os-ddclient / DynDNS (legacy) and deSEC.io problems

Started by BSAfH42, October 04, 2022, 01:58:37 PM

Hi,

I'm running an OPNsense 22.7_4 behind a Telekom FRITZ!Box, which is configured as exposed host.

The OPNsense firewall gets both dynamic IPv4 addresses and dynamic IPv6 subnets.

My deSEC domain should point both A and AAAA records to these addresses.

Currently there are two DDNS updaters in OPNsense 22.7_4

a) Dynamic DNS (legacy) (whatever that is)
b) Dynamic DNS (ddclient)

I was using the legacy one in 22.1 (which will disappear in one of the next minor releases!) without trouble, but since the update from 22.1 to 22.7, the updater results in the AAAA record being set and the A record being deleted.

According to deSEC, their updater expects both v4 and v6 addresses in one call in the same query URL. When making single calls, the latest received record wins; if that's the v6 address then the v4 address will be deleted and you end up with an IPv6-only domain - and vice versa.

In the legacy updater, there are three settings deSec, deSEC(ipv6), deSec(ipv4 + ipv6).

Even if I select deSec(ipv4 + ipv6), the A record gets lost. In 22.1 it worked OK.

Trying to use os-ddclient just results in the same behavior: no IPv4 A record any more.


deSEC writes

Quote:
You can try to use update6.dedyn.io as update host. If your router includes the v4 address into the URL parameters, this will result in your domain receiving updates for A and AAAA records.

well, how do I force this with os-ddclient?

their forum is not really helpful: https://desec.readthedocs.io/en/latest/dyndns/configure.html#option-2-use-ddclient - there is an example for Debian ...


Quote:
Manual configuration (other systems)
After installing ddclient, you can start with a ddclient.conf configuration file similar to this one, with the three placeholders replaced by your domain name and your token secret:

protocol=dyndns2
# "use=cmd" and the curl command is one way of doing this; other ways exist
use=cmd, cmd='curl https://checkipv4.dedyn.io/'
ssl=yes
server=update.dedyn.io
login=[domain]
password='[token secret]'
[domain]

For more information, check out the ddclient documentation.

Note 1
Exclusively on Debian and derivatives, since ddclient 3.8.2-3 you can enable IPv6 by replacing use with usev6, checkipv4.dedyn.io with checkipv6.dedyn.io, and update.dedyn.io with update6.dedyn.io. There are some notes here.

Note 2
According to Determine IP Addresses, the IP used for connecting to the update server is also considered when trying to find an IPv6 address to assign to your domain. So, if you connect via IPv6, this address will be set on your domain, even if you did not provide it explicitly.

If you would like to avoid setting an IPv6 address automatically, and instead configure an address statically (or remove the address), you can add the myipv6 parameter on the domain section, like this: mydomain.dedyn.io&myipv6= (delete) or mydomain.dedyn.io&myipv6=::1 (static value)

To test your setup, run sudo ddclient -force and see if everything works as expected.

well, that does not work through the GUI, but I can't figure out what to put into /usr/local/etc/ddclient.conf either...

any idea how to solve this?
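
Added example, not part of the original post and not OPNsense or deSEC code: a shell sketch of the single-call update described above, which puts both addresses into one query URL and refuses an empty value because an empty myipv6= deletes the record. The hostname= and myipv4= parameter names are assumptions (only myipv6= appears in the post); example.dedyn.io, the sample IPs and the DESEC_TOKEN / DESEC_DOMAIN variables are constructed.

```shell
#!/bin/sh
# Added example: build ONE deSEC update request carrying both addresses,
# so neither record is dropped by a later single-family call.
# Assumption: hostname= and myipv4= are accepted query parameters.

UPDATE_HOST="update.dedyn.io"

# Print the update URL, or return 1 if either address is missing or malformed.
# Empty values are rejected because an empty "myipv6=" means "delete".
build_update_url() {
    domain=$1 v4=$2 v6=$3
    case $domain in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $v4 in
        ''|*[!0-9.]*) return 1 ;;      # empty or non-numeric
        *.*.*.*.*) return 1 ;;         # too many octets
        *.*.*.*) ;;                    # four dotted fields: accept
        *) return 1 ;;
    esac
    case $v6 in
        ''|*[!0-9A-Fa-f:]*) return 1 ;; # empty or not hex/colon
        *:*) ;;                         # has at least one colon: accept
        *) return 1 ;;
    esac
    printf 'https://%s/?hostname=%s&myipv4=%s&myipv6=%s\n' \
        "$UPDATE_HOST" "$domain" "$v4" "$v6"
}

# Send the update. The token goes to curl on stdin (--config -) so it does
# not appear in the process list; login is the domain, as in ddclient.conf.
send_update() {
    url=$(build_update_url "$1" "$2" "$3") || {
        echo "refusing update: missing or malformed address" >&2
        return 1
    }
    printf 'user = "%s:%s"\n' "$1" "$DESEC_TOKEN" | curl -sS --config - "$url"
}

# Only touches the network when a token is supplied; otherwise prints the URL.
if [ -n "${DESEC_TOKEN:-}" ]; then
    send_update "$DESEC_DOMAIN" \
        "$(curl -s https://checkipv4.dedyn.io/)" \
        "$(curl -s https://checkipv6.dedyn.io/)"
else
    build_update_url example.dedyn.io 192.0.2.10 2001:db8::10
fi
```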