PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Feature Request: local-address statement accepts IPv6 Token. #12720

Open PickleG opened 1 year ago

PickleG commented 1 year ago

Short description

Extend the local-address statement to accept the IPv6 Token format, i.e. static:::42, or provide some method to lock down the local-address when only the host bits of the IPv6 address are known, due to changing IPv6 prefix addressing.

Usecase

I have an ISP that issues IPv6 addresses via DHCPv6 Prefix Delegation (static /56; prefix delegation issued as /59s). The ISP router that issues the IPv6 prefix is sometimes rebooted by the ISP and becomes forgetful of which part of the /56 it issued last. Thus the IPv6 address space I use for servers changes from time to time without notice.

My internal router is configured to get its IPv6 addresses via a combination of ULA and Prefix Delegation, which in turn advertises IPv6 prefixes to my servers.

Ubuntu server 22.04 running PowerDNS Authoritative and PowerDNS Recursor on port 53 via multiple IP addresses.

/etc/systemd/network/eth0.network

[Match]
Name=eth0

[Network]
Address=10.99.99.41/24
Address=10.99.99.42/24
Address=fd00:7ac0:face::41/64
Address=fd00:7ac0:face::42/64
IPv6AcceptRA=True
IPv6Token=static:::41
IPv6Token=static:::42
Gateway=10.99.99.1
DNS=10.99.99.31
DNS=10.99.99.41

ip addr list

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether e4:5f:01:69:ad:8a brd ff:ff:ff:ff:ff:ff
    inet 10.99.99.41/24 brd 10.20.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.99.99.42/24 brd 10.20.10.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 10.99.99.43/24 brd 10.20.10.255 scope global secondary eth0:0
       valid_lft forever preferred_lft forever
    inet6 2609:3091:1901:2c7::42/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7117sec preferred_lft 4417sec
    inet6 2609:3091:1901:2c7::43/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7117sec preferred_lft 4417sec
    inet6 2609:3091:1901:2c7::41/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7117sec preferred_lft 4417sec
    inet6 fd00:7ac0:face::42/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd00:7ac0:face::41/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::e65f:1ff:fe69:ad8a/64 scope link
       valid_lft forever preferred_lft forever

Description

Code local-address to accept the Token format [::42], [static:::42] or [dynamic::42] and listen/query on the one of the dynamic IPv6 addresses that matches the statement.

Perhaps non-local-bind may be required for this to work.

Note that on a Linux system (for example Ubuntu server 22.04), Token IPv6 addresses have the 'dynamic' and 'mngtmpaddr' flags.

Habbie commented 6 months ago

Is this Token format defined somewhere, in some standard perhaps?

PickleG commented 6 months ago

In those applications that accept a prefix defined by the network, where the host bits can be influenced, the format is generally in the form of a double colon followed by an IPv6 wildcard, i.e. ::1 or ::101:0:0:1. But this is in a field that expects a wildcard format. Otherwise ::1 would be interpreted as localhost :1. Hence the unique format of Linux that has keywords before the wildcard: static:::41. My Cisco router uses the format ipv6 address ::<wildcard>/64; ipv6 address comcast-pd ::1/64

These are all used to configure an interface. In the case of PowerDNS, the address is already present, and PowerDNS would have to find and lock onto the address, and furthermore cycle around periodically and determine if the IPv6 address has changed. PowerDNS would also likely have to have its own keywords to limit the IPv6 search, i.e. ULA versus global IPs. I'm using ULA IPs that will never change, and I have to adjust for changes to global IPs.

In my case, I'm running PowerDNS Authoritative, PowerDNS Recursor, and Pi-hole on the same OS, each process on port 53, each on a different IP. It works well, but when my upstream ISP changes my IPv6 DHCP prefix delegation, I have to manually edit the pdns.conf and pdns-recursor.conf files to adjust their global IPv6 addresses.
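The matching logic the two comments above describe (find the already-present address whose host bits equal the token, keep ULA and global addresses apart, and re-check periodically for a prefix change) can be sketched as follows. This is an added example, not PowerDNS code and not from the issue author: the token grammar (optional `static:`/`dynamic:` keyword, then `::<host bits>`), the `want` selector and the helper names are this example's own assumptions, and the entry shape mirrors the `addr_info` objects printed by `ip -j addr`. The sample entries are constructed from the addresses shown in the `ip addr list` output above so the script runs offline.

```python
"""Resolve an IPv6 "token" (host bits only) to a concrete local address.

Added illustration for the feature request, not PowerDNS code. The token
grammar, the ULA-vs-global selector and the helper names are assumptions
of this example; entries follow the `addr_info` shape of `ip -j addr`.
"""
import ipaddress
import json
import subprocess

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses
HOST_MASK = (1 << 64) - 1                 # low 64 bits of a /64 address

# Constructed sample in the shape of `ip -j addr` addr_info entries, using
# the addresses shown in the issue's `ip addr list` output.
SAMPLE_ADDRS = [
    {"family": "inet", "local": "10.99.99.41", "prefixlen": 24, "scope": "global"},
    {"family": "inet6", "local": "2609:3091:1901:2c7::42", "prefixlen": 64,
     "scope": "global", "dynamic": True, "mngtmpaddr": True},
    {"family": "inet6", "local": "2609:3091:1901:2c7::43", "prefixlen": 64,
     "scope": "global", "dynamic": True, "mngtmpaddr": True},
    {"family": "inet6", "local": "2609:3091:1901:2c7::41", "prefixlen": 64,
     "scope": "global", "dynamic": True, "mngtmpaddr": True},
    {"family": "inet6", "local": "fd00:7ac0:face::42", "prefixlen": 64, "scope": "global"},
    {"family": "inet6", "local": "fd00:7ac0:face::41", "prefixlen": 64, "scope": "global"},
    {"family": "inet6", "local": "fe80::e65f:1ff:fe69:ad8a", "prefixlen": 64, "scope": "link"},
]


def parse_token(token):
    """Split 'static:::42' / 'dynamic:::42' / '[::42]' into (keyword, host_bits).

    The keyword is the alphabetic part before the first ':'; the remainder
    must be an IPv6 literal that sets only the low 64 (host) bits.
    """
    body = token.strip("[]")
    keyword = None
    head, _, rest = body.partition(":")
    if head.isalpha():
        keyword = head
        # 'dynamic::42' as written in the issue loses one ':' to the separator.
        body = rest if rest.startswith("::") else ":" + rest
    host = int(ipaddress.IPv6Address(body))
    if host & ~HOST_MASK:
        raise ValueError(f"token {token!r} sets prefix bits, not just host bits")
    return keyword, host


def match_token(token, entries, want="global"):
    """Return the /64 addresses (as strings) whose host bits equal the token's.

    want="global" keeps globally routable unicast, want="ula" keeps fc00::/7
    only, want="any" keeps both: the ULA-versus-global keyword the issue
    says PowerDNS would need to limit the search.
    """
    keyword, host = parse_token(token)
    hits = []
    for e in entries:
        if e.get("family") != "inet6" or e.get("prefixlen") != 64:
            continue
        if e.get("scope") != "global":        # skip link-local and loopback
            continue
        addr = ipaddress.IPv6Address(e["local"])
        if int(addr) & HOST_MASK != host:
            continue
        is_ula = addr in ULA
        if (want == "global" and is_ula) or (want == "ula" and not is_ula):
            continue
        # RA-derived (token) addresses carry the 'dynamic' flag on Linux.
        if keyword == "dynamic" and not e.get("dynamic"):
            continue
        hits.append(str(addr))
    return hits


def refresh(token, entries, previous, want="global"):
    """One poll of the 'cycle around periodically' loop: returns
    (current_address_or_None, changed) so a caller can re-bind on change."""
    hits = match_token(token, entries, want)
    current = hits[0] if hits else None
    return current, current != previous


def live_entries(ifname="eth0"):
    """Read real addr_info entries from iproute2's JSON output (Linux only)."""
    out = subprocess.run(["ip", "-j", "addr", "show", "dev", ifname],
                         capture_output=True, text=True, check=True).stdout
    return [a for link in json.loads(out) for a in link.get("addr_info", [])]


if __name__ == "__main__":
    previous = None
    for token in ("static:::42", "::42"):
        current, changed = refresh(token, SAMPLE_ADDRS, previous)
        print(token, "->", current, "(changed)" if changed else "(same)")
        previous = current
    print("ULA only:", match_token("::42", SAMPLE_ADDRS, want="ula"))
```

Note what the sample shows: `::42` alone is ambiguous on this host (it matches both 2609:3091:1901:2c7::42 and fd00:7ac0:face::42), which is why a ULA/global selector is needed on top of the token. A daemon using this would poll `live_entries()` on a timer and, when `refresh()` reports a change, close and re-open its listening sockets on the new address; as the issue notes, binding before the RA-derived address has appeared would additionally need the non-local-bind setting.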

Habbie commented 6 months ago

Are you aware of software other than systemd-networkd that supports this? Does pi-hole? A few examples would be helpful.