Netgate Discussion Forum

    Kea DHCPv6 Static Mapping issues

    DHCP and DNS
    kea dhcpv6 static mapping dns register
    • I
      IonutIT
      last edited by

      Upgrading to 24.11 and I've decided to give Kea another try as most of the issues stopping me from using it seem to be fixed or implemented.

      After I've switched to Kea things seem to mostly work with the exception of DNS registering of DHCPv6 static mappings.

      It seems that Kea registers the host to Unbound two times, once properly with the dynamic prefix attached from the Track Interface option and another time with just the host part.

      Let me show you an example. Here are some static mappings from one of my management VLANs:

      Screenshot 2024-11-28 at 22.50.29.jpg

      It's the same as it was when using ISC.

      And here is what DNS Lookup shows for those hostnames:

      Screenshot 2024-11-28 at 22.53.32.jpg

      Screenshot 2024-11-28 at 22.55.45.jpg

      As you can see, there are duplicate AAAA records, with one of them being invalid. And these same results are being pushed to my clients when using nslookup or any other DNS query command.

      • Bob.DigB
        Bob.Dig LAYER 8 @IonutIT
        last edited by

        @IonutIT Disable "Early DNS Registration".

        • I
          IonutIT @Bob.Dig
          last edited by IonutIT

          @Bob-Dig I’ll try, but wouldn’t that completely disable DNS registration for static mappings? The wording of that feature seems to indicate that…

          Edit: Yeah, that seems to fix it. Thank you! Though you might want to reconsider the wording for what exactly "Early DNS registration" actually does.

          • GertjanG
            Gertjan @IonutIT
            last edited by Gertjan

            @IonutIT

            Hummm.
            And I'll bet you use IPv6 prefix LAN tracking, right ?
            Looks like 'someone' took the IPv6 address from the static mappings 'storage' from the config.xml file and sent it as is to unbound as a record.

            Or, look for yourself how a static IPv6 mapping is recorded, this already shows what's happening :

            8616aee3-3a6f-4192-a709-51c16a5eb53f-image.png

            so in the config file you'll find :

            0cc5f924-97b1-4aaf-9f5f-a6c7e1f7cc15-image.png

            and I'm betting the (my example) "<ipaddrv6>::cc</ipaddrv6>" is sourced directly and sent to unbound as is, without prepending the prefix - it is missing !
            And now we wind up with these strange IPv6 addresses.

            Presuming all this, I go one step further : "Early DNS registration" probably means : as soon as kea2unbound starts, it starts by parsing the main config, DHCP and DHCP6 static mappings, and feeds them into unbound.

            edit: I'm wrong.
            I've found "kea2unbound". It's not a binary, it's a shell script 👍 And it's not doing any "Early DNS registration". It's the pfSense (GUI).
            Still digging ....
            edit again : Found it. Issue identical to pfBlockerng.

            $ipaddr = trim($mapent['ipaddrv6']);
            

            where 'ipaddrv6' only contains the ::part of the IPv6 of the host, so no prefix.
            See it happening here : /usr/local/pfSense/include/www/services_dhcp.inc line 107.
            end edit:

            Normally, the "<ipaddrv>192.168.2.10</ipaddrv>" (IPv4) and "<ipaddrv6>::cc</ipaddrv6>" contain valid IP addresses, but when tracking is used - and the prefix can change - the "<ipaddrv6>::cc</ipaddrv6>" can't be used "as is".

            A couple of days ( ! ) ago I discovered this situation in pfBlockerng :
            f12dec8a-1f4c-43b1-8730-d37779727605-image.png

            or this IPv6 is a known, static IPv6 host, the name should be known to pfBlockerng.
            As the IPv4 counterpart :

            ed2ef9cd-b047-4cc4-8f29-f3b0105e2d43-image.png

            And here the reverse lookup worked out and the host name "gauche2" is shown.
            A reverse lookup for "::c7" was failing, pfBlockerng can't show the host name.

            What happened with pfBlockerng can be seen here.
            In case of IPv6 tracking, "<ipaddrv6>....</ipaddrv6>" doesn't contain the entire IPv6 address.

            I had this repaired a couple of days ago, and then (stupid me) I upgraded to 24.11, which wiped out my edits (even after 25+ years, I'm still doing these stupid things).
            I'll post in the pfBlockerng forum to signal and propose a solution.

            The thing is : the programmer who created kea2unbound probably doesn't use 'IPv6 prefix tracking' - or doesn't use IPv6 (not sure if they have IPv6 in Texas). So this went unnoticed.

            And sorry for the long rant. I hope you can make something out of it.
            Also : I didn't fire up KEA yet myself, still using ISC with 24.11 because "it works sooooo well ^^", but thanks to you I'll know what will happen.

            Btw : really :

            6d1e0193-41b4-4a67-ade4-67a2588754ce-image.png

            what about "small" IPv6 addresses like the ones I've showed ? 😊

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

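The failure mode discussed in this thread (a static mapping's host part such as `::cc` ending up in DNS without the tracked prefix), as an added example that is not code from pfSense, kea2unbound or any poster: it scans Unbound `local-data` lines for AAAA records whose network bits are all zero and computes the address each should have carried. The sample lines, the `home.arpa` names, the `nas` host and the `2001:db8:1234:ab00::/64` prefix are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: Unbound local-data lines showing the thread's symptom
# (one full AAAA and one suffix-only AAAA per host). The prefix comes from
# the 2001:db8::/32 documentation range, not from any real delegation.
SAMPLE = '''
local-data: "gauche2.home.arpa. AAAA 2001:db8:1234:ab00::c7"
local-data: "gauche2.home.arpa. AAAA ::c7"
local-data: "nas.home.arpa. AAAA 2001:db8:1234:ab00::cc"
local-data: "nas.home.arpa. AAAA ::cc"
local-data: "nas.home.arpa. A 192.168.2.10"
'''
AAAA_RE = re.compile(r'local-data:\s*"(\S+)\s+AAAA\s+(\S+)"')


def is_suffix_only(addr, prefixlen=64):
    """True when every bit of the network part is zero, e.g. ::cc."""
    return int(ipaddress.IPv6Address(addr)) >> (128 - prefixlen) == 0


def compose(prefix, suffix):
    """Join a delegated prefix with the host part stored in a static mapping."""
    net = ipaddress.IPv6Network(prefix)
    host = int(ipaddress.IPv6Address(suffix))
    if host & int(net.netmask):
        # The stored value already carries network bits; refuse to merge.
        raise ValueError(f"{suffix} has bits set inside /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | host))


def audit(conf_text, prefix):
    """Return (name, bogus AAAA, address it should have been) per bad record."""
    plen = ipaddress.IPv6Network(prefix).prefixlen
    return [(name, addr, compose(prefix, addr))
            for name, addr in AAAA_RE.findall(conf_text)
            if is_suffix_only(addr, plen)]


if __name__ == "__main__":
    for name, bad, good in audit(SAMPLE, "2001:db8:1234:ab00::/64"):
        print(f"{name}: {bad} lacks the prefix, expected {good}")
```
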
            • I
              IonutIT @Gertjan
              last edited by IonutIT

              @Gertjan said in Kea DHCPv6 Static Mapping issues:

              Presuming all this, I go one step further : "Early DNS registration" probably means : as soon as kea2unbound starts, it starts by parsing the main config, DHCP and DHCP6 static mappings, and feeds them into unbound.

              Yeah, that was the issue, unchecking Early DNS registration fixes things. The wrong AAAA entries are gone. Probably because it only registers the hosts after the full IPv6 address is made by appending the prefix from WAN PD.

              Btw : really :

              6d1e0193-41b4-4a67-ade4-67a2588754ce-image.png

              what about "small" IPv6 addresses like the ones I've showed ? 😊

              This is a hack I do for devices that use SLAAC only and don't have regular DHCPv6.

              I create a fake DHCPv6 Static Mapping with the exact host part of the IP that SLAAC assigns, which in turn registers the full IPv6 address into DNS, so then I can access it via IPv6 with DNS. Because adding them in DNS directly won't work with dynamic prefix delegation.

              Works great!

              • GertjanG
                Gertjan @IonutIT
                last edited by

                @IonutIT

                I re-edited my post above.
                kea2unbound is innocent 👍
                The issue is deep in the GUI, and identical to my initial pfBlockerng issue.

                I'll have a patch somewhere next week.

