[Dnsmasq-discuss] interface-name and IPv6 temporary addresses

Simon Kelley simon at thekelleys.org.uk
Mon Dec 1 22:17:58 GMT 2014

On 01/12/14 18:49, Michael Gorbach wrote:
> On Nov 30, 2014, at 11:17 AM, Simon Kelley <simon at thekelleys.org.uk>
> wrote:
>> On 29/11/14 19:18, Michael Gorbach wrote:
>>> Hi All,
>>> I've got a question and potential enhancement request. It looks
>>> like right now, the (very useful) interface-name feature pulls
>>> all (global) addresses from the interface. One of my machines
>>> uses IPv6 privacy extensions (known in Linux as use_tempaddr),
>>> which means that in addition to link-local and permanent global
>>> addresses, it has a rotating cast of ~ 5 temporary addresses. I
>>> suggest that dnsmasq should detect those temporary addresses and
>>> not return them for queries that would otherwise hit
>>> interface-name. Returning them as it does now means > 5 AAAA
>>> records for a single name, which causes repeated confusion due to
>>> things like SSH warning about an unknown host because it has
>>> suddenly picked a previously-unknown temporary address to connect
>>> to. Thoughts?
>> Sounds like a sensible suggestion. This facility was added before I
>> was really familiar with IPv6 and all its extra complications. Most
>> of those 5 temporary addresses will be "deprecated" ie hanging
>> around for the use of existing connections, but not used for new
>> ones. They definitely shouldn't appear, but I'm pretty convinced,
>> unless anyone can come up with a good reason why not, that all
>> privacy addresses should be elided, without exception.
>> I wonder, though, if that's only true for forward (ie AAAA)
>> lookups. Should a reverse lookup on an old privacy address still
>> yield the name of the host it belongs to?
> Thanks, Simon. I’d agree that all the temporary addresses should be
> skipped in forward resolution. In terms of reverse, I’d say there’s a
> high amount of value in having at least the current temporary address
> resolve to the correct host name. Temporary addresses are often
> preferred for outbound connections, so if we don’t have reverse
> resolution here then for example SSH is going to complain that it
> can’t check reverse DNS. There’s probably some value in reverse
> resolution for deprecated temporary addresses, for example if you
> wanted to track down some client in your system logs from several
> days ago, but it’s significantly lower. If that’s a large amount of
> work, to me it’s something that wouldn’t be top-priority.

Since all the addresses - permanent, current privacy, and deprecated
privacy - are there now, it's just a question of filtering them, with a
bit of extra complication to do it differently for forward and reverse
queries. I think I've convinced myself that this won't bite anyone if we
make it a simple change-of-behaviour, rather than some new configuration
option to request this behaviour. I'd feel more confident if others had
a think about it and convinced themselves too.
> Yours, ~ M.
>> Cheers,
>> Simon.
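The filtering Simon describes above, as an added example (not dnsmasq's own code): parse the addresses on an interface, classify them as permanent, current privacy or deprecated privacy, exclude every temporary address from the forward (AAAA) answer for interface-name, and keep all of them, deprecated ones included, for reverse (PTR) lookups. On Linux the kernel reports these states as address flags over netlink (IFA_F_TEMPORARY, IFA_F_DEPRECATED); the example instead parses the text form of `ip -6 addr show` over a constructed sample so it runs offline, and the interface name, host name and addresses are all made up for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ip -6 addr show dev eth0` output: one permanent global
# address, an EUI-64 SLAAC address, one current and one deprecated temporary
# (privacy) address, plus the link-local address.  All values are made up.
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:2c7e:1f4d:9a3b:7e10/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:0:8d4a:11e0:b6f1:23c9/64 scope global temporary deprecated dynamic
       valid_lft 80000sec preferred_lft 0sec
    inet6 2001:db8:1:0:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Ifaddr:
    address: ipaddress.IPv6Address
    scope: str           # "global", "link", "host", ...
    flags: frozenset     # e.g. {"temporary", "deprecated", "dynamic"}

    @property
    def is_privacy(self) -> bool:
        # Corresponds to IFA_F_TEMPORARY in the netlink address message.
        return "temporary" in self.flags

    @property
    def is_deprecated(self) -> bool:
        # Corresponds to IFA_F_DEPRECATED: still usable by existing
        # connections, not selected for new ones.
        return "deprecated" in self.flags


def parse_ip6_addrs(text: str) -> list:
    """Extract the inet6 lines of `ip -6 addr` output into Ifaddr records."""
    addrs = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addrs.append(Ifaddr(ipaddress.IPv6Address(m.group(1)),
                            m.group(2),
                            frozenset(m.group(3).split())))
    return addrs


def forward_answers_current(addrs: list) -> list:
    """Behaviour the thread complains about: every global address, privacy
    addresses included, becomes an AAAA record for the interface name."""
    return [a.address for a in addrs if a.scope == "global"]


def forward_answers_proposed(addrs: list) -> list:
    """Proposed behaviour: global addresses only, with all privacy addresses
    (current and deprecated alike) left out of the AAAA answer."""
    return [a.address for a in addrs
            if a.scope == "global" and not a.is_privacy]


def reverse_lookup(addrs: list, query: str, hostname: str):
    """Proposed reverse behaviour: any address the interface holds, including
    deprecated privacy addresses, still resolves to the host name."""
    q = ipaddress.IPv6Address(query)
    return hostname if any(a.address == q for a in addrs) else None


if __name__ == "__main__":
    addrs = parse_ip6_addrs(SAMPLE_IP_ADDR_OUTPUT)
    print("current AAAA answer :", [str(a) for a in forward_answers_current(addrs)])
    print("proposed AAAA answer:", [str(a) for a in forward_answers_proposed(addrs)])
    print("PTR for deprecated privacy address:",
          reverse_lookup(addrs, "2001:db8:1:0:8d4a:11e0:b6f1:23c9", "host.example"))
```

The split between the two forward functions makes the effect visible: on the sample the current behaviour answers with four AAAA records, the proposed one with two, while the reverse path is unchanged and still names the host for a deprecated privacy address, which is the log-forensics case Michael mentions.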
