Re: [Dnsmasq-discuss] Why does the dnsmasq routing feature require a subnet prefix length of 64?
Neal: You aren't the only one who thought the math was off with IPv6. I had my issues, but for different reasons. Interesting read.

R

Sent from my iPhone

> On Jun 20, 2023, at 7:17 PM, imn...@gmail.com wrote:
>
> I did some math a while back. IPv6 will 'never' run out of addresses? Hah!
> It'll happen sooner than anyone thinks.
>
> - Assume 2^31 IPv6 LANs attached to the internet around the world.
> - Compute 2^31 * 2^64 = 2^95 addresses assigned
> - Assume 16 devices connected on each LAN: 2^31 * 2^4 = 2^35 addresses in use
>
> Converting to decimal, about 40 * 10^27 addresses assigned, 34 * 10^9
> addresses used. That leaves about 1.2 quintillion times the number of
> addresses in use that will never be used.
>
> Had they used /96 as the standard size (32-bit host address), that would've
> resulted in about 2^63 addresses assigned for the same 2^35 addresses used.
> The wastage would've dropped to about 270 million times the addresses used:
> about 12 orders of magnitude less address wastage.
>
> My opinion on this in more detail: http://murent.us/#ipv6wastage.
>
> I read somewhere that some may be second-guessing that decision. They
> might've done better to use /96 and hash the MAC address down to 24 bits to
> make SLAAC work.
>
> Neal
>
>> On Tue, 20 Jun 2023 15:05:07 -0700
>> Eric Fahlgren wrote:
>>
>> Yeah, some of the RFCs on v6 address formats hem and haw about how big the
>> network ID and interface ID parts are (probably written before actual
>> implementations were in place), but
>> https://www.rfc-editor.org/rfc/rfc4291#section-2.5.1 says quite
>> unequivocally:
>>
>>     For all unicast addresses, except those that start with the binary
>>     value 000, Interface IDs are required to be 64 bits long...
>>
>> Which drives a stake in the ground regarding how to partition those 128 bits.
>>
>>> On Tue, Jun 20, 2023 at 11:59 AM Petr Menšík wrote:
>>>
>>> I think that is required by SLAAC RFC, which adds another 2 bytes to 6
>>> bytes of hardware ethernet address.
>>>
>>> Which is in total 8 bytes, therefore 64 bits is required for it. Prefix
>>> cannot be higher, but can be lower in theory. There might be some
>>> implementation details now supporting lower prefix length in current
>>> implementation.
>>>
>>> Cheers,
>>> Petr
>>>
>>> On 15. 06. 23 12:07, renmingshuai via Dnsmasq-discuss wrote:
>>>
>>> When ra-only, slaac, or ra-stateless is configured in dhcp-range and the
>>> prefix len is set to a value other than 64, like this:
>>>
>>>     “dhcp-range=2000:1000:1000:1000:1000:1000::, ra-stateless,120,infinite”
>>>
>>> the following error message is displayed:
>>>
>>>     dnsmasq: prefix length must be exactly 64 for RA subnets at line 16 of
>>>     /etc/dnsmasq.conf
>>>
>>> Why must the prefix length be 64? This may come from an RFC regulation or
>>> recommendation, but I didn't find it. Would you mind telling me the reason?
>>>
>>> --
>>> Petr Menšík
>>> Software Engineer, RHEL
>>> Red Hat, http://www.redhat.com/
>>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/bin/mailman/listinfo/dnsmasq-discuss
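The 8-byte Interface ID Petr describes is the Modified EUI-64 of RFC 4291 Appendix A: the MAC is split in two, ff:fe is inserted in the middle and the universal/local bit of the first byte is inverted. The following is an added example (not dnsmasq code, and not from anyone in the thread) that derives such an address and reproduces the config-time check behind the "prefix length must be exactly 64 for RA subnets" error; the documentation prefix and the MAC used at the bottom are made up for illustration:

```python
"""Derive a SLAAC (EUI-64) address and apply the /64 rule dnsmasq enforces.

Added example, not code from dnsmasq or from anyone in the thread.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A).

    The 6-byte MAC is split in half, ff:fe is inserted in the middle, and
    bit 1 of the first byte (the universal/local bit) is inverted.  The
    result is the 8-byte Interface ID Petr refers to above.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 Interface ID of `mac`.

    Raises ValueError for any other prefix length: a 64-bit Interface ID
    leaves no room for a longer prefix, and RFC 4291 section 2.5.1 requires
    64 bits for all unicast addresses outside 000::/3.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(
            f"prefix length must be exactly 64 for SLAAC, got /{net.prefixlen}"
        )
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def check_ra_range(start: str, prefixlen: int) -> str:
    """Reproduce dnsmasq's config-time check for an RA/SLAAC dhcp-range.

    `start` is the first field of dhcp-range= and `prefixlen` the numeric
    field after the mode keyword.  Returns the /64 the range lives in, or
    raises ValueError with the same complaint dnsmasq logs.
    """
    if prefixlen != 64:
        raise ValueError("prefix length must be exactly 64 for RA subnets")
    return str(ipaddress.IPv6Network(f"{start}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # Constructed inputs: a documentation prefix and an arbitrary MAC.
    print(slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"))
    # The range from the original question is rejected for the same reason.
    try:
        check_ra_range("2000:1000:1000:1000:1000:1000::", 120)
    except ValueError as err:
        print("rejected:", err)
```

Two caveats a practitioner should keep in mind: the rule is about the Interface ID the client forms, so it applies to ra-only, slaac and ra-stateless ranges alike, and a MAC-derived address is only one of the forms a client may pick. Hosts using RFC 4941 temporary addresses or RFC 7217 stable-privacy Interface IDs still need the /64 but will not carry the MAC in the address, so do not build access control or device inventory on the EUI-64 form.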
[Dnsmasq-discuss] dhcp leases file not consulted after restart?
I'm in the beginning of troubleshooting an issue with name resolution in dnsmasq on a FreeBSD server.

I'm running dnsmasq 2.86 and I'm not able to resolve hostnames that are dhcp clients. This is a new development and may possibly be related to a FreeBSD system upgrade from 13.0-RELEASE to 13.0-RELEASE-p11.

Example: my desktop machine is a dhcp client and is active on the network, and can ping via hostname the firewall server that runs dnsmasq, which is assigned a static IP and reads /etc/hosts for static names and /etc/resolv.conf.dnsmasq for upstream dns servers.

However the firewall cannot ping the client by name, despite a record for that host in the dnsmasq.leases file.

Again, this is a new issue, and this used to work when the server was originally set up. I can prove that the leases database file is being written to by the dnsmasq service as there are recent (read: from today) timestamps on the file itself.

I'd appreciate any pointers as I'm running out of things to check and haven't found an obvious problem yet.

Below is the startup log entry from a dnsmasq server restart. Not sure if it helps, but I didn't want to ask without trying to prove that I tried to fix it myself.

May 12 09:21:16 icm dnsmasq[17586]: started, version 2.86 cachesize 150
May 12 09:21:16 icm dnsmasq[17586]: compile time options: IPv6 GNU-getopt no-DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
May 12 09:21:16 icm dnsmasq-dhcp[17586]: DHCP, IP range 192.168.19.75 -- 192.168.19.125, lease time 12h
May 12 09:21:16 icm dnsmasq-tftp[17586]: TFTP root is /usr/local/tftp secure mode
May 12 09:21:16 icm dnsmasq[17586]: using only locally-known addresses for hallhome.private
May 12 09:21:16 icm dnsmasq[17586]: reading /etc/resolv.conf.dhcp
May 12 09:21:16 icm dnsmasq[17586]: using nameserver 71.10.216.1#53
May 12 09:21:16 icm dnsmasq[17586]: using nameserver 71.10.216.2#53
May 12 09:21:16 icm dnsmasq[17586]: using only locally-known addresses for hallhome.private
May 12 09:21:16 icm dnsmasq[17586]: read /etc/hosts - 8 addresses

Thanks for any assistance/pointers you can provide.

Rance
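dnsmasq answers for a DHCP client's name only while the lease is unexpired and the client actually supplied a hostname, so the lease file is the first thing to read when a name stops resolving. The following is an added example (not dnsmasq code, not from the post) that parses the lease file in the format dnsmasq writes and reports which names it can answer for; SAMPLE_LEASES is constructed, with the 192.168.19.x range and hallhome.private borrowed from the post above:

```python
"""Read dnsmasq's lease database the way the daemon would, to see which
DHCP client names it can answer for.

Added example, not dnsmasq code.  It reads the format dnsmasq writes to its
lease file (one lease per line: expiry MAC IP hostname client-id, with a
leading "duid" line once DHCPv6 is in use; "*" stands for a missing
hostname or client-id and an expiry of 0 for an infinite lease).
SAMPLE_LEASES is constructed; the 192.168.19.x range and hallhome.private
come from the post above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LEASES = """\
duid 00:01:00:01:2a:bb:cc:dd:00:11:22:33:44:55
1683900000 00:11:22:33:44:55 192.168.19.80 desktop 01:00:11:22:33:44:55
1683800000 66:77:88:99:aa:bb 192.168.19.81 printer *
1683900000 cc:dd:ee:ff:00:11 192.168.19.82 * *
0 22:33:44:55:66:77 192.168.19.90 nas *
"""


@dataclass
class Lease:
    expires: int              # Unix time; 0 means the lease never expires
    mac: str
    ip: str
    hostname: Optional[str]   # None when the client sent no name ("*" in the file)
    client_id: Optional[str]

    def active(self, now: int) -> bool:
        return self.expires == 0 or self.expires > now


def parse_leases(text: str) -> List[Lease]:
    """Parse lease-file text; skips the DHCPv6 duid header and short lines."""
    leases: List[Lease] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "duid":
            continue
        expires, mac, ip, name = fields[:4]
        cid = fields[4] if len(fields) > 4 else "*"
        leases.append(Lease(int(expires), mac, ip,
                            None if name == "*" else name,
                            None if cid == "*" else cid))
    return leases


def resolvable_names(leases: List[Lease], now: int, domain: str = "") -> Dict[str, str]:
    """Names answerable from the lease table alone: unexpired leases whose
    client supplied a hostname.  With domain= configured dnsmasq also
    answers the qualified form, so both spellings are returned."""
    out: Dict[str, str] = {}
    for lease in leases:
        if lease.hostname and lease.active(now):
            out[lease.hostname] = lease.ip
            if domain:
                out[f"{lease.hostname}.{domain}"] = lease.ip
    return out


def explain(leases: List[Lease], name: str, now: int) -> str:
    """Why a client name does or does not resolve, in the order worth checking."""
    for lease in leases:
        if lease.hostname == name:
            return "lease ok" if lease.active(now) else "lease expired"
    anonymous = [l.ip for l in leases if l.hostname is None and l.active(now)]
    if anonymous:
        return (f"no lease carries that name; {len(anonymous)} active lease(s) "
                f"have no hostname at all ({', '.join(anonymous)})")
    return "no lease for that name"


if __name__ == "__main__":
    now = 1683850000                                # constructed "current time"
    leases = parse_leases(SAMPLE_LEASES)
    for name, ip in resolvable_names(leases, now, "hallhome.private").items():
        print(f"{name:32} {ip}")
    for probe in ("desktop", "printer", "laptop"):
        print(f"{probe}: {explain(leases, probe, now)}")
```

Run against the real file (the path given by dhcp-leasefile=, or the default the package chose), the hostname column of the desktop's lease is the thing to look at: a "*" there means the client never sent a name and there is nothing for dnsmasq to answer, which a fresh lease after an OS upgrade can easily produce. One guard also worth knowing about: dnsmasq refuses to attach a client-supplied name that already exists in /etc/hosts with a different address, and logs "not giving name ... because the name exists in ... with address ...", so a client cannot take over a static host's name by claiming it in DHCP.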
Re: [Dnsmasq-discuss] new config file in /etc/dnsmasq.d
I don't remember a mechanism in dnsmasq to achieve this, although support for it (if it isn't too much work) would be something I'd happily help with.

That being said, I think what you want is "inotify" on Linux, or "filewatcher" on Windows. These services will watch files for changes and automatically trigger actions like "reload dnsmasq".

Warning: On Linux, inotify is an API so you still need a client to help you configure it. Something like the inotify-tools package on Arch. (I think on Debian based systems too.)

Hope this helps

> On Mar 9, 2022, at 1:43 PM, Frank Liu wrote:
>
> Hi,
>
> If I add a new file in /etc/dnsmasq.d that has a few srv-host entries,
> what's the best way to signal dnsmasq, other than restart it, so that
> those records can be resolvable?
>
> Thanks!
> Frank
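Two facts frame what a watcher should do here. SIGHUP makes dnsmasq re-read /etc/hosts, /etc/ethers and the files named by --addn-hosts, --hostsdir, --dhcp-hostsfile and friends, but not its configuration, so a conf-dir fragment carrying srv-host= lines only takes effect on a restart; and because a syntax error in any fragment stops dnsmasq from starting at all, the restart should be gated on "dnsmasq --test". The following is an added example (not dnsmasq code and not from the reply above) of that validate-then-restart step around a simple polling watcher; CONFDIR, the restart command and the polling approach are assumptions, and the commands are parameters so the logic runs without dnsmasq installed:

```python
"""Pick up a new fragment in /etc/dnsmasq.d without leaving dnsmasq down.

Added example, not part of dnsmasq or of the reply above.  SIGHUP makes
dnsmasq re-read /etc/hosts and the files named by --addn-hosts,
--dhcp-hostsfile and friends, but not its configuration, so a file carrying
srv-host= lines needs a restart; "dnsmasq --test" syntax-checks the
configuration first.  Assumptions: CONFDIR, the restart command, and that
polling is acceptable where inotify-tools is not installed.
"""
import os
import subprocess
from typing import Callable, Dict, List, Sequence, Tuple

CONFDIR = "/etc/dnsmasq.d"                                      # assumption
DNSMASQ_TEST = ["dnsmasq", "--test", f"--conf-dir={CONFDIR}"]   # real dnsmasq options
RESTART = ["service", "dnsmasq", "restart"]                     # assumption: your init system's command

Snapshot = Dict[str, Tuple[float, int]]   # path -> (mtime, size)


def snapshot(confdir: str) -> Snapshot:
    """Record every file dnsmasq's conf-dir would read.

    Mirrors conf-dir's own skip rule: names starting with '.', ending in '~'
    or wrapped in '#' are ignored (editor backups and lock files).
    """
    snap: Snapshot = {}
    for name in sorted(os.listdir(confdir)):
        if name.startswith(".") or name.endswith("~") or (name.startswith("#") and name.endswith("#")):
            continue
        path = os.path.join(confdir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            snap[path] = (st.st_mtime, st.st_size)
    return snap


def changed_files(before: Snapshot, after: Snapshot) -> List[str]:
    """Paths added, removed or modified between two snapshots."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


def run(cmd: Sequence[str]) -> int:
    """Run a command quietly and return its exit status."""
    return subprocess.run(list(cmd), stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def reload_if_changed(confdir: str, before: Snapshot,
                      test_cmd: Sequence[str] = DNSMASQ_TEST,
                      restart_cmd: Sequence[str] = RESTART,
                      runner: Callable[[Sequence[str]], int] = run) -> Tuple[str, Snapshot]:
    """One polling step.  Returns (outcome, snapshot to compare against next time).

    A syntax error in any fragment makes dnsmasq refuse to start, so the
    running instance is restarted only after --test passes.  On a failed
    test the old snapshot is kept, so the bad fragment is re-tested (and
    re-reported) until someone fixes it, while the old daemon keeps serving.
    """
    after = snapshot(confdir)
    if not changed_files(before, after):
        return "unchanged", after
    if runner(test_cmd) != 0:
        return "rejected", before
    if runner(restart_cmd) != 0:
        return "restart-failed", after
    return "restarted", after


if __name__ == "__main__":
    import time
    state = snapshot(CONFDIR)
    while True:       # crude watcher; "inotifywait -e create,modify,delete" is the event-driven alternative
        outcome, state = reload_if_changed(CONFDIR, state)
        if outcome != "unchanged":
            print(f"{CONFDIR}: {outcome}")
        time.sleep(5)
```

With inotify-tools installed the polling loop can be replaced by an inotifywait invocation that calls the same validate-then-restart step; the point that survives either way is that nothing restarts dnsmasq on a fragment that --test rejects.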
Re: [Dnsmasq-discuss] Feature request = block-conf
Ercolino:

I can't speak for Simon and the rest of the Dnsmasq team (mostly because I'm not on it) but I appreciate your discussion and explanation of your need. I would have responded sooner, but I've had a medical emergency with my wife and was off the net for a few days being with family in the hospital.

Now your comparison to the state of TFTP in my judgement isn't of the same caliber. If the TFTP root is not present then the only issue is that a handful of netbooting clients won't work at all, and you'll get immediate feedback (on an impacted system) that you broke something, AND anything that booted on its own will be fine.

If the supplemental config script were to not be present and skipped, you wouldn't get the immediate feedback that something wasn't working, AND you couldn't guarantee a safe state for the server instance.

It seems to me that you have a legitimate issue, but there are other ways to implement what you need to happen that don't require changing Dnsmasq at all.

1) Manipulating the boot order such that Dnsmasq starts AFTER the USB subsystem is loaded and the supplemental file system is mounted.

2) The file system on the embedded device shouldn't be read-only and you should be able to copy the supplemental config script from the USB key to the root filesystem of the device, and then it would be available when the system booted and your mount sequencing issue would go away.

Rance

> On Mar 4, 2022, at 2:52 PM, Ercolino de Spiacico wrote:
>
>> How does dnsmasq behave if there is a configuration error in the config
>> file elsewhere? If the syntax is broken then it fails hard. Don't see
>> why this wouldn't be true of a supplemental config script being referred
>> to in the main one.
>>
>> And as to --fail-safe: I don't see how this is reasonable, as it will
>> lead to undesirable operation and possibly even broken clients if the
>> mistake includes part of the dhcp configuration.
>>
>> It's annoying, but probably better for services not to start if they
>> can't interpret/understand their starting state.
>
> I appreciate the reason why this was originally designed to be the default behavior, however please allow me: this conf-script might be another beast.
>
> I'm on a router developing this, the dnsmasq config is read at boot from the content of a nvram variable. By the time dnsmasq starts I must already have this conf-script target created, the USB mounting comes way after everything else and the script booting process is screwed; NTP doesn't sync, clients don't get an IP... you name it. Also if the device has no USB this needs to be referenced and created in /tmp (RAM) at boot, this is via the init script that again is coming in a bit too late in the SoE. Until this file is created dnsmasq fails.
>
> Moreover there's an additional risk here, part of the config content is coming from the Internet so outside the administrative domain. A typo by the list maintainer might cause havoc, most importantly, this is not necessary when the device is initially set up, it can come after months and affect a large number of devices at once.
>
> I really don't want to sound insistent but let me put it this way, long time ago I brought up this very topic in the context of TFTP. If the destination folder of TFTP didn't exist it used to fail dnsmasq (big time on a router). Then fortunately the tftp-no-fail directive was introduced.
>
> This conf-script is pretty much the same case but in a different context. If this extra info here above is still not enough I'll drop the ball, but I'm just making a final effort because I see value in it, that's all.
>
> Regards
Re: [Dnsmasq-discuss] Feature request = block-conf
You are most welcome.

Sent from my iPhone

> On Mar 4, 2022, at 12:19 PM, Simon Kelley wrote:
>
> Thanks Rance, you saved me from writing the same answer.
>
> Simon.
>
>> On 04/03/2022 17:00, Rance Hall via Dnsmasq-discuss wrote:
>> How does dnsmasq behave if there is a configuration error in the config file
>> elsewhere? If the syntax is broken then it fails hard. Don't see why this
>> wouldn't be true of a supplemental config script being referred to in the
>> main one.
>> And as to --fail-safe: I don't see how this is reasonable, as it will lead
>> to undesirable operation and possibly even broken clients if the mistake
>> includes part of the dhcp configuration.
>> It's annoying, but probably better for services not to start if they can't
>> interpret/understand their starting state.
>> Rance
>>
>>> On Mar 4, 2022, at 4:16 AM, Ercolino de Spiacico wrote:
>>>
>>> > I've just added it to 2.87test8
>>> > Please test and report back.
>>>
>>> I've finally managed to find a way to build from sources. One initial
>>> feedback:
>>>
>>> I cross-referenced the conf script e.g.
>>>
>>> conf-script=/tmp/adblock-expander.sh
>>>
>>> If the file doesn't exist or has a broken syntax it will make the whole
>>> dnsmasq process fail with a message like "/tmp/adblock-expander.sh
>>> returns a non 0 exit code something"
>>>
>>> This is perhaps a wider topic and goes a bit out of scope for this
>>> feature request, but perhaps we should:
>>>
>>> 1) remove this error control for conf-script and simply log+skip errors
>>> rather than crash land the whole dnsmasq.
>>>
>>> 2) perhaps introducing a new "--fail-safe" option for dnsmasq to extend
>>> point 1) to any broken directive in the configuration
>>>
>>> Thanks!
Re: [Dnsmasq-discuss] Feature request = block-conf
How does dnsmasq behave if there is a configuration error in the config file elsewhere? If the syntax is broken then it fails hard. Don't see why this wouldn't be true of a supplemental config script being referred to in the main one.

And as to --fail-safe: I don't see how this is reasonable, as it will lead to undesirable operation and possibly even broken clients if the mistake includes part of the dhcp configuration.

It's annoying, but probably better for services not to start if they can't interpret/understand their starting state.

Rance

> On Mar 4, 2022, at 4:16 AM, Ercolino de Spiacico wrote:
>
>> I've just added it to 2.87test8
>> Please test and report back.
>
> I've finally managed to find a way to build from sources. One initial feedback:
>
> I cross-referenced the conf script e.g.
>
> conf-script=/tmp/adblock-expander.sh
>
> If the file doesn't exist or has a broken syntax it will make the whole dnsmasq process fail with a message like "/tmp/adblock-expander.sh returns a non 0 exit code something"
>
> This is perhaps a wider topic and goes a bit out of scope for this feature request, but perhaps we should:
>
> 1) remove this error control for conf-script and simply log+skip errors rather than crash land the whole dnsmasq.
>
> 2) perhaps introducing a new "--fail-safe" option for dnsmasq to extend point 1) to any broken directive in the configuration
>
> Thanks!
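Both halves of this thread (the non-zero exit that takes dnsmasq down, and the blocklist pulled from outside the administrative domain in which "a typo by the list maintainer might cause havoc") can be handled on the script's side without a --fail-safe in dnsmasq: dnsmasq executes the program named by conf-script=, reads its stdout as configuration and treats a non-zero exit as fatal, so the script's contract is to exit 0 no matter what and to print only directives built from names that passed validation. The following is an added example of such a script (not dnsmasq code and not the adblock-expander.sh from the thread); the paths, the "local=/{}/" directive template and SAMPLE_LIST are assumptions and constructed data, not taken from the thread:

```python
"""A conf-script for dnsmasq 2.87+ that can never take the daemon down.

Added example: not dnsmasq code and not the adblock-expander.sh from the
thread.  dnsmasq executes the program named by conf-script=, reads its
stdout as configuration and treats a non-zero exit as a fatal error, so the
contract here is: exit 0 no matter what, and print only directives built
from names that passed validation.  The paths, the directive template and
SAMPLE_LIST are assumptions/constructed data, not taken from the thread.
"""
import re
import sys
from typing import Iterable, List, Tuple

FRESH_LIST = "/mnt/usb/adblock/hosts.txt"   # assumption: fetched by cron; absent until the USB key mounts
LAST_GOOD = "/tmp/adblock.last-good"         # assumption: RAM-backed copy of the last validated set
TEMPLATE = "local=/{}/"                      # assumption; "address=/{}/0.0.0.0" is the other common choice

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# 1..63 chars each, no leading/trailing hyphen, at most 253 overall.
# Anything else ('/', '#', spaces, underscores) is refused, so a list entry
# can never be spliced into the generated directive (e.g. "x/#" would
# otherwise become local=/x/#/ and swallow every domain).
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")
NULL_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # hosts-file style "0.0.0.0 name" lines

SAMPLE_LIST = [  # constructed input for --demo and for testing
    "# ad list\n", "ads.example.com\n", "0.0.0.0 tracker.example.net\n",
    "Ads.Example.com\n", "bad_host.example.com\n", "evil/#ignored\n",
    "127.0.0.1 localhost\n", "10.0.0.1 notallowed.example.com\n",
]


def validate(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted names, rejected raw lines); lowercases and de-duplicates."""
    good: List[str] = []
    bad: List[str] = []
    seen = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name = ""
        if len(fields) == 1 or (len(fields) == 2 and fields[0] in NULL_ADDRS):
            name = fields[-1].lower()
        if len(name) > 253 or not HOSTNAME.match(name):
            bad.append(raw.rstrip("\n"))
        elif name not in seen:
            seen.add(name)
            good.append(name)
    return good, bad


def render(names: Iterable[str], template: str = TEMPLATE) -> str:
    """Validated names -> dnsmasq configuration text, one directive per line."""
    return "".join(template.format(n) + "\n" for n in names)


def read_lines(path: str) -> List[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.readlines()
    except OSError:          # missing USB key, unreadable file: treated as "no list"
        return []


def build_config(fresh_path: str = FRESH_LIST, cache_path: str = LAST_GOOD,
                 template: str = TEMPLATE) -> Tuple[str, str]:
    """Return (config text, source), source being "fresh", "cache" or "empty"."""
    good, bad = validate(read_lines(fresh_path))
    for line in bad:
        print(f"conf-script: rejected list entry {line!r}", file=sys.stderr)
    if good:
        try:
            with open(cache_path, "w", encoding="utf-8") as fh:
                fh.write("\n".join(good) + "\n")
        except OSError as err:
            print(f"conf-script: cannot update {cache_path}: {err}", file=sys.stderr)
        return render(good, template), "fresh"
    cached, _ = validate(read_lines(cache_path))   # the cache is a file too: re-validate it
    if cached:
        return render(cached, template), "cache"
    return "", "empty"       # an empty configuration is valid; dnsmasq still starts


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        text, source = render(validate(SAMPLE_LIST)[0]), "demo"
    else:
        text, source = build_config()
    print(f"conf-script: emitting {text.count(chr(10))} directive(s) from {source}", file=sys.stderr)
    sys.stdout.write(text)
    sys.exit(0)              # never non-zero, whatever happened above
```

The design choice is that a missing or corrupted list degrades to the last validated set, and a missing cache degrades to no blocking at all, while dnsmasq starts and serves DHCP and DNS in every case; that is what the tftp-no-fail comparison in the thread is after, but decided by the script rather than by the daemon, so a partly-read DHCP configuration can never be the outcome. The strict hostname check is what makes it safe to interpolate externally sourced data into a directive at all: a wildcard, a path or a "#" in a list line is rejected and logged instead of becoming a directive that hijacks every query.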