How does SLAAC for ipv6 work with the DNS Search List (DNSSL) option

Started by allebone, February 24, 2026, 04:16:01 PM

If you configure slaac unmanaged how does the search list option work exactly?

For example, if you set the domain in that field to "workgroup.internal" and a SLAAC client has the hostname "client1", how does name resolution work, or how is it supposed to work?

If I ping -6 "client1.workgroup.internal" it does not work. Is there a missing piece here, do I need to configure something on unbound? How would a slaac client register its hostname?

It doesn't. The search domain defines what the client appends when requesting a domain name from the name server. Registration of names is not something SLAAC covers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Right. SLAAC is meant to give IP addresses to clients. They can even take up random IPs (e.g. with privacy extensions). Those are for outbound access, mostly.

If you want to make your clients addressable by name, you can use these mechanisms:

1. IPv4 only (this is the simplest and my recommendation): Do not bother to make your clients addressable by IPv6 at all.
2. Via DHCPv6. While this works, the DNS entries hold as long as your DHCP lease time and thus, may be wrong with dynamic prefixes.
3. With static prefixes: Use SLAAC and hope that the client uses EUI-64 (potentially among others). Then you can statically name your clients via PREFIX:EUI-64. In this case, you can also use DHCPv6.
4. With dynamic prefixes: ULAs may be your friend, but note that they are prioritized LOWER than even IPv4 (contrary to popular belief).

Because most people have dynamic prefixes, I prefer to use 1., but with SLAAC for outbound access only. This is all covered here: https://forum.opnsense.org/index.php?topic=45822.0

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I am using dnsmasq with SLAAC and RA-NAMES.  This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address.  I find this to be very convenient.  It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.

I have high hopes for the new hostwatch db/service to help with this, even if some non-standards based solution is needed in OPNsense.

The problem with 1. above is that the client's SLAAC GUA is the one that shows in logs (e.g. Unbound & F/W live view), and this might even be a temporary address from privacy extensions.  It's not resolvable to a hostname so tracking clients is more work.  I usually have to work backwards from NDP to find the MAC and then cross-reference manually in Leases.

A future OPNsense update could leverage the hostwatch data to auto-register SLAAC clients in DNS, maybe?  It could discover and track the temporary addresses this way.

🤞

Quote from: klinebau on February 24, 2026, 08:18:58 PM
I am using dnsmasq with SLAAC and RA-NAMES.  This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address.

I will have to re-check my Dnsmasq settings but this doesn't always work for me.  It works for clients in the DHCP pool but not for hosts entries.

Maybe I did something wrong.
N5105 | 8/250GB | 4xi226-V | Community

RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

Quote from: klinebau on February 24, 2026, 08:18:58 PM
I am using dnsmasq with SLAAC and RA-NAMES.  This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address.  I find this to be very convenient.  It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.

How do I configure this option?

Many thanks
P

Since SLAAC unmanaged addresses never change on the clients (the client always chooses the same IPv6 address), can I also use a strategy where I just create AAAA records on Unbound for the computers I need to resolve via DNS? Is this correct?

I should note I have a /56 static from my provider.

If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.

Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on Today at 12:45:25 AM
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.

Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.

Seems like neither my Ubuntu boxes nor my Windows boxes have FFFE in the addresses, so I guess they all use private IPs.

However they also never seem to change ever. I have had many opportunities for them to change with things down for various changes and they seem to always get the exact same address always.

Is an override in Unbound the same as setting an AAAA record? Am I right to assume the IPv6 address won't change on clients?

That depends. Clients are free to use many IPv6 addresses at the same time: LL, ULA and GUA, and also multiple ones of the latter.
For outbound access, they have means to determine what is best (like if they use privacy extensions, they will use a random GUA preferably). For inbound access, they will react to any of them. So, if you want to have a permanent DNS handle, you would use the EUI-64 GUA (or ULA for dynamic prefixes).

As said, many clients derive that from the MAC, Windows does not, but AFAIK, the EUI-64 part still is static.

For Ubuntu and other Linuxes, I normally see MAC-derived EUI-64 parts with SLAAC, so IDK what the reason is that you see otherwise - maybe some DHCPv6 service is in play?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on Today at 12:16:06 PM
For Ubuntu and other Linuxes, I normally see MAC-derived EUI-64 parts with SLAAC, so IDK what the reason is that you see otherwise

My - educated - guess is that server variants of e.g. Ubuntu use EUI-64 based SLAAC while desktop variants enable privacy extensions.
I don't run desktop Linux but that's what I would expect.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

In NetworkManager there is an option "IPv6 address generation mode," which can be set to either "stable privacy" or "EUI64."  This is separate from the privacy extensions mode.

On my linux desktop "stable privacy" is the default, which does not derive from the MAC address but rather generates a unique address that remains stable on a per-network basis.  If you change networks (or NICs, I guess) you get a different one.

Quote from: klinebau on February 24, 2026, 08:36:56 PM
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

I'm not near my OPNsense now but can verify later this week.  The host which is failing to register does have an IPv4 reservation by MAC.  However, the same client has reservations on multiple ranges/domains so that it always gets a .100 address no matter which VLAN I move it to.  Maybe that causes some problem.
N5105 | 8/250GB | 4xi226-V | Community

Quote from: allebone on February 24, 2026, 11:01:02 PM
How do I configure this option?

I used the configuration example right out of the dnsmasq documentation (https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples).  The only difference is that I used RA-STATELESS and RA-NAMES for the RA Mode.

Quote from: Patrick M. Hausen on Today at 12:34:38 PM
My - educated - guess is that server variants of e.g. Ubuntu use EUI-64 based SLAAC while desktop variants enable privacy extensions.

It's whatever you make of it, or whatever networking software is used by your distro:

- Ubuntu, and from what I heard also the latest Raspberry Pi OS, like Netplan, which then influences NetworkManager.
- Most Desktop installs use NetworkManager as the Default too.
- Debian also has /etc/network/interfaces and others based on it usually do too...
However for some years now it seems NetworkManager is the way to go in the future!
- Then there is also dhcpcd.conf which mainly Raspberry Pi RaspBian has used in the past...
- And then there is also the option to avoid all of those and just use SystemD for all your networking stuff ;)

Quote from: OPNenthu on Today at 04:09:01 PM
In NetworkManager there is an option "IPv6 address generation mode," which can be set to either "stable privacy" or "EUI64."  This is separate from the privacy extensions mode.

On my linux desktop "stable privacy" is the default, which does not derive from the MAC address but rather generates a unique address that remains stable on a per-network basis.  If you change networks (or NICs, I guess) you get a different one.

This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)