I ran into a slightly different deSEC/OPNsense case that may help others.
My goal was not dual-stack, but intentionally A-only for a WireGuard endpoint. With the native OPNsense backend and `desec-v4`, `allowipv6=0` was already set, but AAAA could still reappear over time.
I checked the local OPNsense code path and found that `desec-v4` maps to `update.dedyn.io` and uses a generic `myip` style update, not explicit `myipv4` / `myipv6`. For deSEC, that is relevant because A and AAAA handling is special.
What worked reliably for me was switching the account to `custom` and using this URL:
`https://update.dedyn.io/?hostname=__HOSTNAME__&myipv4=__MYIP__&myipv6=`
Username: the full hostname
Password: deSEC token
Result:
A is updated correctly, and AAAA stays absent.
So this is not the right solution for dual-stack. But for intentional A-only hosts, especially WireGuard endpoints where broken IPv6 endpoint selection is a problem, this seems to be the correct workaround.
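A way to notice when AAAA reappears on a host that is meant to be A-only, as an added example that is not part of the original post or of OPNsense or deSEC code. The function names, the injectable `resolver` parameter and the sample hostname are assumptions made for illustration.

```python
import socket
import sys


def resolve_family(hostname, family, resolver=socket.getaddrinfo):
    """Return the sorted unique addresses of one family, [] if there are none."""
    try:
        infos = resolver(hostname, None, family, socket.SOCK_DGRAM)
    except socket.gaierror:
        # getaddrinfo reports "no record of this family" as an error. A resolver
        # outage looks the same, but then the A lookup fails too and the check
        # below still reports a problem.
        return []
    # Each entry is (family, type, proto, canonname, sockaddr); sockaddr[0] is the IP.
    return sorted({info[4][0] for info in infos})


def check_a_only(hostname, expected_ipv4=None, resolver=socket.getaddrinfo):
    """Check that hostname has an A record and no AAAA record.

    Answers come from the local resolver, so a cached AAAA can linger until
    its TTL expires.
    """
    ipv4 = resolve_family(hostname, socket.AF_INET, resolver)
    ipv6 = resolve_family(hostname, socket.AF_INET6, resolver)
    problems = []
    if not ipv4:
        problems.append("no A record")
    elif expected_ipv4 and expected_ipv4 not in ipv4:
        problems.append(f"A is {', '.join(ipv4)}, expected {expected_ipv4}")
    if ipv6:
        problems.append(f"AAAA present: {', '.join(ipv6)}")
    return {"ipv4": ipv4, "ipv6": ipv6, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Usage: python check_a_only.py <hostname> [expected-ipv4]
    if len(sys.argv) < 2:
        sys.exit("usage: check_a_only.py <hostname> [expected-ipv4]")
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    result = check_a_only(sys.argv[1], expected)
    for problem in result["problems"]:
        print(f"{sys.argv[1]}: {problem}")
    # A non-zero exit status lets cron or a monitoring check raise the alert.
    sys.exit(0 if result["ok"] else 1)
```
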