[Dnsmasq-discuss] Disabling IPv6 at compile time no longer working
Petr Menšík
pemensik at redhat.com
Fri Oct 30 15:30:59 GMT 2020
It is the year 2020; IPv6 has been with us far too long to be optional. IPv4
support is not optional either. It is just the ability to parse IPv6
addresses and listen on its sockets. DHCPv6 can still be disabled,
because it can be considered a separate feature.
That means, nobody is forcing you to deploy IPv6. What is the system you
build it on? Has it IPv6 support not compiled in? Does ifconfig, route
or ping support it? Why not dnsmasq?
On 10/30/20 1:10 PM, SALA MASSIMO wrote:
> Hi Chris, Petr
>
> I agree with Chris: I wish we could disable IPv6 support.
>
> There are scenarios - like usage in intranet LANs, IPv4 only - this feature is useless.
>
> For best practice, unwanted features should be disabled:
> 1) avoid any possibility of hitting bugs in code paths that implement this functionality;
Bugs must be fixed, because almost all distributions want IPv6 enabled.
AFAIK there was no reported vulnerability related to IPv6 in the 4 years I
have maintained dnsmasq on Fedora.
> 2) reduce the surface of possible attacks;
And reduce readability of source code with common #ifdef HAVE_IPV6,
making it more likely that bugs would not be noticed. More optional compilation
parts mean more testing is required to ensure all combinations work.
> 3) IMHO you cannot force the users to be unaware testers of unused features.
Nobody is forcing you to use it. Nobody is also forcing you to use
dnsmasq. I think Simon asked some months ago, whether anyone would miss
it. You are able to revert the removing commit and maintain your copy
with ability to disable IPv6, if you consider it important enough.
>
>
>> It was intentionally removed in commit ee8750451b4[1], removed in 2.81 release.
>
> I don't understand why this commit was approved.
> Which are the benefits for the developers?
Better readability, fewer combinations, less testing. Noted above.
I think Simon asked and nobody objected. Anyway, Simon Kelley is the
only one with write access to the repository. He has decided and removed
it. He does not need any approval from anyone. It was his project from
the beginning. No one objected until now. I think that means low desire
to disable IPv6 support at compile time.
>
> Best regards, Massimo Sala
>
>
Best Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB