[Dnsmasq-discuss] interface-name and IPv6 temporary addresses

Michael Gorbach michael at mgorbach.name
Mon Dec 1 18:49:56 GMT 2014


On Nov 30, 2014, at 11:17 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
> On 29/11/14 19:18, Michael Gorbach wrote:
>> Hi All,
>> 
>> I've got a question and potential enhancement request. It looks like
>> right now, the (very useful) interface-name feature pulls all
>> (global) addresses from the interface. One of my machines uses IPv6
>> privacy extensions (known in Linux as use_tempaddr), which means that
>> in addition to link-local and permanent global addresses, it has a
>> rotating cast of ~ 5 temporary addresses. I suggest that dnsmasq
>> should detect those temporary addresses and not return them for
>> queries that would otherwise hit interface-name. Returning them as it
>> does now means > 5 AAAA records for a single name, which causes
>> repeated confusion due to things like SSH warning about an unknown
>> host because it has suddenly picked a previously-unknown temporary
>> address to connect to. Thoughts?
>> 
> 
> Sounds like a sensible suggestion. This facility was added before I was
> really familiar with IPv6 and all its extra complications. Most of those
> 5 temporary addresses will be "deprecated" ie hanging around for the use
> of existing connections, but not used for new ones. They definitely
> shouldn't appear, but I'm pretty convinced, unless anyone can come up
> with a good reason why not, that all privacy addresses should be elided,
> without exception.
> 
> I wonder, though, if that's only true for forward (ie AAAA) lookups.
> Should a reverse lookup on an old privacy address still yield the name
> of the host it belongs to?

Thanks, Simon.
I’d agree that all the temporary addresses should be skipped in forward resolution. In terms of reverse, I’d say there’s a high amount of value in having at least the current temporary address resolve to the correct host name. Temporary addresses are often preferred for outbound connections, so if we don’t have reverse resolution here then for example SSH is going to complain that it can’t check reverse DNS.
There’s probably some value in reverse resolution for deprecated temporary addresses, for example if you wanted to track down some client in your system logs from several days ago, but it’s significantly lower. If that’s a large amount of work, to me it’s something that wouldn’t be top-priority.

Yours,
~ M.

> 
> 
> 
> Cheers,
> 
> Simon.
> 
> 

