General DHCPv6 to DNS updates



  • Hi,

    I assume you would need stateful addressing, thus DHCPv6, in order to get the mappings upstream to some DNS server.
    Furthermore, I assume it isn't true that the IPv6 address needs to be made static. That's because your host will stay reachable through exactly those DNS updates anyway.
    In v4 this has been working out of the box just fine, but only when the DNS service is on the exact same host, right? -> dnsmasq on OpenWrt or unbound in pfSense.

    What about practical experience?
    To me, FreeIPA might look like a good choice of partner for pfSense regarding this topic.
    What if I wanted my pfSense firewall to act as such a stateful DHCPv6 server connected to e.g. FreeIPA (DNS)?

    Thank you for reading



  • No, you don't need DHCPv6.  I use SLAAC on my network and use the MAC based address for the DNS.



  • How do I set this up on the pfSense side?
    Thank you.

    Little bit awkward to answer my own question.

    Here's a short howto for FreeIPA and pfSense:

    1. For the specific zone in the FreeIPA settings, make sure "Dynamic update" is set to: true
    2. Generate a key; I'm using srvxxx.my.domain:

       ```
       dnssec-keygen -a HMAC-MD5 -b 512 -n HOST srvxxx.my.domain
       ```

       Open the generated *.private file and copy the key from the line that starts with Key:
    3. On all FreeIPA hosts in replication, edit /etc/named.conf by adding:

       ```
       include "/etc/named.srvxxx.key";
       ```

    4. On all FreeIPA hosts, write the file /etc/named.srvxxx.key:

       ```
       key "srvxxx.my.domain" {
              algorithm hmac-md5;
              secret "your_key_from_2)";
       };
       ```

    5. Restart IPA via:

       ```
       ipactl restart
       ```
    
    You can add this for the DHCP server and, if you like, also for the DHCPv6 server.
    
    Unfortunately the updates are being refused. I think the grant statement is not just right. I'll update this post if I get it resolved.
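
A consistency check for the pieces the howto above wires together, as an added example that is not part of the original post or of pfSense/FreeIPA. It assumes the update client's key name and algorithm must match the BIND key clause and that the zone's update-policy must contain a `grant` rule whose identity is that key name; the sample secret and policy string are constructed, and `check`/`parse_key` are hypothetical helper names.

```python
import base64
import binascii
import re

# Constructed sample data (not from the thread): the key file from step 4 with a
# made-up secret, and a hypothetical update-policy for the zone.
SAMPLE_SECRET = base64.b64encode(b"constructed-not-a-real-key").decode()
SAMPLE_KEY_FILE = f'''key "srvxxx.my.domain" {{
       algorithm hmac-md5;
       secret "{SAMPLE_SECRET}";
}};
'''
SAMPLE_POLICY = "grant srvxxx.my.domain subdomain my.domain ANY;"

# Assumes "algorithm" precedes "secret", as in the post's key file.
KEY_RE = re.compile(r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')
GRANT_RE = re.compile(r'\bgrant\s+(\S+)\s+(\S+)')


def norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.rstrip(".").lower()


def parse_key(text):
    """Return (name, algorithm, secret) from a BIND key clause, or None."""
    m = KEY_RE.search(text)
    return m.groups() if m else None


def check(key_text, policy, client_key_name, client_algorithm):
    """List mismatches that can make a TSIG-signed dynamic update fail."""
    key = parse_key(key_text)
    if key is None:
        return ["no parsable key clause"]
    name, algorithm, secret = key
    problems = []
    try:
        if not base64.b64decode(secret, validate=True):
            problems.append("secret is empty")
    except (binascii.Error, ValueError):
        problems.append("secret is not valid base64")
    if norm(client_key_name) != norm(name):
        problems.append("client key name differs from server key name")
    if client_algorithm.lower() != algorithm.lower():
        problems.append("client algorithm differs from server algorithm")
    if norm(name) not in {norm(i) for i, _ in GRANT_RE.findall(policy)}:
        problems.append("no grant rule names this key as identity")
    return problems
```

Run `check()` with the contents of `/etc/named.srvxxx.key`, the zone's update-policy string, and the key name and algorithm entered on the DHCP server side; an empty list means the three places agree.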
