SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

dyndns_update and IPv6 SLAAC address #5662

Open ChristophHannappel opened 3 years ago

ChristophHannappel commented 3 years ago

Hello,

I found an issue or feature request for the dyndns_update when using IPv6 Stateless Address Autoconfiguration (SLAAC) on clients and with an active dyndns_update. I'm using a FreeIPA Server on Fedora Server 33 and some Fedora 34 and Ubuntu 20.04 clients. When a client gets its IPv6 address via SLAAC, the address might not be configured when sssd starts and updates the DNS records, since the client didn't receive an IPv6 router advertisement. As an example, the default radvd configuration sends a router advertisement at a random interval (MinRtrAdvInterval/MaxRtrAdvInterval) between 198 - 600 seconds. So it can take up to 10 minutes to get an address. In a real world scenario the interval would be lower, but the IPv6 config is usually too late for the sssd start. So SSSD does what it should do and removes any A or AAAA records which are currently not found on the client. This leads to the issue that you can't address the client via IPv6 over name resolution. Workarounds:

Is it possible to trigger an SSSD dyndns_update on IP change without restarting the service?

sumit-bose commented 3 years ago

Hi,

thank you for your patience. SSSD is using netlink to get notified about changes in the network configuration. But this information is basically used to trigger a switch from the offline to the online state. If SSSD is already online the notifications currently do not have an effect.

When switching from the offline to the online state SSSD will try a dynamic DNS update. Have you tried if

kill -USR1 $(pidof sssd)
sleep 1
kill -USR2 $(pidof sssd)

will cause an update of your addresses? The sequence will switch SSSD into offline mode (USR1) and back into online mode (USR2). Since SSSD processes events asynchronously, the sleep should make sure the signals are processed in the expected order.

bye, Sumit
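As an added example (not code from the SSSD project or from the commenters above), a POSIX shell script that polls an interface until a usable SLAAC address is present and then applies the USR1/USR2 sequence from the comment above, so the record refresh happens only once the AAAA address actually exists. The interface name, polling limits and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not SSSD project code: wait until the interface has a usable
# global (SLAAC) IPv6 address, then push sssd offline and back online so it
# re-runs its dynamic DNS update. Interface, timeouts and file name are assumed.

IFACE="${IFACE:-eth0}"        # placeholder interface name
MAX_WAIT="${MAX_WAIT:-900}"   # seconds; radvd defaults can take ~10 minutes
POLL="${POLL:-5}"             # seconds between checks

# has_global_ipv6 "<output of ip -6 addr show>"
# Succeeds if the output lists a global-scope inet6 address that is neither
# tentative (duplicate address detection still running) nor deprecated.
has_global_ipv6() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*inet6 .* scope global' \
        | grep -Ev 'tentative|deprecated' \
        | grep -q .
}

# refresh_sssd_dns PID: SIGUSR1 forces sssd offline, SIGUSR2 brings it back
# online; the sleep keeps the asynchronously handled signals in order.
refresh_sssd_dns() {
    [ -n "$1" ] || { echo "sssd is not running" >&2; return 1; }
    kill -USR1 "$1" && sleep 1 && kill -USR2 "$1"
}

# Poll the interface until a usable address appears or MAX_WAIT expires,
# then trigger the update exactly once.
wait_for_slaac_then_refresh() {
    waited=0
    while [ "$waited" -lt "$MAX_WAIT" ]; do
        if has_global_ipv6 "$(ip -6 addr show dev "$IFACE")"; then
            refresh_sssd_dns "$(pidof sssd)"
            return $?
        fi
        sleep "$POLL"
        waited=$((waited + POLL))
    done
    echo "no usable global IPv6 address on $IFACE after ${MAX_WAIT}s" >&2
    return 1
}

# Constructed sample of `ip -6 addr show` output: link-local plus a SLAAC
# address still in tentative state, so has_global_ipv6 must fail on it.
SAMPLE_TENTATIVE='    inet6 fe80::5054:ff:fe12:3456/64 scope link
    inet6 2001:db8:1::a1/64 scope global tentative dynamic mngtmpaddr'

# Run the live loop only when executed under the assumed script name.
if [ "${0##*/}" = "sssd-ipv6-refresh.sh" ]; then
    wait_for_slaac_then_refresh
fi
```

Run it from a network dispatcher hook or a oneshot unit ordered after sssd, rather than at every boot unconditionally.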

abbra commented 10 months ago

I think this issue is worth documenting in both man pages for sssd-ipa(5) and sssd-ad(5) as we don't have a common place to explain how dynamic DNS integration is implemented. So while it is not a code change asked here, the overall state is worth being documented.