opt to use their DHCPv6 assigned address.

And you should be aware that IPv6 address assignment via NDP/SLAAC is probably the only option that would allow any arbitrary client to acquire an IPv6 address, as there are OSs that won't support DHCPv6 at all, Android being the prime example here.

It's also worth noting that RAs are a router's job. Even if you configure your (non-router) dnsmasq instance to assign DHCPv6 addresses, it is your router that is in control of allowed address assignment options for your network, i.e. clients may end up with SLAAC as well as DHCPv6 and temporary IPv6 addresses for their routable address scopes.

But there may be a way to at least partially achieve what you want:
Does your router run a DNS server?
If so, your router probably is your best chance for local resolution.

You should be able to verify that via respective reverse lookups directed at your router, e.g.

    dig -x fe80:: @

where you substitute brackets with appropriate values.

If that would return a hostname as expected, you could then have dnsmasq forward local domains and IPv6 reverse lookups to your router, via dnsmasq's *local* and *rev-server* options.

Kind regards,
Buck

Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges
On 03/01/2025 04:32, Nathan Mitchell wrote:

> Is there a way I can accomplish this with dnsmasq? Or am I running into a fundamental design issue with the IPv6 architecture where I'm not supposed to do this? And if so, what is the replacement for the way things worked before in IPv4 land? Because this doesn't seem too crazy to want to do in my mind.
>
> Thanks!
> -- Nathan

Hi Nathan,

I think that I have this working fine with the following:

    # IPv6 stuff
    enable-ra

    dhcp-range=::FF,::400,constructor:enp3s0,ra-names,24h
    dhcp-range=vlan0@enp3s0,::2,::400,constructor:vlan0,ra-names,24h

    dhcp-host=fc:ab:13:c8:90:3e,server,[::5]
    dhcp-host=...

I use dhcpcd to obtain and delegate a prefix to each interface and dnsmasq hands out addresses to the lan and vlan and resolves names for my server(s). Everything has been working fine for a long time now but it took quite a bit of fiddling to get it working.

Interesting that your ISP only provides dynamic prefixes. I thought the whole point of IPv6 was to provide an address space large enough to avoid that. Perhaps they are charging more for static addresses? I have a static /48 prefix from my ISP which is just great for the 6 trillion devices on my network. But I have been careful not to hard-wire the static address into anything so it could be dynamic for all I care.

Robert
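
The address arithmetic behind the constructor ranges quoted in this thread, as an added example that is not part of any message and is not dnsmasq's code: it combines a range template with whatever prefix is currently on the interface, and renders a bare template in the dotted form that inet_ntop(3) uses when only the low 32 bits are set. The function names are made up for this illustration and the 2001:db8:: prefixes are documentation placeholders.

```python
import ipaddress

def construct_range(template_start, template_end, iface_addr, prefix_len=64):
    """Combine a dhcp-range template (host bits only) with an interface prefix.

    Illustrates what a constructor: range resolves to; not dnsmasq's code.
    """
    net = ipaddress.IPv6Interface(f"{iface_addr}/{prefix_len}").network
    lo = int(ipaddress.IPv6Address(template_start))
    hi = int(ipaddress.IPv6Address(template_end))
    # This example's own sanity checks (an assumption, not dnsmasq behaviour):
    # the template may only set host bits and must be ordered.
    if (lo | hi) & ~int(net.hostmask):
        raise ValueError("template sets bits inside the prefix")
    if lo > hi:
        raise ValueError("range start is above range end")
    base = int(net.network_address)
    return (str(ipaddress.IPv6Address(base | lo)),
            str(ipaddress.IPv6Address(base | hi)))

def mixed_notation(addr):
    """Render addr as '::a.b.c.d' when the top 96 bits are zero.

    Limited to values with a non-zero third octet pair (bits 16-31), the
    case that C library inet_ntop implementations agree on; anything else
    is returned in plain compressed form.
    """
    value = int(ipaddress.IPv6Address(addr))
    if value >> 32 == 0 and value >> 16 != 0:
        return "::" + str(ipaddress.IPv4Address(value))
    return str(ipaddress.IPv6Address(value))

if __name__ == "__main__":
    # Constructed sample interface addresses: the same template follows the
    # prefix when the delegation changes.
    for iface in ("2001:db8:1234:5::1", "2001:db8:abcd:5::1"):
        print(iface, "->", construct_range("::A00:501", "::A00:5FF", iface))
    # The template from the thread, before any prefix has been applied.
    print(mixed_notation("::A00:501"), mixed_notation("::A00:5FF"))
```
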