[Dnsmasq-discuss] auth-server reverse zones / Re: PTR records with auth-zone and auth-server

2014-04-04 Thread Lutz Preßler
Hello Simon,

On Thu, 03 Apr 2014, Simon Kelley wrote:

> On 03/04/14 08:22, Craig McQueen wrote:
> > I'm using dnsmasq 2.68. It's mostly working, however I'm having a few
> > troubles with PTR records when using auth-zone and auth-server. If I use
> > these options, then:
> > 
> > * PTR look-up of IP addresses defined by interface-name=example.lan,br0
> > return an answer, but the returned status is NXDOMAIN rather than NOERROR.
(Coincidentally yesterday I found that problem, too)
> 
> That's a bug, nasty one. Fix pushed to git,
Thanks, works.
> 
> > * No custom PTR records can be defined with ptr-record.
> 
> That's behaving as documented, --ptr-record doesn't appear in the list
> of data included in an authoritative zone given in the AUTHORITATIVE
> CONFIGURATION section of the man page. The reason is, I think, that
> PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
> therefore difficult to use the subnet(s) associated with an auth-zone to
> filter them. It would be possible to filter on the name using the domain
> associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
> subnet. That's quite complex to understand/document/use.
Obviously I'm missing something. Why cannot PTR replies be filtered on
either x.y.x.in-addr.arpa / ...d.c.b.a.ip6.arpa fitting associated
subnets (maybe complicated by the non-nibble IPv4 case) OR any PTR content
for defined auth-zone-s?
(Btw, in the documentation it sometimes reads "ipv6.arpa" instead of 
"ip6.arpa".)

To add to the wish list: I'd really like the ability to also do AXFRs
for reverse zones. Is the difficulty to enumerate the records?
Usage is a DNSSEC signing front-end server.

Another question: dnsmasq is not sending NOTIFYs, is it?

Regards,
  Lutz
-- 
Lutz Preßler, Göttingen, Germany

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
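
The filter proposed in the message above (accept a PTR name when its reverse address falls inside an auth-zone subnet, or when the name lies under an auth-zone domain), as an added Python example that is not dnsmasq code. The function names, sample subnets and sample names are assumptions constructed for illustration.

```python
import ipaddress

HEX = set("0123456789abcdef")

def reverse_name_to_address(qname):
    """Return the address encoded in a complete reverse name, else None."""
    labels = qname.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            octets = labels[:4][::-1]
            # Only canonical decimal octets: rejects "01", "+1", "1_0".
            if any(str(int(o)) != o for o in octets):
                return None
            return ipaddress.IPv4Address(".".join(octets))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = labels[:32][::-1]
            if any(n not in HEX for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(nibbles), 16))
    except ValueError:
        return None
    return None

def ptr_in_auth_zone(qname, subnets, domains=()):
    """True if a PTR owner name belongs to the zone under either rule."""
    addr = reverse_name_to_address(qname)
    if addr is not None:
        # Compare the full address, so non-octet prefixes such as /26 work.
        return any(addr in ipaddress.ip_network(s) for s in subnets)
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d)
               for d in (x.lower().rstrip(".") for x in domains))

if __name__ == "__main__":
    # Constructed sample zone: one IPv4 /26, one IPv6 /64, one domain.
    subnets = ["192.168.1.64/26", "fd00::/64"]
    for q in ("70.1.168.192.in-addr.arpa",   # inside the /26
              "10.1.168.192.in-addr.arpa",   # same /24, outside the /26
              "_svc.example.lan",            # PTR with a non-reverse name
              "host.other.test"):
        print(q, ptr_in_auth_zone(q, subnets, ["example.lan"]))
```

Because the check is made on the decoded address rather than on the zone name, the non-nibble IPv4 case mentioned above needs no special handling.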


[Dnsmasq-discuss] DHCPv6 wishes (Re: IPv6: selective RAs)

2012-09-13 Thread Lutz Preßler
Hello,
On Wednesday, 12 September 2012, Lutz Preßler wrote:
> On Wednesday, 12 September 2012, Simon Kelley wrote:
> > On 12/09/12 14:20, Lutz Preßler wrote:
> > 
> > You can black or white list for DHCPv6 with the --dhcp-ignore (but it
> > might be difficult to blacklist for DHCPv6 and allow DHCPv4 - that could
> > be fixed.)
> Ok, I'll try.
Whitelisting with DUID does work as documented, e.g.
  dhcp-host=id:00:01:00:01:16:97:D9:B5:00:0A:29:5E:8C:D0
  dhcp-ignore=tag:!known
(probably also with explicit tags).

Two things would be helpful:
- A way to tag depending on link local IPv6 source address (and interface?)
  of the request. This is in many cases easier to get in advance than the
  DUID used (and in the original application also needed to selectively
  ignore RA solicitations). (I know that this is not usable with relays.)

- Logging: with log-dhcp ignored DHCPSOLICITs are logged (including DUID)
  but DHCPINFORMATION-REQUESTs are not. Probably this is not intentional?
  (Maybe also include requesting LL IPv6 address in logging.)

Lutz



Re: [Dnsmasq-discuss] IPv6: selective RAs

2012-09-12 Thread Lutz Preßler
Hello again,

On Wednesday, 12 September 2012, Simon Kelley wrote:
> On 12/09/12 14:20, Lutz Preßler wrote:
> 
> You can black or white list for DHCPv6 with the --dhcp-ignore (but it
> might be difficult to blacklist for DHCPv6 and allow DHCPv4 - that could
> be fixed.)
Ok, I'll try.
> 
> You can't black or whitelist RA's
I accept your reasoning that it's better to combine with radvd.
> >>
> >>> Only sending stateful DHCPv6 but no RAs is not possible either, is it?
> >> If you configure DHCPv6 for a subnet, you get stateful DHCPv6 but no RA.
> >> That should combine with radvd fine, I think.
> > Sorry, this was a typo: I meant "only stateLESS DHCPv6".
> >
> 
> OK, but my statement is still valid: stateless DHCPv6 is just different
> requests from the client; if you configure DHCPv6 you get both. If you
> then configure radvd to send the correct bits in RAs, clients will ask
> for stateless rather than stateful DHCPv6.
Yes, this was stupid... 
dhcp-range=SOME-ADDRESS-FROM-INTERFACE,static
and dhcp-option=option6:... statements work just fine.

Thanks,
  Lutz



Re: [Dnsmasq-discuss] IPv6: selective RAs

2012-09-12 Thread Lutz Preßler
Hello Simon!

On Wednesday, 12 September 2012, Simon Kelley wrote:
> On 12/09/12 13:04, Lutz Preßler wrote:
> > I don't see a way to have RAs only for certain clients like
> > radvd (from radvd.conf.5:)
> > "By  default  radvd will send route advertisements so that every node on the
> > link can use them.  The list of clients (IPv6 address) to advertise to,
> > and accept route solicitations from can be configured.  If done, radvd
[...]
> > "
> > 
> > Is this a feature you would implement?
> 
> I don't think this is an appropriate feature for dnsmasq, the philosophy
> is that it should provide a basic RA service for networks which are
> really using DHCPv6 for the complex stuff.
I understand that. But maybe I have to explain the motivation: clients,
which are in principle IPv6 capable but have broken or incomplete implementations
(e.g. Windows XP, some Linux distros, Android). It would be good to be able
to black- or whitelist within dnsmasq (and not with packet filter rules).
I said RA - but this also extends to DHCPv6 as there are clients which
(not conforming to current RFCs) do DHCPv6 despite having received no RA.

> 
> > Only sending stateful DHCPv6 but no RAs is not possible either, is it?
> 
> If you configure DHCPv6 for a subnet, you get stateful DHCPv6 but no RA.
> That should combine with radvd fine, I think.
Sorry, this was a typo: I meant "only stateLESS DHCPv6".

Lutz



[Dnsmasq-discuss] IPv6: selective RAs

2012-09-12 Thread Lutz Preßler
Hello!

I don't see a way to have RAs only for certain clients like
radvd (from radvd.conf.5:)
"By  default  radvd will send route advertisements so that every node on the
link can use them.  The list of clients (IPv6 address) to advertise to,
and accept route solicitations from can be configured.  If done, radvd
does not send messages to the multicast  addresses  but to  the
configured  unicast  addresses  only.  Solicitations from other addresses
are refused.  This is similar to UnicastOnly but includes periodic messages
and incoming client access configuration.  See examples section for a use
case of this.
"

Is this a feature you would implement?
Only sending stateful DHCPv6 but no RAs is not possible either, is it?
Combining dnsmasq with radvd would be possible then...

Regards,
  Lutz

