os-ddclient

[IsaacFL]

I'm spamming this advice as it was "hidden" on github:

How to enable ddclient cloudflare API token use:

username:   token           (!!)
password:   API Token

(taken from Github - just tried it on 23.1 and it works. Goodbye Global API Key!)

I just tried this, and could not get it to work.  What do you mean by Username: token? My cloudflare does not have a token other than the API token?  I have a Zone ID or a Account ID and neither seem to work as username.  Get failed with " Could not connect to api.cloudflare.com/client/v4."

[abulafia]

Username should be either empty or just use the word "token". That tells ddclient to use the API token bearer mechanics. You then put your (newly generated) API token into the password field.

Note: The API token is NOT the same as your Global API Key. See https://developers.cloudflare.com/fundamentals/api/get-started/create-token/. Your token needs both DNS Read and DNS Write permissions. Lots of tutorials on the interweb.

Do NOT use any kind of individual username (such as Zone ID, account ID, email, etc.) - if you do, only your Global API Key works.

Also note this is for OPNsense 23.1 -- not sure if it already works for 22.1 legacy series.

[simon45]

I could not get it to work (yet) with ClouDNS, despite being supported. The log file are not of much help and have the wrong severity

2023-04-23T17:26:01   Notice   ddclient[53534]   54357 - [meta sequenceId="2"] WARNING: skipping host: www.somehost.com: 'dynurl=' is an invalid string.

And I don't get why there is no simple update URL call anymore. The URL contains something like an API key, which is specific to that domain. So pretty limited attack surface. ClouDNS supports that part without the need to enter my administrative password anywhere in a client. Cybersecurity matters.

[simon45]

I had a look at the ddclient perl script part for ClouDNS. And as far as I can tell, the parameter used in ddclient (dynurl) is likely not available in OPNsense UI.

[mm23282236]

I could not get it to work (yet) with ClouDNS, despite being supported. The log file are not of much help and have the wrong severity

2023-04-23T17:26:01   Notice   ddclient[53534]   54357 - [meta sequenceId="2"] WARNING: skipping host: www.somehost.com: 'dynurl=' is an invalid string.

And I don't get why there is no simple update URL call anymore. The URL contains something like an API key, which is specific to that domain. So pretty limited attack surface. ClouDNS supports that part without the need to enter my administrative password anywhere in a client. Cybersecurity matters.

I had a look at the ddclient perl script part for ClouDNS. And as far as I can tell, the parameter used in ddclient (dynurl) is likely not available in OPNsense UI.

Any luck getting this working? I get the same error messages.

Also, I have a set of round robin hosts setup in CloudNS and use the URL/token to update only one of the hosts in the group. As it stands right now, I don't see a way to set this to pick the right hostname to update without an identifier.

Edit: I didn't realize you just posted this a little bit ago... I guess we are in the same boat!

[dcol]

Please, Please, Please devs. Don't get rid of the legacy plug-in. OS-DDCLIENT STILL NOT WORKING!!!!!
OPNsense will lose important functionality if this happens. Even github acknowledges ddclient has issues.

I tried the patches, using API tokens, nothing works, or continues to work. Got it to work ONCE. Not working anymore. I feel ddclient should be scrapped until something better comes along. The legacy plug-in just works. Remove it and reduce the functionality. Does this make sense?

[depc80]

I tried DD-Client, change Services: Dynamic DNS: General Settings - Backend to OPNesne and it works for IPv6 without changing anything in config file. However, i get error message

Code: [Select]

failed to set new ip None [{"result":null,"success":false,"errors":[{"code":9005,"message":"Content for A record must be a valid IPv4 address."}],"messages":[]}]Seems like ddclient try to update WAN private IP instead of public IP. For now I use dydns for IPv4 and, ddclient for Ipv6.

[chemlud]

Please note that 23.7 will kill dyndns (apparently ddclient will be the successor).

[dcol]

I assume that will only affect new installs. If you already have the legacy installed, it should continue to function.
It is a huge mistake to remove it since the replacement has so many issues. Why are they doing this?

[AdSchellevis]

....Why are they doing this?

Because it's unmaintainable code and we don't plan to invest in it (go back a couple of pages.. https://forum.opnsense.org/index.php?topic=26446.msg127896#msg127896), for that reason we invested in building the wrappers for the dyndns client everyone else seemed to be using, we even build an alternative implementation (https://github.com/opnsense/plugins/commit/ef91a6b4f9feef7b412ab4a98f14f452d0c187ac) when it turned out long term ddclient does seem to be dying (https://github.com/ddclient/ddclient/issues/528).

At the end of the day, there seem to be much more people complaining than contributing.....

After upgrades it won't be installed, but at some point it will stop working and nobody will care. My advise would be to try the new backend in os-ddclient and prepare for a world without the old plugin.

Best regards,

Ad

[dcol]

People complain when something doesn't work.
I just updated and ddclient doesn't update the Current IP or date in the GUI.
Also I get the logs filled with errors like this
2261-10-26T16:44:30-07:00   Notice   ddclient[87555]   43051 - [meta sequenceId="42"] FAILED: updating www.<xxx>.com: Could not connect to api.cloudflare.com/client/v4.   
2261-10-26T16:44:30-07:00   Notice   ddclient[87555]   42221 - [meta sequenceId="41"] WARNING: cannot connect to api.cloudflare.com:443 socket: Name does not resolve IO::Socket::IP configuration failed

[chemlud]

....Why are they doing this?

Because it's unmaintainable code and we don't plan to invest in it (go back a couple of pages.. https://forum.opnsense.org/index.php?topic=26446.msg127896#msg127896), for that reason we invested in building the wrappers for the dyndns client everyone else seemed to be using, we even build an alternative implementation (https://github.com/opnsense/plugins/commit/ef91a6b4f9feef7b412ab4a98f14f452d0c187ac) when it turned out long term ddclient does seem to be dying (https://github.com/ddclient/ddclient/issues/528).

At the end of the day, there seem to be much more people complaining than contributing.....

After upgrades it won't be installed, but at some point it will stop working and nobody will care. My advise would be to try the new backend in os-ddclient and prepare for a world without the old plugin.

Best regards,

Ad

Hi!

Sorry, but there are much, much, much more users than programmers with sufficient expertise to contribute to a security project such as an opensorce router/firewall... ;-)

Kind regards

chemlud

[almodovaris]

Well, but inadyn seems to be alive and kicking.

[franco]

And I'm sure DynDNS is not a systemic failure at all having two cases where that is so. The third time is the charm perhaps...

To be frank I think we are looking at state of the art here no matter how badly its perceived. It is what it is (not).


Cheers,
Franco

[chemlud]

Yeah, but the experience for many users is: This functionallity has been up and running for YEARS and problems started by "solving problem" that were non-existent to most users of dynDNS.... ;-)