Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges

2025-01-03 Thread Robert Sharp


On 03/01/2025 09:19, Nathan Mitchell wrote:
> That all said... I'd love to understand how your setup using dhcpcd
> differs from my setup within FreeBSD using rtsold to acquire the
> interface's ip. Does the usage of dhcpcd not mark the address as
> autoconfigured? Router advertisements aside, I feel like my big issue
> at the moment is getting an address, automatically, on the jail's
> interface that isn't considered "automatically configured", since that
> is the sticky point when it comes to dnsmasq's behavior regarding
> using a constructor in the dhcp-range command. Can you post the output
> of your interface's setup so I can compare it to the one I posted?



This is the section from dhcpcd.conf:

interface ppp0
    ipv6rs
    ia_na 1
    ia_pd 2 enp3s0/0
    ia_pd 3 vlan0/0



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges

2025-01-03 Thread Nathan Mitchell
Buck,

Thanks for this breakdown. If I'm following you correctly, some of this
information I knew already... but I guess I'm a little lost on the intent
of how these various parts (DHCPv6, DNS, SLAAC, LLA vs GUA) are intended to
interact in real world network setups. By that I mean, if I was configuring
a larger company intranet with IPv6, I'd expect I'd want to provide both
internal (non-public) DNS for most nodes and globally accessible DNS for
some others, including those that might get both.

Is the intent in these setups to really not have a centralized DNS server
with address/FQDN pairings? That all the internal clients simply use SLAAC
and some form of DynDNS to inform the internal DNS server of their names? I
mean, I can see that technically working but I also kind of hate the idea.
It feels like barely controlled chaos with all the clients just doing their
own thing and "centralized" services losing any of their authoritative
position in the network. This is why I'm feeling kind of lost and
frustrated here - I can see the value in a design that enables networks to
quickly autoconfigure themselves like that, but that it's the only way to
effectively do it feels very wrong.

In any event, I can try what you're suggesting, but I don't like it. It
seems overly complicated to require a secondary DNS server simply to handle
the AAAA records.

In my case, my router is set up to handle the RAs - configured to inform
clients that both DHCP and SLAAC are available for address acquisition -
precisely for supporting OSs like Android that won't use DHCPv6. That said,
I'm not overly worried about these cases, as my primary concern at the
moment is getting Linux machines properly addressed, which do support
DHCPv6 instead of generally handling every potential node in my local
network.

On Fri, Jan 3, 2025 at 1:16 AM Buck Horn via Dnsmasq-discuss <
dnsmasq-discuss@lists.thekelleys.org.uk> wrote:

> On 03.01.25 05:32, Nathan Mitchell wrote:
> > > dhcp-range=::A00:501,::A00:5FF,constructor:epair0b,64
> > (...)
> >
> > > Jan  2 20:11:31 dnsmasq-dhcp[11407]: DHCPv6, IP range ::10.0.5.1
> ::10.0.5.255, lease time 1h, template for epair0b
>
>
> Is that actual log output?
>
> That seems off somehow, showing IPv4s for a DHCPv6 range, together with
> a lease time of 1h, where dhcp-range would default to 1 day for IPv6.
>
>
> > 2) I'd like to have local DNS that contains both A and AAAA entries for
> the
> > IPv4 and IPv6 addresses on the LAN network. To my understanding, this
> > eliminates the options of running SLAAC or stateless DHCP.
> > (...)
>
>
> Your 2) won't happen, at least not in the way you seem to aspire.
>
> For one, LLAs (fe80::/10) are always auto-assigned, with DHCPv6
> requiring clients to use their already existing LLA during DHCP server
> discovery (RFC 8415, section 5). And IPv6 GUAs (range 2000::/3) are
> public addresses, i.e. DNS entries for them can be expected to be
> handled by public authoritative DNS servers, administered by your ISP -
> typically, those names would then just be some sort of generic textual
> representation of IPv6 addresses.
>
> That would leave ULAs (fd00::/8), but even if your router would support
> those and you'd manage to hand out stateful DHCPv6 addresses and assign
> local names to them:
> Most modern OSs would use temporary IPv6 addresses (RFC 8981) for
> outbound public communications, and they'd create those in addition to
> DHCPv6 ones, i.e. your network's clients likely will hardly ever opt to
> use their DHCPv6 assigned address.
>
> And you should be aware that IPv6 address assignment via NDP/SLAAC is
> probably the only option that would allow any arbitrary client to
> acquire an IPv6 address, as there are OSs that won't support DHCPv6 at
> all, Android being the prime example here.
>
> It's also worth noting that RAs are a router's job. Even if you
> configure your (non-router) dnsmasq instance to assign DHCPv6 addresses,
> it is your router that is in control of allowed address assignment
> options for your network, i.e. clients may end up with SLAAC as well as
> DHCPv6 and temporary IPv6 addresses for their routable address scopes.
>
> But there may be a way to at least partially achieve what you want:
> Does your router run a DNS server?
> If so, your router probably is your best chance for local AAAA resolution.
>
> You should be able to verify that via respective reverse lookups
> directed at your router, e.g.
>
>dig -x fe80:: @
>
> where you substitute brackets with appropriate values.
>
> If that would return a hostname as expected, you could then have dnsmasq
> forward local domains and IPv6 reverse lookups to your router, via
> dnsmasq's *local* and *rev-server* options.
>
>
> Kind regards,
>  Buck
>
>
>

Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges

2025-01-03 Thread Nathan Mitchell
Thanks Robert,

I don't think the setup you're describing fits my situation. In particular,
if I understand things correctly, usage of the router advertisement mode
isn't correct if the node in question (my intended DHCP server host) isn't
a router. For my network, I have a separate router node (specifically a
PFSense box) that's receiving the initial prefix delegation from the ISP
and providing the LAN's RAs. While it technically *can* run a DHCPv6 server
in addition to handling the RAs, I didn't want to do this for two reasons:
1) I already had a fairly detailed setup of DNS/IP assignments on my legacy
IPv4 configured dnsmasq server and 2) the PFSense interface didn't make it
seem very easy to set up and manage a similar configuration.

So my hope was to split the responsibility (which seems within spec, as far
as I can tell from reading RFC documentation) between two nodes - one, a
router, handling the RAs and one, a non-router, handling the DHCP
assignments.

That all said... I'd love to understand how your setup using dhcpcd differs
from my setup within FreeBSD using rtsold to acquire the interface's ip.
Does the usage of dhcpcd not mark the address as autoconfigured? Router
advertisements aside, I feel like my big issue at the moment is getting an
address, automatically, on the jail's interface that isn't considered
"automatically configured", since that is the sticky point when it comes to
dnsmasq's behavior regarding using a constructor in the dhcp-range command.
Can you post the output of your interface's setup so I can compare it to
the one I posted?

As for the ISP issue, yeah. That's becoming pretty annoying. It's
"static enough" I suppose, in the sense that it's not changing every few
hours... but it's changing often enough that I don't really want to
reconfigure stuff each time. Particularly since I've been trying to do
things like host software for my friends (notably a roleplaying virtual
tabletop server). In theory, having the ISP provide globally routable IPs
is great - get things configured, set the IP up with my external DNS
provider and all is good... only then the prefix changes a few days later
and everything breaks until I go around updating things. Getting my local
network under control with a potentially changing prefix is step one in
wrangling this - once I can consistently reference internal addresses by
internal DNS for the local firewall, I can start looking into DynDNS for my
external domain updates...

 -- Nathan

On Fri, Jan 3, 2025 at 12:39 AM Robert Sharp wrote:

>
> On 03/01/2025 04:32, Nathan Mitchell wrote:
> > Is there a way I can accomplish this with dnsmasq? Or am I running
> > into a fundamental design issue with the IPv6 architecture where I'm
> > not supposed to do this? And if so, what is the replacement for the
> > way things worked before in IPv4 land? Because this doesn't seem too
> > crazy to want to do in my mind.
> >
> > Thanks!
> >-- Nathan
>
> Hi Nathan,
>
> I think that I have this working fine with the following:
>
> # IPv6 stuff
> enable-ra
>
> dhcp-range=::FF,::400,constructor:enp3s0,ra-names,24h
> dhcp-range=vlan0@enp3s0,::2,::400,constructor:vlan0,ra-names,24h
>
> dhcp-host=fc:ab:13:c8:90:3e,server,[::5]
> dhcp-host=...
>
> I use dhcpcd to obtain and delegate a prefix to each interface and
> dnsmasq hands out addresses to the lan and vlan and resolves names for
> my server(s). Everything has been working fine for a long time now but
> it took quite a bit of fiddling to get it working.
>
> Interesting that your ISP only provides dynamic prefixes. I thought the
> whole point of IPv6 was to provide an address space large enough to
> avoid that. Perhaps they are charging more for static addresses? I have
> a static /48 prefix from my ISP which is just great for the 6 trillion
> devices on my network. But I have been careful not to hard-wire the
> static address into anything so it could be dynamic for all I care.
>
> Robert
>
>


Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges

2025-01-03 Thread Buck Horn via Dnsmasq-discuss

On 03.01.25 05:32, Nathan Mitchell wrote:

> dhcp-range=::A00:501,::A00:5FF,constructor:epair0b,64
> (...)
>
> Jan  2 20:11:31 dnsmasq-dhcp[11407]: DHCPv6, IP range ::10.0.5.1
> ::10.0.5.255, lease time 1h, template for epair0b

Is that actual log output?

That seems off somehow, showing IPv4s for a DHCPv6 range, together with
a lease time of 1h, where dhcp-range would default to 1 day for IPv6.

> 2) I'd like to have local DNS that contains both A and AAAA entries for the
> IPv4 and IPv6 addresses on the LAN network. To my understanding, this
> eliminates the options of running SLAAC or stateless DHCP.
> (...)



Your 2) won't happen, at least not in the way you seem to aspire.

For one, LLAs (fe80::/10) are always auto-assigned, with DHCPv6
requiring clients to use their already existing LLA during DHCP server
discovery (RFC 8415, section 5). And IPv6 GUAs (range 2000::/3) are
public addresses, i.e. DNS entries for them can be expected to be
handled by public authoritative DNS servers, administered by your ISP -
typically, those names would then just be some sort of generic textual
representation of IPv6 addresses.

That would leave ULAs (fd00::/8), but even if your router would support
those and you'd manage to hand out stateful DHCPv6 addresses and assign
local names to them:
Most modern OSs would use temporary IPv6 addresses (RFC 8981) for
outbound public communications, and they'd create those in addition to
DHCPv6 ones, i.e. your network's clients likely will hardly ever opt to
use their DHCPv6 assigned address.

And you should be aware that IPv6 address assignment via NDP/SLAAC is
probably the only option that would allow any arbitrary client to
acquire an IPv6 address, as there are OSs that won't support DHCPv6 at
all, Android being the prime example here.

It's also worth noting that RAs are a router's job. Even if you
configure your (non-router) dnsmasq instance to assign DHCPv6 addresses,
it is your router that is in control of allowed address assignment
options for your network, i.e. clients may end up with SLAAC as well as
DHCPv6 and temporary IPv6 addresses for their routable address scopes.

But there may be a way to at least partially achieve what you want:
Does your router run a DNS server?
If so, your router probably is your best chance for local AAAA resolution.

You should be able to verify that via respective reverse lookups
directed at your router, e.g.

  dig -x fe80:: @

where you substitute brackets with appropriate values.

If that would return a hostname as expected, you could then have dnsmasq
forward local domains and IPv6 reverse lookups to your router, via
dnsmasq's *local* and *rev-server* options.


Kind regards,
    Buck
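An added example, not code from the thread or from dnsmasq itself, that works through two points raised above in Python: how a constructor: range is built from the delegated /64 (a made-up 2001:db8:1234:5::/64 here) plus the template's host bits, and why the template ::A00:501 shows in the log as ::10.0.5.1 (inet_ntop() prints an address whose top 96 bits are zero in RFC 4291 IPv4-compatible dotted form, so that log line is genuine rather than IPv4 leaking into the IPv6 range). It also derives the ip6.arpa zone that a rev-server= forward for the prefix would cover.

```python
import ipaddress

# Constructed inputs for the demonstration: a /64 the router might have
# delegated to epair0b (made up here), plus the template from the thread.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5::/64")
TEMPLATE_START = "::A00:501"
TEMPLATE_END = "::A00:5FF"


def construct_range(prefix, start, end):
    """Combine a /64 prefix with the host bits of a dhcp-range template,
    as dnsmasq's constructor: option does: top 64 bits from an address on
    the named interface, low 64 bits from the range's start and end."""
    if prefix.prefixlen != 64:
        raise ValueError("constructor ranges need a /64 prefix")
    host_mask = (1 << 64) - 1
    base = int(prefix.network_address)
    lo = base | (int(ipaddress.IPv6Address(start)) & host_mask)
    hi = base | (int(ipaddress.IPv6Address(end)) & host_mask)
    return ipaddress.IPv6Address(lo), ipaddress.IPv6Address(hi)


def ipv4_compatible_text(addr):
    """Render an address the way inet_ntop() does when its top 96 bits are
    zero: RFC 4291 IPv4-compatible form ::a.b.c.d (glibc and BSD libc skip
    this when the 7th 16-bit word is also zero, as for :: and ::1). That is
    why the template ::A00:501 shows in dnsmasq's log as ::10.0.5.1."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 32 != 0 or value < 0x10000:
        return str(ipaddress.IPv6Address(addr))
    octets = ((value >> shift) & 0xFF for shift in (24, 16, 8, 0))
    return "::" + ".".join(str(o) for o in octets)


def reverse_zone(prefix):
    """ip6.arpa name of a /64, i.e. what a rev-server= line for it covers."""
    nibbles = format(int(prefix.network_address) >> 64, "016x")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    first, last = construct_range(DELEGATED_PREFIX, TEMPLATE_START, TEMPLATE_END)
    print(f"constructed range: {first} - {last}")
    print(f"template as logged: {ipv4_compatible_text(TEMPLATE_START)}")
    print(f"reverse zone for rev-server: {reverse_zone(DELEGATED_PREFIX)}")
```

Swap DELEGATED_PREFIX for the /64 actually present on the jail's interface to see the range dnsmasq would construct from it.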





Re: [Dnsmasq-discuss] Trying to work out correct configuration for dynamic prefix delegation and constructed ranges

2025-01-03 Thread Robert Sharp


On 03/01/2025 04:32, Nathan Mitchell wrote:
> Is there a way I can accomplish this with dnsmasq? Or am I running
> into a fundamental design issue with the IPv6 architecture where I'm
> not supposed to do this? And if so, what is the replacement for the
> way things worked before in IPv4 land? Because this doesn't seem too
> crazy to want to do in my mind.
>
> Thanks!
>    -- Nathan


Hi Nathan,

I think that I have this working fine with the following:

# IPv6 stuff
enable-ra

dhcp-range=::FF,::400,constructor:enp3s0,ra-names,24h
dhcp-range=vlan0@enp3s0,::2,::400,constructor:vlan0,ra-names,24h

dhcp-host=fc:ab:13:c8:90:3e,server,[::5]
dhcp-host=...

I use dhcpcd to obtain and delegate a prefix to each interface and 
dnsmasq hands out addresses to the lan and vlan and resolves names for 
my server(s). Everything has been working fine for a long time now but 
it took quite a bit of fiddling to get it working.


Interesting that your ISP only provides dynamic prefixes. I thought the 
whole point of IPv6 was to provide an address space large enough to 
avoid that. Perhaps they are charging more for static addresses? I have 
a static /48 prefix from my ISP which is just great for the 6 trillion 
devices on my network. But I have been careful not to hard-wire the 
static address into anything so it could be dynamic for all I care.


Robert

