How does SLAAC for IPv6 work with the DNS Search List (DNSSL) option

Started by allebone, February 24, 2026, 04:16:01 PM

Quote from: nero355 on February 25, 2026, 07:01:03 PM
This document explains all the options and seems to match your experience : https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html

Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode.  Per this document:

"Also, the address is stable when the network interface hardware is replaced."
N5105 | 8/250GB | 4xi226-V | Community

Interesting, thanks everyone. Based on the above I'm going to simply create AAAA records for servers I want to access by name and see if after 1 year any IPv6 addresses changed. If they did, I will just statically assign them an IPv6 address. This is very easy to do anyway. I would probably just statically assign them going forward but want to see if they ever change out of interest.

One more question, if I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples

And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General - must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?

-P

Quote from: allebone on February 25, 2026, 10:04:57 PM
If I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples

And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General

Must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?
Please read : https://docs.opnsense.org/manual/radvd.html :)

Quote from: OPNenthu on February 25, 2026, 07:46:02 PM
Quote from: nero355 on February 25, 2026, 07:01:03 PM
This document explains all the options and seems to match your experience : https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode.  Per this document:

"Also, the address is stable when the network interface hardware is replaced."
Was a quick reply so did not check everything, but you were on the right track for sure and that's what matters ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)


Quote from: klinebau on February 24, 2026, 08:36:56 PM
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

Hello, I have tried to configure this but have an issue. The router advertisements seem to be working to a degree because clients get the DHCP6 options I set (such as 23 - dns servers) correctly via RA. If I change the DNS servers they then receive the new values, however the DHCP range seems to not be 100%.

Under the leases tab I see (as an example):
<see image>

But the client does not get the IPv6 address 2607:f2c0:f00e:3512::18e5 as I would expect.

I have as you mentioned slaac and ra-names in DHCP range. If the client does not accept the IPv6 address I'm not clear how this service helps resolve names?

Kind regards,
P

I have resolved my own issue with the "DHCP register firewall rules" option and I agree this method works perfectly and is very good. The clients keep their old SLAAC address so that still works but gain in addition another DHCP address.

You are all excellent. Every one of you should be proud of yourselves.

Unless you have a specific need, you might consider ditching DHCPv6 by using RA-STATELESS (instead of SLAAC).  There really isn't a need to assign addresses if the clients you need to reference are using EUI-64.  While identity association makes firewall rules easier to manage now, having fewer IP addresses is still easier to manage. YMMV

Quote from: klinebau on February 24, 2026, 08:36:56 PM
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

My issue with the Linux hosts might be that some of them are using the "stable privacy" mode rather than "EUI64," so I guess Dnsmasq has no way to know that and guess the stable GUA address.  Therefore it can't ping it for confirmation.

My Android clients are a bit different.  They have a privacy mode which uses a randomized MAC for each network, but they do generate an EUI64 address based on that randomized MAC.  So those get registered.

I guess the only way to simulate that on a desktop is to spoof the interface MAC and change the mode back to "EUI64," maybe.
N5105 | 8/250GB | 4xi226-V | Community
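
The MAC-to-address matching discussed in the posts above, as an added example that is not part of the original thread and is not Dnsmasq's own code: it derives the modified EUI-64 SLAAC address a resolver could guess from a lease's MAC and checks an observed address against it. The function names, the 2001:db8:0:3512::/64 prefix, the MACs and the observed addresses are all constructed for illustration.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address an EUI-64 host would form on `prefix` (must be a /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return net[eui64_interface_id(mac)]


def classify(prefix: str, mac: str, observed: str) -> str:
    """Say whether an observed address can be predicted from the MAC alone."""
    addr = ipaddress.IPv6Address(observed)
    if addr not in ipaddress.IPv6Network(prefix):
        return "off-prefix"
    if addr == slaac_eui64_address(prefix, mac):
        return "eui64-match"          # guessable from the MAC, so it can be registered
    return "not-derivable-from-mac"   # e.g. stable-privacy or temporary address


if __name__ == "__main__":
    PREFIX = "2001:db8:0:3512::/64"   # constructed documentation prefix
    hosts = [                         # constructed (name, MAC, observed address)
        ("server", "00:11:22:33:44:55", "2001:db8:0:3512:211:22ff:fe33:4455"),
        ("android", "da:a1:19:00:00:01", "2001:db8:0:3512:d8a1:19ff:fe00:1"),
        ("linux", "00:11:22:33:44:66", "2001:db8:0:3512:8c5e:1f02:77aa:9b10"),
    ]
    for name, mac, seen in hosts:
        print(f"{name:8} guess={slaac_eui64_address(PREFIX, mac)} -> "
              f"{classify(PREFIX, mac, seen)}")
```

The second host shows why a randomized, locally administered MAC still matches: the address is derived from whatever MAC the client presents on that network.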