Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
On Fri, May 17, 2019 at 2:13 PM Stuart Henderson wrote:
> On 2019/05/16 23:37, Rachel Roch wrote:
> > > RFC3513 says this:
> > >
> > >   o An anycast address must not be used as the source address of
> > >     an IPv6 packet.
> > >
> > >   o An anycast address must not be assigned to an IPv6 host, that
> > >     is, it may be assigned to an IPv6 router only.
> > >
> > > And to help ensure this, the kernel denies binding to an address marked
> > > with the anycast flag (see netinet6/in6_pcb.c).
> > >
> > > This was obsoleted by RFC4291, including this change:
> > >
> > >   o The restrictions on using IPv6 anycast addresses were removed because
> > >     there is now sufficient experience with the use of anycast addresses,
> > >     the issues are not specific to IPv6, and the GROW working group is
> > >     working in this area.
> > >
> > > So I think this restriction can now be removed, at least with this
> > > change, but more might be needed
> >
> > Certainly in my case the current OpenBSD situation represents a bit too
> > much "nanny knows best".
>
> No, it represents "following the (old) RFCs".

patches welcome, indeed the openbsd behaviour is adhering to now-outdated
standards.

> > My use-case is anycast DNS with NSD and Unbound.
> >
> > Both NSD and unbound provide config parameters that allow distinguishing
> > between listen address and source address.
> >
> > But then again, is there any real reason to use the anycast flag ? To make
> > NSD and unbound work I reconfigured to remove the anycast flag from IPv6
> > addresses and nothing seems broken ?
>
> If you are doing a typical "internet anycast services" setup with some
> routing protocol announcing the anycasted address then I don't see a use
> for the flag, AFAICT it was mostly in conjunction with using an anycast
> address for a local router, it feels like the usual IPv6 overengineering
> to me..

Overengineering or not, there is no reason to disallow binding to
interfaces which have the ANYCAST flag set.

Kind regards,

Job
Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
To chime in here, how I have always implemented Anycast DNS is by creating
additional Loopback adapters in the OS, and then using BGP or OSPF to
distribute said Loopback IPs into a routing table. Each DNS server
participating in Anycast would have the same IPv4 and IPv6 address
configured on that loopback adapter.

e.g:

/etc/hostname.lo1:

    inet 192.0.2.53/32
    inet6 2001:db8:dead:beef::53/128

/etc/ospfd.conf and /etc/ospf6d.conf:

    router-id 192.0.2.53
    fib-update no
    stub router yes
    auth-type crypt
    auth-md 1 "mysecretkey"
    auth-md-keyid 1
    area 0.0.0.0 {
            interface em0
            interface lo1 {
                    passive
            }
    }

Aside from that, I also believe that if you are going by the old RFCs the
"0" address is reserved as the anycast, so you would have to use
2001:db8:dead:beef::/128 in that case.

On Fri, May 17, 2019 at 8:21 AM Stuart Henderson wrote:
>
> On 2019/05/16 23:37, Rachel Roch wrote:
> >
> > > RFC3513 says this:
> > >
> > >   o An anycast address must not be used as the source address of
> > >     an IPv6 packet.
> > >
> > >   o An anycast address must not be assigned to an IPv6 host, that
> > >     is, it may be assigned to an IPv6 router only.
> > >
> > > And to help ensure this, the kernel denies binding to an address marked
> > > with the anycast flag (see netinet6/in6_pcb.c).
> > >
> > > This was obsoleted by RFC4291, including this change:
> > >
> > >   o The restrictions on using IPv6 anycast addresses were removed because
> > >     there is now sufficient experience with the use of anycast addresses,
> > >     the issues are not specific to IPv6, and the GROW working group is
> > >     working in this area.
> > >
> > > So I think this restriction can now be removed, at least with this
> > > change, but more might be needed
> > >
> >
> > Certainly in my case the current OpenBSD situation represents a bit too
> > much "nanny knows best".
>
> No, it represents "following the (old) RFCs".
>
> > My use-case is anycast DNS with NSD and Unbound.
> >
> > Both NSD and unbound provide config parameters that allow distinguishing
> > between listen address and source address.
> >
> > But then again, is there any real reason to use the anycast flag ? To make
> > NSD and unbound work I reconfigured to remove the anycast flag from IPv6
> > addresses and nothing seems broken ?
> >
>
> If you are doing a typical "internet anycast services" setup with some
> routing protocol announcing the anycasted address then I don't see a use
> for the flag, AFAICT it was mostly in conjunction with using an anycast
> address for a local router, it feels like the usual IPv6 overengineering
> to me..
>
Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
On 2019/05/16 23:37, Rachel Roch wrote:
>
> > RFC3513 says this:
> >
> >   o An anycast address must not be used as the source address of
> >     an IPv6 packet.
> >
> >   o An anycast address must not be assigned to an IPv6 host, that
> >     is, it may be assigned to an IPv6 router only.
> >
> > And to help ensure this, the kernel denies binding to an address marked
> > with the anycast flag (see netinet6/in6_pcb.c).
> >
> > This was obsoleted by RFC4291, including this change:
> >
> >   o The restrictions on using IPv6 anycast addresses were removed because
> >     there is now sufficient experience with the use of anycast addresses,
> >     the issues are not specific to IPv6, and the GROW working group is
> >     working in this area.
> >
> > So I think this restriction can now be removed, at least with this
> > change, but more might be needed
> >
>
> Certainly in my case the current OpenBSD situation represents a bit too much
> "nanny knows best".

No, it represents "following the (old) RFCs".

> My use-case is anycast DNS with NSD and Unbound.
>
> Both NSD and unbound provide config parameters that allow distinguishing
> between listen address and source address.
>
> But then again, is there any real reason to use the anycast flag ? To make
> NSD and unbound work I reconfigured to remove the anycast flag from IPv6
> addresses and nothing seems broken ?
>

If you are doing a typical "internet anycast services" setup with some
routing protocol announcing the anycasted address then I don't see a use
for the flag, AFAICT it was mostly in conjunction with using an anycast
address for a local router, it feels like the usual IPv6 overengineering
to me..
Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
> RFC3513 says this:
>
>   o An anycast address must not be used as the source address of
>     an IPv6 packet.
>
>   o An anycast address must not be assigned to an IPv6 host, that
>     is, it may be assigned to an IPv6 router only.
>
> And to help ensure this, the kernel denies binding to an address marked
> with the anycast flag (see netinet6/in6_pcb.c).
>
> This was obsoleted by RFC4291, including this change:
>
>   o The restrictions on using IPv6 anycast addresses were removed because
>     there is now sufficient experience with the use of anycast addresses,
>     the issues are not specific to IPv6, and the GROW working group is
>     working in this area.
>
> So I think this restriction can now be removed, at least with this
> change, but more might be needed
>

Certainly in my case the current OpenBSD situation represents a bit too much
"nanny knows best".

My use-case is anycast DNS with NSD and Unbound.

Both NSD and unbound provide config parameters that allow distinguishing
between listen address and source address.

But then again, is there any real reason to use the anycast flag ? To make
NSD and unbound work I reconfigured to remove the anycast flag from IPv6
addresses and nothing seems broken ?
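The listen/source split mentioned above, written out as an added example (not a configuration from anyone in this thread). It uses the `interface:` / `outgoing-interface:` options of unbound.conf(5) and the `ip-address:` / per-pattern `outgoing-interface:` options of nsd.conf(5); all addresses are constructed from documentation ranges, and the split is what keeps the anycast address off the source side of upstream queries and zone transfers while the daemons still answer on it:

```conf
# --- unbound.conf (constructed example) ---
server:
    # Anycast service addresses: the resolver answers clients here.
    interface: 2001:db8:beef::1
    interface: 192.0.2.53
    # Unicast addresses of this particular node: upstream queries leave
    # from these, so replies come back to this node and not to whichever
    # anycast instance the routing table currently prefers.
    outgoing-interface: 2001:db8:feed::2
    outgoing-interface: 198.51.100.2

# --- nsd.conf (constructed example) ---
server:
    # Anycast service addresses for authoritative answers.
    ip-address: 2001:db8:beef::1
    ip-address: 192.0.2.53

pattern:
    name: "anycast-secondary"
    # Zone transfers and NOTIFY traffic are sourced from the node's own
    # unicast address; the primary's ACL should list that address,
    # not the shared anycast one.
    outgoing-interface: 2001:db8:feed::2
    request-xfr: 2001:db8:feed::1 NOKEY
    allow-notify: 2001:db8:feed::1 NOKEY

zone:
    name: "example.com"
    include-pattern: "anycast-secondary"
```

With the outgoing side pinned to unicast, the only packets carrying the anycast address as source are answers to queries that arrived on it, which is the case the old RFC 3513 wording was worried about and RFC 4291 no longer forbids.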
Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
(moving from misc to tech)

On 2019-05-11, Rachel Roch wrote:
> I'm still learning IPv6 intricacies, so forgive me if this is a silly
> question.
>
> When I have interfaces set in the standard manner, e.g.:
>
> inet6 2001:DB8:beef::1 128
> up
>
> NSD and Unbound will bind to that address without problem.
>
> However if I add the anycast flag:
> inet6 2001:DB8:beef::1 128 anycast
> up
>
> and then destroy and re-create the interfaces and pkill and relaunch unbound
> and NSD, they both complain bitterly:
>
> [2019-05-11 21:00:51.665] nsd[43360]: notice: nsd starting (NSD 4.1.27)
> [2019-05-11 21:00:51.666] nsd[43360]: error: can't bind udp socket: Can't
> assign requested address
> [2019-05-11 21:00:51.666] nsd[43360]: error: server initialization failed,
> nsd could not be started
> [1557604863] unbound[69433:0] error: can't bind socket: Can't assign
> requested address for 2001:DB8:beef::1 port 53
> [1557604863] unbound[69433:0] fatal error: could not open ports
>
> The interface shows correctly in ifconfig so I don't know what the problem is
> ?
>
> This is on OpenBSD 6.5 if it makes any difference.
>

RFC3513 says this:

  o An anycast address must not be used as the source address of
    an IPv6 packet.

  o An anycast address must not be assigned to an IPv6 host, that
    is, it may be assigned to an IPv6 router only.

And to help ensure this, the kernel denies binding to an address marked
with the anycast flag (see netinet6/in6_pcb.c).

This was obsoleted by RFC4291, including this change:

  o The restrictions on using IPv6 anycast addresses were removed because
    there is now sufficient experience with the use of anycast addresses,
    the issues are not specific to IPv6, and the GROW working group is
    working in this area.

So I think this restriction can now be removed, at least with this
change, but more might be needed.
Index: in6_pcb.c === RCS file: /cvs/src/sys/netinet6/in6_pcb.c,v retrieving revision 1.108 diff -u -p -r1.108 in6_pcb.c --- in6_pcb.c 4 Oct 2018 17:33:41 - 1.108 +++ in6_pcb.c 13 May 2019 07:28:02 - @@ -185,10 +185,6 @@ in6_pcbaddrisavail(struct inpcb *inp, st sin6->sin6_port = lport; /* -* bind to an anycast address might accidentally -* cause sending a packet with an anycast source -* address, so we forbid it. -* * We should allow to bind to a deprecated address, * since the application dare to use it. * But, can we assume that they are careful enough @@ -197,8 +193,8 @@ in6_pcbaddrisavail(struct inpcb *inp, st * flag to control the bind(2) behavior against * deprecated addresses (default: forbid bind(2)). */ - if (ifa && ifatoia6(ifa)->ia6_flags & (IN6_IFF_ANYCAST| - IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED|IN6_IFF_DETACHED)) + if (ifa && ifatoia6(ifa)->ia6_flags & (IN6_IFF_TENTATIVE| + IN6_IFF_DUPLICATED|IN6_IFF_DETACHED)) return (EADDRNOTAVAIL); } if (lport) {
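Review bot: dropping IN6_IFF_ANYCAST from the ia6_flags mask in the second hunk removes the only check this function had against binding an anycast address, and the accompanying mail already says "more might be needed": the removed comment in the first hunk described the bind-time refusal as the guard against later sending packets with an anycast source, so the reviewer should confirm whether the source-address selection path still avoids anycast addresses for sockets that were not explicitly bound, or whether that is now left entirely to the application (as the thread's NSD/Unbound listen vs. outgoing split does). Rather than deleting the comment outright, a one-line replacement such as "bind(2) to an anycast address is allowed; the RFC 3513 restriction was lifted by RFC 4291" would tell the next reader why the flag is absent from a mask that otherwise still lists TENTATIVE, DUPLICATED and DETACHED. The documentation that describes the ifconfig anycast keyword should also be updated in the same change, since it will no longer prevent a daemon from listening on the address.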
NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
I'm still learning IPv6 intricacies, so forgive me if this is a silly
question.

When I have interfaces set in the standard manner, e.g.:

    inet6 2001:DB8:beef::1 128
    up

NSD and Unbound will bind to that address without problem.

However if I add the anycast flag:

    inet6 2001:DB8:beef::1 128 anycast
    up

and then destroy and re-create the interfaces and pkill and relaunch unbound
and NSD, they both complain bitterly:

    [2019-05-11 21:00:51.665] nsd[43360]: notice: nsd starting (NSD 4.1.27)
    [2019-05-11 21:00:51.666] nsd[43360]: error: can't bind udp socket: Can't assign requested address
    [2019-05-11 21:00:51.666] nsd[43360]: error: server initialization failed, nsd could not be started
    [1557604863] unbound[69433:0] error: can't bind socket: Can't assign requested address for 2001:DB8:beef::1 port 53
    [1557604863] unbound[69433:0] fatal error: could not open ports

The interface shows correctly in ifconfig so I don't know what the problem is
?

This is on OpenBSD 6.5 if it makes any difference.
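The failure reported above ("Can't assign requested address", i.e. EADDRNOTAVAIL from bind(2)) only surfaces once NSD or Unbound is already started, and an anycast node that fails to start silently drops out of service. The script below is an added example, not code from this thread or from the NSD/Unbound projects: it performs a preflight bind of a throwaway UDP socket on every address the daemon will listen on, on an ephemeral port so it does not collide with a running resolver, and reports the symbolic errno so the kernel refusal is visible before the daemon is (re)started. The address list in `main` is constructed from documentation ranges; on a real host it would be the daemon's configured listen addresses.

```python
"""Preflight bind check for DNS listener addresses (added example)."""
import errno
import socket
from typing import Dict, Iterable, Optional


def check_bindable(addr: str, port: int = 0) -> Optional[str]:
    """Try to bind a UDP socket to (addr, port).

    Returns None when the bind succeeds, otherwise the symbolic errno name,
    e.g. "EADDRNOTAVAIL" (the kernel's "Can't assign requested address",
    which is what NSD and Unbound log when the anycast-flagged address is
    refused) or "EAFNOSUPPORT" when the host has no IPv6 at all.
    port=0 lets the kernel choose an ephemeral port so the probe never
    fights a daemon already listening on port 53.
    """
    try:
        # AI_NUMERICHOST: never consult DNS while checking a DNS server.
        infos = socket.getaddrinfo(addr, port, socket.AF_UNSPEC,
                                   socket.SOCK_DGRAM, 0, socket.AI_NUMERICHOST)
    except socket.gaierror:
        return "EINVAL"  # not a literal IP address
    family, socktype, proto, _canon, sockaddr = infos[0]
    try:
        sock = socket.socket(family, socktype, proto)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        sock.bind(sockaddr)
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def preflight(addresses: Iterable[str], port: int = 0) -> Dict[str, Optional[str]]:
    """Map each listen address to None (bindable) or its errno name."""
    return {addr: check_bindable(addr, port) for addr in addresses}


def all_bindable(addresses: Iterable[str], port: int = 0) -> bool:
    """True only if every listen address can be bound right now."""
    return all(err is None for err in preflight(addresses, port).values())


def main() -> int:
    # Constructed sample: loopback addresses (expected to bind) plus an
    # RFC 3849 documentation address that is not configured on this host
    # (expected to fail the way the thread's anycast address did).
    listen = ["127.0.0.1", "::1", "2001:db8:beef::1"]
    results = preflight(listen)
    for addr, err in results.items():
        status = "ok" if err is None else f"bind failed: {err}"
        print(f"{addr:24} {status}")
    # Non-zero exit lets an rc script or monitoring check refuse to start
    # the daemon (or page someone) instead of discovering the outage later.
    return 0 if all_bindable(listen) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

On the OpenBSD 6.5 host from the report, the anycast-flagged address would show `bind failed: EADDRNOTAVAIL` even though `ifconfig` lists it, which is exactly the kernel-side refusal the thread traces to netinet6/in6_pcb.c; once the flag is removed (or the kernel check is), the same address reports `ok`.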