ISC deprecation issues

Started by stanthewizzard, January 19, 2026, 10:00:12 AM

Hello

I understand that ISC will be deprecated end of month.
Switching to a plugin for "legacy" purposes.

I want to know if
KEA or Dnsmasq DNS&DHCP can do the same magic that I have with ISC: prepopulation of subnet, subnet mask and available range from the LAN IPv6?

My ISP can change the IPv6 from time to time and this functionality from ISC is a game changer in my case

Thanks for help

If you have a changing prefix use dnsmasq for dhcpv6, it can construct from a partial prefix:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
Hardware:
DEC740

January 19, 2026, 10:19:58 AM #2 Last Edit: January 19, 2026, 07:18:45 PM by meyergru
There is a problem with your approach with ISC DHCPv6 as well: The prefix change will potentially go unnoticed for as long as your lease time, because your clients will use the old prefix for as long.

With dynamic IPv6 prefixes, you basically have two choices:

a. Use SLAAC in "assisted" mode, where DHCPv6 only supplies the DNS server (besides RDNSS) - if at all, because DNSv4 is sufficient to supply both IPv4 and IPv6 resolution. This is the safest/easiest approach and shown here. Any local traffic is done via IPv4, such that you do not need DHCPv6 to supply specific IPv6 to your devices in order to address those in DNS.

b. If you need to have fixed IPv6, you will need to use some addresses on top of GUA that you can use for internal DNS purposes. Keep in mind that ULA will probably not work, because it is prioritized lower than even IPv4. Still, you can use any unused IPv6 prefix.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on January 19, 2026, 10:19:58 AM
There is a problem with your approach with ISC DHCPv6 as well: The prefix change will potentially go unnoticed for as long as your lease time, because your clients will use the old prefix for as long.

With dynamic IPv6 prefixes, you basically have two choices:

a. Use SLAAC in "assisted" mode, where DHCPv6 only supplies the DNS server (besides RDNSS) - if at all, because DNSv4 is sufficient to supply both IPv4 and IPv6 resolution. This is the safest/easiest approach and shown here. Any local traffic is done via IPv4, such that you do not need DHCPv6 to supply specific IPv6 to your devices in order to address those in DNS.

b. If you need to have fixed IPv6, you will need to use some addresses on top of GUA that you can use for internal DNS purposes. Keep in mind that ULA will probably not work, because it is prioritized lower than even IPv4. Still, you can use any unused IPv6 prefix.


every server inside the lan (homelab) has a static IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

Not a single failure for ages but I do rely on ISC DHCPv6

thanks

Quote from: Monviech (Cedrik) on January 19, 2026, 10:17:50 AM
If you have a changing prefix use dnsmasq for dhcpv6, it can construct from a partial prefix:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

Thank you :)
Already looked at it but I don't need dnsmasq at all. Overkill for DHCP only?

Quote from: stanthewizzard on January 19, 2026, 07:13:54 PM
every server inside the lan (homelab) has a static IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.

But then, why / how do you rely on ISC DHCPv6?

I can see only two things it could provide: routable IPv6 addresses, which can be handed out via SLAAC as well and leases and/or reservations which allow to use internal DNS names (which you say you do not use).

Frankly, I do not get what you are missing.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on January 19, 2026, 07:25:10 PM
Quote from: stanthewizzard on January 19, 2026, 07:13:54 PM
every server inside the lan (homelab) has a static IP fddd:31e8:3076:XX:YY
DHCPv6 with prefix and RA managed on carpv6 (also updated with IPv6 changes) and RA advertises fddd:31e8:3076:XX:YY
Do not send any DNS configuration to clients

fddd:31e8:3076:: is an ULA prefix that is not routed outside of your LAN, unless you use NAT66 or you still have the assigned GUA prefix IPv6s on top for outside access. If you use those ULA IPs for server access, fine.

But then, why / how do you rely on ISC DHCPv6?

I can see only two things it could provide: routable IPv6 addresses, which can be handed out via SLAAC as well and leases and/or reservations which allow to use internal DNS names (which you say you do not use).

Frankly, I do not get what you are missing.


Oops
yes you are right
and it's on purpose (internal dns for example with no wan rights)

then ISC DHCPv6 gives wan routable ipv6 from my ISP (2 servers are banned from being contacted from the outside world) to other devices (iphones windows mac etc)

Quote from: stanthewizzard on January 19, 2026, 07:44:48 PM
ISC DHCPv6 gives wan routable ipv6 from my ISP [...] to other devices

SLAAC can do that without any DHCP present at all.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 19, 2026, 07:50:19 PM
Quote from: stanthewizzard on January 19, 2026, 07:44:48 PM
ISC DHCPv6 gives wan routable ipv6 from my ISP [...] to other devices

SLAAC can do that without any DHCP present at all.

Yes but to my knowledge without fixed IPs?

The IPs will be automatic but predictable and stable. Unless the clients use privacy extensions but they are free to do that with DHCP, too.

A server configured with SLAAC will always get the same GUA unless its MAC address changes.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
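
The stable-address behaviour discussed in the posts above, as an added example that is not part of the thread: it assumes hosts form their interface identifier from the MAC (modified EUI-64), and the MAC, the two documentation prefixes and the ULA subnet id `1` are constructed sample values. It shows what to update in firewall aliases or DNS after a prefix change: only the upper 64 bits move, and the ULA address stays put.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local, not routed outside the LAN
GUA = ipaddress.IPv6Network("2000::/3")   # global unicast

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 prefix (assumes EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def scope(addr: ipaddress.IPv6Address) -> str:
    """Classify an address the way the thread does: ULA vs GUA."""
    if addr in ULA:
        return "ULA"
    if addr in GUA:
        return "GUA"
    return "other"

def renumber(mac: str, old_prefix: str, new_prefix: str) -> dict:
    """Old and new address for one host across an ISP prefix change."""
    old, new = slaac_address(old_prefix, mac), slaac_address(new_prefix, mac)
    host_bits = (1 << 64) - 1
    return {"old": old, "new": new,
            "same_interface_id": int(old) & host_bits == int(new) & host_bits}

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    change = renumber(mac, "2001:db8:aaaa:1::/64", "2001:db8:bbbb:1::/64")
    ula = slaac_address("fddd:31e8:3076:1::/64", mac)
    for label, addr in (("before", change["old"]), ("after", change["new"]),
                        ("internal", ula)):
        print(f"{label:9} {addr}  [{scope(addr)}]")
```
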

January 19, 2026, 08:24:55 PM #10 Last Edit: January 19, 2026, 08:59:07 PM by meyergru
And the difference to DHCPv6-derived IPs is that SLAAC-provided IPs are pushed, i.e. they are applied immediately when the GUA prefix changes.

The only thing you do not have is "known" static IPv6s that you can reference in DNS names (because the prefix can change). Usually, you do not need them anyways, because you can always use the IPv4 for internal purposes in DNS. All of that is covered in the HOWTO I linked above.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on January 19, 2026, 08:24:55 PM
And the difference to DHCPv6-derived IPs is that SLAAC-provided IPs are pushed, i.e. they are applied immediately when the GUA prefix changes.

The only thing you do not have is "known" static IPv6s that you can reference in DNS names (because the prefix can change). Usually, you do not need them anyways, because you can always use the IPv4 for internal purposes in DNS. All of that is covered in the HOWTO I linked above.

https://forum.opnsense.org/index.php?topic=45822.0
This one ?
Thanks again

Yes, I linked it in my first answer.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on Today at 08:38:55 AM
Yes, I linked it in my first answer.

Thanks I'll read it (didn't see it the first time)