DynDNS updates deprecated IPv6 addresses, resulting in service disruption
-
Just struggling to get pfSense to update the IPv6 address after a prefix change.
TL;DR
- BUG: DynDNS updater does not react to a prefix change on DHCPv6-Client or SLAAC interfaces on its own
- BUG: DynDNS continues to update IPv6 addresses marked as "deprecated", even if there are valid ones on an interface
Expected behavior: DynDNS must ignore deprecated inet6 addresses and trigger on new inet6 addresses.
This is a German setup: a pfSense behind an upstream ISP-provided router, which uses prefix delegation to provide prefixes downstream to my clients. German ISPs do not allow citizens to have static IPv4/v6 at all. Having some sort of DynDNS is therefore required to publish new prefixes, forced by the ISP every 24 hours. I am using rfc2136 as DynDNS update target. Works so far. Updates go through fine. But...
Every time a new prefix is handed out, the old one gets deprecated by my upstream radvd. Still working fine.
ifconfig then shows two inet6 addresses: the new one, and the old one tagged "deprecated". Still normal.
In general a deprecated address is not routed anymore by upstream, hence called "deprecated", and for this reason useless to push to the nameserver again. Unless the kernel finally drops the deprecated address completely, pfSense's DynDNS process keeps updating the invalidated address on force update, but not the valid one. I had to script some improvised cron-based triggers to compare cached and current addresses every minute to make DynDNS able to react to new addresses in the first place. Seems pfSense is not designed to be used with IPv6.
#!/bin/sh
# Current non-deprecated global (2000::/3) inet6 address on the WAN interface
WAN_V6=$(ifconfig vtnet0 inet6 | awk '/inet6 2.+ /{if ($0 !~ /deprecated/){printf "%s\n", $2}}')
# Address pfSense pushed last, taken from its rfc2136 v6 cache file ("address|timestamp")
CACHE_V6="$(cat /cf/conf/dyndns_wan_rfc2136_\'mydomain.tld\'_192.168.0.53_v6.cache 2>/dev/null | cut -d'|' -f1)"
if [ "$WAN_V6" != "$CACHE_V6" ]; then
    # Drop the stale cache files so the updater does not treat the address as unchanged
    rm /cf/conf/dyndns_*_v6.cache 2>/dev/null
    rm /cf/conf/dyndns_wan_*.cache 2>/dev/null
    /etc/rc.dyndns.update
fi
This is run every minute by cron, fetches the current NOT deprecated publicly routable inet6 address and compares it against the cached address. If they differ, it removes the cache files and triggers the DynDNS update process. No solution, but a dirty hack around new territory.
Usually a deprecated prefix resides for about two hours in the kernel's IP stack until finally cleaned up. So currently this script fights every minute against the malfunctioning pfSense DynDNS update script. This still results in downtime for two hours.
I would be perfectly fine with scripting my own triggers in separate files as long as I don't have to touch dist provided files to fix things.
So a first solution would be appreciated: fix the dist-provided DynDNS script to a point where it just ignores deprecated addresses. -
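As an added example, not code from the original post or from pfSense: a POSIX sh version of the address check that generalizes the cron one-liner above. It reads FreeBSD-style `ifconfig <if> inet6` output (a constructed sample is embedded), skips link-local, deprecated, tentative and temporary (privacy) addresses, and compares the result with a pfSense-style "address|timestamp" v6 cache file. Function and variable names are my own.

```shell
#!/bin/sh
# Added example, not pfSense code: pick the address DynDNS should publish from
# FreeBSD-style `ifconfig <if> inet6` output and compare it with the v6 cache.

# Constructed sample of `ifconfig vtnet0 inet6` right after a prefix change
# (RFC 3849 documentation prefixes; old prefix aaaa, new prefix bbbb).
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::5054:ff:fe12:3456%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:aaaa:1::1 prefixlen 64 autoconf deprecated
    inet6 2001:db8:aaaa:1:1c2d:3e4f:5a6b:7c8d prefixlen 64 autoconf temporary deprecated
    inet6 2001:db8:bbbb:1:1c2d:3e4f:5a6b:7c8d prefixlen 64 autoconf temporary
    inet6 2001:db8:bbbb:1::1 prefixlen 64 autoconf'

# pick_wan_v6: read ifconfig output on stdin, print the first publishable address.
pick_wan_v6() {
    awk '
        $1 == "inet6" {
            addr = $2
            # link-local / zone-scoped addresses are never reachable from outside
            if (addr ~ /^fe80:/ || addr ~ /%/) next
            # only global unicast (2000::/3) is routed by the ISP
            if (addr !~ /^[23]/) next
            # deprecated: upstream no longer routes it; tentative: DAD still running; temporary: rotates
            if ($0 ~ /deprecated|tentative|temporary/) next
            print addr
            exit
        }'
}

# cached_v6 FILE: address from a pfSense-style v6 cache file ("address|timestamp").
cached_v6() {
    [ -r "$1" ] && cut -d'|' -f1 "$1"
}

# v6_changed FILE ADDR: exit 0 when ADDR differs from the cached address
# (a missing cache file counts as changed, so the first run always updates).
v6_changed() {
    [ "$(cached_v6 "$1")" != "$2" ]
}

# Stand-alone demonstration with the constructed sample and a temporary cache file.
demo_cache=$(mktemp)
printf '%s|%s\n' "2001:db8:aaaa:1::1" "$(date +%s)" > "$demo_cache"
current=$(printf '%s\n' "$SAMPLE_IFCONFIG" | pick_wan_v6)
if v6_changed "$demo_cache" "$current"; then
    echo "address changed to $current: would clear cache and run /etc/rc.dyndns.update"
fi
rm -f "$demo_cache"
```

On a real box, replace the sample with `ifconfig vtnet0 inet6 | pick_wan_v6` and the temporary file with the rfc2136 v6 cache path from the post.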
@sprinterfreak said in DynDNS updates deprecated IPv6 addresses, resulting in service disruption:
Every time a new prefix is handed out, the old one gets deprecated by my upstream radvd. Still working fine.
Interesting. For me, if the prefix changes on the upstream router, pfSense is losing all IPv6 connectivity in the first place.
-
@bob-dig yes. I consider it normal after a forced disconnect, being offline for a couple of minutes until the new prefix has propagated downstream and every system has chosen its new address. This is a design issue in IPv6 as a whole, amplified by fraudulent ISPs. Downtime due to this is definitely longer than we remember from IPv4/NAT.
But that's not at all part of my topic. This topic is all about the DynDNS script not working for IPv6.