Default AdvRDNSSLifetime and AdvDNSSLLifetime

Started by hugo, January 19, 2024, 05:42:09 PM

The default AdvRDNSSLifetime and AdvDNSSLLifetime at this point appear to be equal to the MaxRtrAdvInterval. That seems to risk loss of RDNSS and DNSSL if a single RA is lost.

RFC 8106 5.1 (https://datatracker.ietf.org/doc/html/rfc8106#section-5.1) indicates that the lifetime of DNS options should by default be 3x MaxRtrAdvInterval.

Is it intentional that this is currently equal to MaxRtrAdvInterval instead?

By default, OPNsense doesn't configure AdvRDNSSLifetime / AdvDNSSLLifetime values at all, so radvd uses its own defaults. This should be 2*MaxRtrAdvInterval according to the radvd man page. If it isn't, then raising an issue with radvd would be preferable to adding default overrides in OPNsense, imho.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Ah, gotcha. Thx, I see that now under `/var/etc/radvd.conf`, that AdvRDNSSLifetime and AdvDNSSLLifetime are left empty / unset, not autogenerated explicitly. Thx. I will check over with radvd.

k, it looks like this was fixed/updated in https://github.com/radvd-project/radvd/commit/17c43bff200bbc1d4786eb917860a79db4f95c2e, with a reference to https://github.com/radvd-project/radvd/issues/143

That's in master, but currently in the v2.20_rc1 tag. So, it's not present in the current 2.19 release. In the meantime, the online published docs appear to reflect the 3*MaxRtrAdvInterval, while 2.19 still does AdvRDNSSLifetime = MaxRtrAdvInterval.

We'll just have to wait for the proper 2.20 release of radvd, from the looks of it.
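An added check, not from this thread nor from radvd or OPNsense, that parses a radvd.conf-style file and flags RDNSS/DNSSL options whose lifetime (explicit, or implied when the option is left unset) falls below the RFC 8106 section 5.1 guidance of 3 * MaxRtrAdvInterval. The sample config, the interface name and the `implicit_factor` default are assumptions; the thread reports that the implied default is 1x in radvd 2.19 and 3x after the linked commit, so pass the factor that matches the installed release.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample in radvd.conf syntax; not a config from the thread.
SAMPLE_CONF = """\
interface vtnet0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 200;
    MaxRtrAdvInterval 600;
    prefix 2001:db8:1::/64 { AdvOnLink on; AdvAutonomous on; };
    RDNSS 2001:db8:1::1 { };
    DNSSL lan.example { AdvDNSSLLifetime 1800; };
};
"""

def _blocks(text: str, keyword: str) -> Iterator[Tuple[str, str]]:
    """Yield (argument, body) for each `keyword arg { body };`, matching nested braces."""
    for m in re.finditer(r'\b' + keyword + r'\s+([^{;]+?)\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def _seconds(body: str, key: str):
    """Return `key <value>;` in seconds (float; inf for 'infinity'), or None if unset."""
    m = re.search(r'\b' + key + r'\s+(\d+(?:\.\d+)?|infinity)\s*;', body)
    return None if not m else float('inf') if m.group(1) == 'infinity' else float(m.group(1))

def check_dns_lifetimes(conf: str, implicit_factor: float = 1.0) -> List[dict]:
    """Flag RDNSS/DNSSL lifetimes below 3*MaxRtrAdvInterval (RFC 8106 section 5.1).
    implicit_factor is an assumption about what radvd applies when the lifetime is
    unset; the thread reports 1x for radvd 2.19 and 3x after the linked commit."""
    findings = []
    for iface, ibody in _blocks(conf, 'interface'):
        max_ra = _seconds(ibody, 'MaxRtrAdvInterval') or 600.0  # radvd default is 600s
        for kw, key in (('RDNSS', 'AdvRDNSSLifetime'), ('DNSSL', 'AdvDNSSLLifetime')):
            for target, body in _blocks(ibody, kw):
                explicit = _seconds(body, key)
                lifetime = explicit if explicit is not None else implicit_factor * max_ra
                findings.append({'iface': iface, 'option': key, 'target': target,
                                 'explicit': explicit is not None, 'lifetime': lifetime,
                                 'recommended_min': 3 * max_ra, 'ok': lifetime >= 3 * max_ra})
    return findings

if __name__ == '__main__':
    for f in check_dns_lifetimes(SAMPLE_CONF):
        print(('ok  ' if f['ok'] else 'LOW ') + f"{f['iface']} {f['option']} ({f['target']}): "
              f"{f['lifetime']:g}s, want >= {f['recommended_min']:g}s")
```

Run it against `/var/etc/radvd.conf` to see which DNS options would expire after a single lost RA; an unset lifetime on a release that implies 1x MaxRtrAdvInterval is reported as LOW, while an explicit 3x value passes.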