IPv6 LAN Client DNS Address not Updating when IPv6 Subnet Changes from ISP
-
I would expect that an address change on the LAN interface should prompt a "server-initiated configuration exchange" (see RFC 3315, section 19).
-
(The DNS info that's being advertised could change for any number of other reasons, so this would be an issue even if the prefix didn't change.)
-
I would expect that an address change on the LAN interface should prompt a "server-initiated configuration exchange" (see RFC 3315, section 19).
Wouldn't this be a deal breaker for that?
"… the use of a security mechanism is mandated in Reconfigure messages. The server MUST use DHCP authentication in the Reconfigure message."
(as in Authentication for DHCP Messages, RFC 3118)... that seems to entail key exchange and the associated complexities.
-
I don't believe DHCP6 is part of this except for the WAN interface. All my hosts are being configured from RA messages with the RDNSS and DNSSL options. This appears to be how radvd is configured.
I believe the issue is either radvd not sending unsolicited messages on IP6 changes or my host ignoring them because the expiry time on all the info has not expired.
RFC 2641 makes it sound like the router should send an unsolicited RA from the old interface address with an expiry time of 0 and send a new RA for the correct new prefix and dns config. Otherwise IP6 will just break for hosts any time the prefix changes until everything expires or the host interfaces re-initialize and solicit the router. Since the WAN interface is dynamic it should be allowed to change and properly handled on all tracking interfaces.
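As an added illustration of the RA mechanics discussed in this post (this is editor-added example code, not anything from the thread, pfSense or radvd), the block below builds and parses a Router Advertisement carrying a Prefix Information option (RFC 4861, type 3) and an RDNSS option (RFC 8106, type 25) and then applies the host-side lifetime rules. The addresses and lifetimes are constructed values. The point it demonstrates: an RA with lifetime 0 drops the RDNSS server immediately and deprecates the old address immediately (preferred lifetime 0), but an unauthenticated RA cannot cut an existing address's remaining valid lifetime below two hours (RFC 4862, 5.5.3(e)), so the old address lingers as valid-but-deprecated for two hours rather than vanishing at once.

```python
"""Added example (not from the thread, pfSense or radvd): build/parse a Router Advertisement
with a Prefix Information option (RFC 4861 type 3) and an RDNSS option (RFC 8106 type 25),
then apply host-side lifetime rules. Addresses and lifetimes are constructed; nothing is sent."""
import ipaddress
import struct

ND_ROUTER_ADVERT, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25
TWO_HOURS, INFINITE = 2 * 60 * 60, 0xFFFFFFFF

def build_ra(prefix, valid, preferred, dns_servers, dns_lifetime, other_config=True):
    """ICMPv6 RA body: header, one PIO with L+A flags, one RDNSS option (checksum left 0)."""
    flags = 0x40 if other_config else 0  # O flag: fetch "other" config (DNS) via DHCPv6
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0,
                      valid, preferred, 0) + prefix.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0,
                        dns_lifetime) + b"".join(a.packed for a in dns_servers)
    return hdr + pio + rdnss

def parse_ra(data):
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra, off = {"other": bool(data[5] & 0x40), "prefixes": [], "rdnss": []}, 16
    while off < len(data):
        if len(data) - off < 2 or data[off + 1] == 0:
            raise ValueError("bad ND option header")
        t, ln = data[off], data[off + 1]
        body = data[off:off + ln * 8]
        if len(body) != ln * 8:
            raise ValueError("truncated ND option")
        if t == OPT_PREFIX_INFO and ln == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({"prefix": ipaddress.IPv6Network((body[16:32], plen), strict=False),
                                   "valid": valid, "preferred": preferred, "autonomous": bool(pflags & 0x40)})
        elif t == OPT_RDNSS and ln >= 3 and ln % 2 == 1:
            ra["rdnss"].append({"lifetime": struct.unpack("!I", body[4:8])[0],
                                "servers": [ipaddress.IPv6Address(body[i:i + 16]) for i in range(8, len(body), 16)]})
        off += ln * 8
    return ra

class Host:
    """Host-side state learned from RAs: autoconfigured prefixes and RDNSS servers."""
    def __init__(self):
        self.now, self.prefixes, self.dns = 0, {}, {}

    def _until(self, lifetime):
        return float("inf") if lifetime == INFINITE else self.now + lifetime

    def tick(self, seconds):
        self.now += seconds
        self.prefixes = {p: s for p, s in self.prefixes.items() if s["valid_until"] > self.now}
        self.dns = {d: t for d, t in self.dns.items() if t > self.now}

    def apply_ra(self, data, authenticated=False):
        ra = parse_ra(data)
        for p in ra["prefixes"]:
            if not p["autonomous"]:
                continue
            cur, valid = self.prefixes.get(p["prefix"]), p["valid"]
            if cur is None:
                if valid:  # a lifetime-0 PIO for a prefix we never had is simply ignored
                    self.prefixes[p["prefix"]] = {"valid_until": self._until(valid),
                                                  "preferred_until": self._until(p["preferred"])}
                continue
            # RFC 4862 5.5.3(e): an unauthenticated RA cannot cut the remaining valid lifetime
            # below two hours, so valid=0 does not remove an existing address immediately.
            remaining = cur["valid_until"] - self.now
            if authenticated or valid > TWO_HOURS or valid > remaining:
                cur["valid_until"] = self._until(valid)
            elif remaining > TWO_HOURS:
                cur["valid_until"] = self.now + TWO_HOURS
            cur["preferred_until"] = self._until(p["preferred"])  # preferred=0 deprecates at once
        for r in ra["rdnss"]:
            for s in r["servers"]:
                if r["lifetime"] == 0:
                    self.dns.pop(s, None)  # RFC 8106: lifetime 0 means stop using the server now
                else:
                    self.dns[s] = self._until(r["lifetime"])
        self.tick(0)

    def preferred_prefixes(self):
        return sorted(str(p) for p, s in self.prefixes.items() if s["preferred_until"] > self.now)

    def dns_servers(self):
        return sorted(str(d) for d in self.dns)

def scenario(deprecate_old):
    """ISP prefix changes at t=60s. Returns (preferred prefixes, DNS servers, old prefix valid_until)."""
    old, new = ipaddress.IPv6Network("2001:db8:aaaa:1::/64"), ipaddress.IPv6Network("2001:db8:bbbb:1::/64")
    old_dns, new_dns = [ipaddress.IPv6Address("2001:db8:aaaa:1::1")], [ipaddress.IPv6Address("2001:db8:bbbb:1::1")]
    host = Host()
    host.apply_ra(build_ra(old, 86400, 14400, old_dns, 1200))  # assumed radvd-like lifetimes
    host.tick(60)
    host.apply_ra(build_ra(new, 86400, 14400, new_dns, 1200))  # router now advertises only the new prefix
    if deprecate_old:
        host.apply_ra(build_ra(old, 0, 0, old_dns, 0))  # the "expiry time of 0" RA from the post
    host.tick(600)
    return host.preferred_prefixes(), host.dns_servers(), host.prefixes.get(old, {}).get("valid_until")
```

Calling `scenario(False)` shows the failure mode from the post: ten minutes after the prefix change the host still prefers both prefixes and still lists the old LAN address as a DNS server, and nothing changes until the 86400-second valid lifetime runs out. `scenario(True)` shows the deprecating RA doing its job for DNS and for address selection, while the old address survives as valid (but deprecated) until the two-hour floor expires.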
-
I don't believe DHCP6 is part of this except for the WAN interface.
Easy enough to see. Run an IPv6 packet capture on the LAN and boot up a machine. You will see the link-local address make the request, and pfSense will respond via DHCPv6 with the DNS info, which is the LAN IPv6 address.
It's a common LAN configuration to use DHCPv6 for the DNS and domain name, and SLAAC for the interface addressing.
Yes, my LAN IPv6 address is dynamic DHCP-PD, track WAN, etc, etc.
Here is a capture taken at host boot time. DHCPv6 is requested and the only reply is with the DNS server info, which is the LAN interface address. Host interface addressing is from the RA.
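To make the capture described in this post concrete, here is an editor-added example (not code from the thread, pfSense or ISC dhcpd) that encodes and decodes the stateless DHCPv6 exchange: the host's Information-request with an Option Request Option, and the server's Reply carrying only the requested DNS options, with no IA_NA because the address came from the RA. It also includes the Information Refresh Time option (RFC 4242, option 32), since that is what decides when a stateless client asks the server again; without it the default is 24 hours, which is the "client timeout" the later posts complain about. ISC dhcpd exposes it as `dhcp6.info-refresh-time` (option name from memory; check your dhcpd's `dhcp-options` man page). The DUIDs, addresses and domain name are constructed values.

```python
"""Added example (not from the thread, pfSense or ISC dhcpd): the stateless DHCPv6 exchange
(Information-request / Reply, RFC 3315) plus the Information Refresh Time option (RFC 4242).
DUIDs, addresses and the domain name are constructed values; nothing is sent on the wire."""
import ipaddress
import struct

INFORMATION_REQUEST, REPLY = 11, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED = 1, 2, 3, 6, 8
OPT_DNS_SERVERS, OPT_DOMAIN_LIST, OPT_INFO_REFRESH = 23, 24, 32
IRT_DEFAULT, IRT_MINIMUM = 86400, 600  # RFC 4242 section 3.1

def encode_domains(names):
    """RFC 1035 wire-format names, concatenated (RFC 3646 Domain Search List)."""
    out = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out

def decode_domains(data):
    names, labels, off = [], [], 0
    while off < len(data):
        n, off = data[off], off + 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(data[off:off + n].decode("ascii"))
            off += n
    return names

def build_message(msg_type, xid, options):
    body = b"".join(struct.pack("!HH", code, len(v)) + v for code, v in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body

def parse_message(data):
    msg_type, xid, opts, off = data[0], int.from_bytes(data[1:4], "big"), {}, 4
    while off + 4 <= len(data):
        code, ln = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + ln]
        if len(value) != ln:
            raise ValueError("truncated DHCPv6 option %d" % code)
        opts.setdefault(code, []).append(value)
        off += 4 + ln
    return msg_type, xid, opts

def client_information_request(client_duid, xid):
    """What a SLAAC host sends to ff02::1:2 when the RA has the O flag set."""
    return build_message(INFORMATION_REQUEST, xid, [
        (OPT_ELAPSED, struct.pack("!H", 0)),
        (OPT_CLIENTID, client_duid),
        (OPT_ORO, struct.pack("!HHH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST, OPT_INFO_REFRESH))])

def server_reply(request, server_duid, dns_servers, domains, refresh=None):
    """Stateless Reply: echo the client DUID, add our DUID, answer only what the ORO asked for."""
    msg_type, xid, opts = parse_message(request)
    if msg_type != INFORMATION_REQUEST or OPT_CLIENTID not in opts:
        raise ValueError("not a usable Information-request")
    oro = opts.get(OPT_ORO, [b""])[0]
    wanted = set(struct.unpack("!%dH" % (len(oro) // 2), oro))
    options = [(OPT_CLIENTID, opts[OPT_CLIENTID][0]), (OPT_SERVERID, server_duid)]
    if OPT_DNS_SERVERS in wanted:
        options.append((OPT_DNS_SERVERS, b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)))
    if OPT_DOMAIN_LIST in wanted:
        options.append((OPT_DOMAIN_LIST, encode_domains(domains)))
    if OPT_INFO_REFRESH in wanted and refresh is not None:
        options.append((OPT_INFO_REFRESH, struct.pack("!I", max(refresh, IRT_MINIMUM))))
    return build_message(REPLY, xid, options)

def client_apply_reply(request, reply):
    """Host side: RFC 3315 15.10 validation, then extract the DNS config and the refresh timer."""
    _, req_xid, req_opts = parse_message(request)
    msg_type, xid, opts = parse_message(reply)
    if (msg_type != REPLY or xid != req_xid or OPT_SERVERID not in opts
            or opts.get(OPT_CLIENTID, [None])[0] != req_opts[OPT_CLIENTID][0]):
        raise ValueError("Reply does not belong to our request; discard it")
    dns = opts.get(OPT_DNS_SERVERS, [b""])[0]
    return {
        "dns": [str(ipaddress.IPv6Address(dns[i:i + 16])) for i in range(0, len(dns), 16)],
        "domains": decode_domains(opts.get(OPT_DOMAIN_LIST, [b""])[0]),
        # RFC 4242: without option 32 a stateless client waits IRT_DEFAULT (24h) before re-asking,
        # so a DNS change on the router goes unnoticed until then.
        "refresh": struct.unpack("!I", opts[OPT_INFO_REFRESH][0])[0] if OPT_INFO_REFRESH in opts else IRT_DEFAULT,
        "has_ia_na": OPT_IA_NA in opts}

def exchange(refresh=None):
    """Whole exchange with constructed DUIDs; refresh=None makes the server omit option 32."""
    client_duid = bytes.fromhex("000100012a7f3c4e001122334455")  # constructed DUID-LLT
    server_duid = bytes.fromhex("000100012a7f0000aabbccddeeff")  # constructed DUID-LLT
    req = client_information_request(client_duid, 0xABC123)
    rep = server_reply(req, server_duid, ["2001:db8:bbbb:1::1"], ["lan.example"], refresh)
    return client_apply_reply(req, rep)
```

`exchange()` returns the DNS server, the search domain, `has_ia_na` False, and a refresh of 86400 because the server sent no option 32; `exchange(300)` returns 600 because the server clamps to IRT_MINIMUM. Lowering the refresh time is the one knob on the server side that shortens how long clients keep stale DNS data after a prefix change, short of Reconfigure.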
-
Thanks for the info. I had no idea DHCPv6 was involved on my internal network. I thought since the RA daemon was configured with DNS also it was just using that. Either way, is this still the desired behavior that there is no automatic client reconfiguration if the WAN changes? It seems very fragile this way.
-
I seriously doubt relying on client time-outs is actually the best practice for this.
-
I agree. But in the meantime, what would be a reasonable way to configure around this?
First of all, am I now correct in understanding that the pfSense components involved are dhcpd (for IPv6 DNS config) and radvd (to advertise the prefix)? I'd be surprised if those packages are not robust enough to already handle this in some way.
-
I think I figured out why I was getting a new prefix on every reboot. I had the RAM disk option enabled for /var and /tmp because I want to limit writes to my SSD. After disabling that and rebooting a few times, I can confirm I start getting the same prefix. Can anyone else verify this is what causes it?
I'm not sure what in /var might be lost to screw up my next dhcp6 request, but it's probably not in /var/dhcpd/var/db/, because I had the periodic backup of that folder enabled. Should this be logged as a bug?
I still think the auto address reconfiguration also needs to be addressed but keeping the same prefix on reboot will greatly limit the frustration.
-
Probably the DUID.
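Why the DUID explains the reboot behaviour, as an editor-added example (not pfSense or dhcp6c code): the ISP's DHCPv6-PD server keys its prefix binding on the client DUID, dhcp6c generates a DUID-LLT (RFC 3315, section 9.2) once and persists it in a file on disk, and a /var living on a RAM disk throws that file away at every reboot, so the next Solicit presents a brand-new identity and gets a brand-new prefix. The file name, directory and MAC address below are constructed; pfSense's real storage location is not taken from this thread, and the /var/dhcpd/var/db/ backup mentioned above covers the dhcpd lease chroot, not this file.

```python
"""Added example (not pfSense or dhcp6c code): DUID-LLT generation and persistence, and what
a wiped /var does to it across reboots. Path and MAC address are constructed values."""
import os
import struct
import time

DUID_LLT, HW_ETHERNET = 1, 1
EPOCH_2000 = 946684800  # DUID-LLT time is seconds since 2000-01-01 00:00 UTC, modulo 2**32

def make_duid_llt(mac, now=None):
    t = (int(time.time() if now is None else now) - EPOCH_2000) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, t) + bytes.fromhex(mac.replace(":", ""))

def parse_duid_llt(duid):
    if len(duid) != 14 or duid[:2] != b"\x00\x01":
        raise ValueError("not a DUID-LLT with a 6-byte link-layer address")
    _, hw, t = struct.unpack("!HHI", duid[:8])
    return {"hw_type": hw, "created": t + EPOCH_2000, "mac": ":".join("%02x" % b for b in duid[8:])}

def load_or_create_duid(path, mac, now=None):
    """dhcp6c-style behaviour: reuse the stored DUID; generate and persist one only if it is missing."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        duid = make_duid_llt(mac, now)
        with open(path, "wb") as f:
            f.write(duid)
        return duid

def simulate_reboots(state_dir, ram_disk, mac="00:11:22:33:44:55", boots=3, t0=1_700_000_000):
    """DUIDs presented across boots; ram_disk=True empties state_dir first, like a fresh RAM-disk /var."""
    seen = []
    for boot in range(boots):
        if ram_disk:
            for name in os.listdir(state_dir):
                os.remove(os.path.join(state_dir, name))
        # constructed file name; each boot is 600 s after the previous one
        seen.append(load_or_create_duid(os.path.join(state_dir, "dhcp6c_duid"), mac, now=t0 + 600 * boot))
    return seen
```

With a persistent directory `simulate_reboots` returns the same DUID three times; with `ram_disk=True` it returns three different DUIDs that differ only in the time field, which is exactly what the ISP's server sees as three different clients. The practical fix when you want /var on a RAM disk is to make sure the DUID file is part of whatever gets restored at boot, or to pin a fixed DUID in the firewall's configuration so it no longer depends on /var at all.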