Current Best Practices

Started by JamesFrisch, May 16, 2025, 02:55:05 PM

For PKI I did create a CA on a VM, created intermediate + certs. Then powered off. Obviously internal only. That was a few years ago.
I have toyed with the idea of using OPN instead when the time to renew comes along. It seems a neat piece of functionality to have there.

AFAIK, the prerequisites for DNS registration of STATIC mappings are:
* Unbound config to register
* Some DHCP server enabled
* Static entries defined for that server
* Static entries feature a hostname (if the domain name is empty, the OPN domain name is used)
* Unbound restarted after static entry update
I think I've seen a thread wrt entries not being picked up until the host requests the IP but I don't understand why it would be the case (given my understanding of the integration).

For PKI, I was referring to this in the OP:
Quote: But for internal stuff, I am using self-signed certs (intermediate CA).
I was wondering what that meant. OPN? CA software on premises? something else?

Quote from: cookiemonster on May 20, 2025, 02:27:30 PM
For PKI I did create a CA on a VM, created intermediate + certs. Then powered off. Obviously internal only. That was a few years ago.
I have toyed with the idea of using OPN instead when the time to renew comes along. It seems a neat piece of functionality to have there.
Can you share the software used in that VM?

Most likely openssl.
Hardware:
DEC740

May 21, 2025, 12:24:42 AM #19 Last Edit: May 21, 2025, 10:58:36 AM by cookiemonster
Yes that's right, openssl.
The specific resource I always resort to when in doubt is https://www.feistyduck.com/library/openssl-cookbook/online/
For your own PKI it is chapter 15, and without OCSP, so there is no need for OCSP responders. Feistyduck is my first go-to for all openssl doubts I have. Keep it in your pocket :)

Quote from: EricPerl on May 20, 2025, 08:31:17 PM
AFAIK, the prerequisites for DNS registration of STATIC mappings are:

Ahh sorry, I don't mean static I mean the IPs that devices got from SLAAC.

Unbound can only deal with dynamic leases from ISC. The setting is "Register ISC DHCP4 Leases" for that reason.
Static leases are read from the OPNsense config...

...and they are being re-read only after an Unbound restart, different than dynamic leases.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: EricPerl on May 21, 2025, 06:15:13 PM
Unbound can only deal with dynamic leases from ISC. The setting is "Register ISC DHCP4 Leases" for that reason.
Static leases are read from the OPNsense config...

Sorry for being dense, but does that mean that in an IPv6-only VLAN, Unbound has no way of knowing the clients?
Does that mean that device1.home.arpa will always get an IPv4 address as the response?

May 23, 2025, 09:42:06 AM #24 Last Edit: May 23, 2025, 09:46:53 AM by meyergru
That is no dumb question: With Unbound and ISC DHCP, it seems so:

unbound_watcher.py watches /var/dhcpd/var/db/dhcpd.leases and shoves that into /usr/local/etc/unbound_dhcpd.conf, when a lease is detected.

There seems to be no equivalent for /var/dhcpd/var/db/dhcpd6.leases.

This also depends on how the clients get their IPv6 - with router advertisements, nobody would even notice a new device (at least for RADVD). Many clients, if at all, use DHCPv6 to get DNS info only, not to allocate them an IPv6.

But I thought that your ISP has static IPv6, so you can put any client that you need addressable into DNS statically.
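To make the mechanism in the post above concrete, here is an added illustration in Python; it is my own code, not OPNsense's unbound_watcher.py, and the lease text and the home.arpa domain are constructed/assumed. It parses the ISC dhcpd.leases format, keeps the latest block per IP, skips leases that are not active or carry no hostname, reduces the client-supplied hostname to a safe DNS label before it is written into a config file, and emits the kind of Unbound local-data lines that end up in unbound_dhcpd.conf (there is no dhcpd6.leases input here, mirroring the thread).

```python
import re
# Constructed sample in ISC dhcpd.leases format (not a real capture). The file is
# append-only, so one IP may appear in several blocks; the last block is current.
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "old-name";
}
lease 192.168.10.51 {
  binding state active;
}
lease 192.168.10.50 {
  binding state active;
  client-hostname "laptop";
}
lease 192.168.10.52 {
  binding state free;
  client-hostname "gone";
}
lease 192.168.10.53 {
  binding state active;
  client-hostname "Foo's iPhone";
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r'^\s*(binding state|client-hostname)\s+"?([^";]*)"?;', re.M)

def parse_leases(text):
    """Map IP -> {'state', 'hostname'}; a later block for the same IP replaces earlier ones."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        f = dict(FIELD_RE.findall(body))
        leases[ip] = {"state": f.get("binding state", ""), "hostname": f.get("client-hostname", "")}
    return leases

def safe_label(hostname):
    """Reduce a client-supplied name to a DNS label (untrusted input that lands in a config file)."""
    return re.sub(r"[^A-Za-z0-9-]", "-", hostname.strip()).strip("-").lower() or None

def unbound_local_data(text, domain):
    """Emit Unbound local-data lines for active leases that carry a usable hostname."""
    lines = []
    for ip, lease in sorted(parse_leases(text).items()):
        label = safe_label(lease["hostname"])
        if lease["state"] != "active" or not label:
            continue  # no hostname, or lease no longer active: nothing to register
        lines.append(f'local-data: "{label}.{domain}. IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {label}.{domain}."')
    return lines
```

Calling unbound_local_data(SAMPLE_LEASES, "home.arpa") yields only the 192.168.10.50 and 192.168.10.53 entries: the hostname-less lease and the freed lease produce nothing, and the iPhone's name is flattened to foo-s-iphone.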

So if I understand it correctly:

A default Ubuntu gets three IPs.
First one I can't use (it is not static because of privacy extensions).
Second one has a static suffix, plus a static prefix, because the prefix from my ISP is static.
Third one is link local. Will not work over different VLANs.

So I could use the second or third one. But then I am back to the old IPv4 way of remembering IPs instead of using DNS.
Could I use mDNS instead? This should work out of the box without any changes on my part?
Would mDNS be stable enough to be used in a reverse proxy as proxy_pass?
Probably too risky, right?

You just let your system come up with whatever IPv6 GUA it gets from the ISP, then enter that in your DNS manually. Same for each internal SLAAC address of devices you want addressable and which do not use privacy extensions. Servers usually don't.

The addresses are configured automatically but static in nature, i.e. stay the same over reboots etc. So check what you got, enter that in DNS, done.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Cheers Patrick for your answer.
I think Ubuntu (netplan) does, but not Debian.

Hmm... Not really what I wanted to hear to be honest :)

If I have to enter the IP to my DNS manually, why even bother?
Just so I can enter the hostname into the proxy_pass instead of that IP?
Sounds like the same amount of work, but now my proxy is dependent on the DNS.

What I wanted to hear is:
SLAAC just like IPv4 watches for new DHCP leases.
But just like @meyergru said:
Quote: There seems to be no equivalent for /var/dhcpd/var/db/dhcpd6.leases.

Which brings me to my next question.
Should I use DHCPv6 for these VLANs?
I again can't really find any advantages; am I missing something?

By assigning IPv6 with DHCPv6, my client gets a static IP, and this is hopefully also registered in the DNS.
But at the same time, my client gets a static IP anyway, so again, sounds like the same amount of work, but now my proxy is dependent on the DNS.

Is DHCPv6 only really useful, if you don't have a static prefix?

I only need DNS names for things I want to access as a server. And they are again pretty static in nature, they do not come and go.

Laptops and mobile devices - why bother naming them at all? You apply different security policies not by DNS name or IP address but by VLAN. All devices that should be treated the same go into the same VLAN. I don't care which is which.

Additionally I have Avahi on all my Linux and BSD systems, so e.g. "ssh pi1.local" works - and uses IPv6 😉

Quote from: Patrick M. Hausen on May 24, 2025, 11:58:22 AM
Laptops and mobile devices - why bother naming them at all?
Because it's easier to debug. If I see "Foo's iPhone" in the tcpdump, I directly know what device it is. If I just see an IP address, I have to grep the DHCP leases to find out what device it is.