
DNS and domain options for DHCPv6 and Router Advertisements, multiple issues #2336

Closed
maurice-w opened this issue Apr 8, 2018 · 13 comments

@maurice-w
Member

maurice-w commented Apr 8, 2018

Parameters in dhcpdv6.conf, configured via services_dhcpv6.php

  1. OPNsense sets the domain-name parameter, both as a global option (system domain) as well as a subnet-specific option (Domain name field). However, this is a DHCPv4 option and is ignored by dhcpd6. DHCPv6 uses the dhcp6.domain-search option only.
    1.1 The global domain-name option (set to the system domain) should be renamed to dhcp6.domain-search.
    1.2 The Domain name field should be removed from services_dhcpv6.php.
    1.3 The Domain search list field should set the subnet-specific dhcp6.domain-search option. Currently it sets the domain-search option (which is ignored by dhcpd6 because it's a DHCPv4 option).
  2. If no Range is specified, all subnet-specific options are missing. The options should always be there (to allow stateless DHCPv6 mode).
  3. There are two additional global DHCPv4 options which should be removed:
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;

Reference (ISC DHCP 4.3 Man pages):
https://www.isc.org/wp-content/uploads/2017/08/dhcp43.html
https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html

Parameters in radvd.conf, configured via services_router_advertisements.php

  1. RDNSS
    1.1 If addresses are entered into the DNS servers fields, the RDNSS option is missing. It should be set to the specified addresses.
    1.2 If the DNS servers fields are left blank and Unbound is disabled, the RDNSS option is missing. It should be set to the IPv6 DNS servers configured via system_general.php.
    1.3 Enabling Use the DNS settings of the DHCPv6 server has no effect. It should set RDNSS to the DNS servers configured via services_dhcpv6.php.
  2. DNSSL
    2.1 The Domain search list field is supposed to set DNSSL to the specified domains, but has no effect. DNSSL is always set to the system domain.
    2.2 If a Domain name(!) is specified via services_dhcpv6.php(!), DNSSL is set to this domain. This should... not happen.

I hope that's all. Tested with OPNsense 18.1.5, but these issues are not new. A domain and two IPv6 DNS servers are configured via system_general.php. The LAN interface has a static IPv6 address, Router Advertisements are set to Assisted and the DHCPv6 server is enabled.

fichtner self-assigned this May 2, 2018
fichtner added the bug Production bug label May 2, 2018
fichtner added this to the 18.7 milestone May 2, 2018
fichtner added a commit that referenced this issue May 5, 2018
Looks like this was introduced in 607d8ec.
@fichtner
Member

fichtner commented May 5, 2018

RDNSS should be fixed via 94df5fb:

# opnsense-patch 94df5fb

DNSSL should be fixed via d286e9a:

# opnsense-patch d286e9a

Cheers,
Franco

@fichtner
Member

fichtner commented May 5, 2018

Where is a reference to IPv4-only code 95 and 119?

@fichtner
Member

fichtner commented May 5, 2018

Doesn't domain-search-list collide with dhcp6.domain-search and we should use to set the former domain-search-list servers as dhcp6.domain-search if set or use the domain name like DNSSL?

fichtner added a commit that referenced this issue May 5, 2018
Looks like this was introduced in 607d8ec.

(cherry picked from commit 94df5fb)
@maurice-w
Member Author

Hi Franco,

Thanks for looking into this. RDNSS and DNSSL seem to be solid now! I can't reproduce the bugs after applying the patches.

Regarding DHCP options: "LDAP" (95) and "Domain Search" (119) can be found in IANA's DHCPv4 options list: https://www.iana.org/assignments/bootp-dhcp-parameters
For DHCPv6, the options are completely different. 95 is "OPTION_S46_CONT_MAPT" and 119 is "OPTION_F_DNS_FLAGS": https://www.iana.org/assignments/dhcpv6-parameters

Regarding dhcp6.domain-search: Could you clarify? I don't see the conflict.
Currently dhcpdv6.conf looks like this:

option domain-name "systemdomain.example.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;

[...]

subnet6 2001:db8:1:1::/64 {
  range6 2001:db8:1:1::10 2001:db8:1:1::ff;
  option domain-search "subnetdomain.example.com";
  option dhcp6.name-servers 2001:db8:1:1::a;
}

It should look like this:

option dhcp6.domain-search "systemdomain.example.com";

[...]

subnet6 2001:db8:1:1::/64 {
  range6 2001:db8:1:1::10 2001:db8:1:1::ff;
  option dhcp6.domain-search "subnetdomain.example.com";
  option dhcp6.name-servers 2001:db8:1:1::a;
}

Cheers,
Maurice
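
Added example (not part of the original comment or of the OPNsense code base): a small Python check that flags options in a dhcpdv6.conf lying outside the dhcp6 option space, run on the "currently looks like this" configuration quoted above. The function name `lint_dhcpdv6` and the advice strings are illustrative, and the scope tracking assumes flat subnet6 blocks as in that sample.

```python
import re

# Constructed sample: the "currently looks like this" dhcpdv6.conf from the thread.
SAMPLE_BEFORE = '''\
option domain-name "systemdomain.example.com";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;

subnet6 2001:db8:1:1::/64 {
  range6 2001:db8:1:1::10 2001:db8:1:1::ff;
  option domain-search "subnetdomain.example.com";
  option dhcp6.name-servers 2001:db8:1:1::a;
}
'''

# Fixes proposed in the thread for the unqualified names it discusses.
ADVICE = {
    "domain-name": "use dhcp6.domain-search",
    "domain-search": "use dhcp6.domain-search",
}

OPTION_RE = re.compile(r"^\s*option\s+([A-Za-z0-9_.-]+)\s*(code\s+\d+\s*=)?")
SCOPE_RE = re.compile(r"^\s*(subnet6\s+\S+)\s*\{")


def lint_dhcpdv6(text):
    """Return (line_no, scope, option, advice) for options outside the dhcp6 space."""
    findings, scope = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = SCOPE_RE.match(line)
        if m:
            scope = m.group(1)               # entering a subnet6 block
        elif line.strip() == "}":
            scope = "global"                 # assumption: blocks are not nested
        m = OPTION_RE.match(line)
        if not m or "." in m.group(1):
            continue                         # not an option, or already space-qualified
        name, is_definition = m.group(1), bool(m.group(2))
        advice = "remove definition" if is_definition else ADVICE.get(name, "no dhcp6. prefix")
        findings.append((no, scope, name, advice))
    return findings


if __name__ == "__main__":
    for no, scope, name, advice in lint_dhcpdv6(SAMPLE_BEFORE):
        print(f"line {no} [{scope}]: option {name}: {advice}")
```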

@fichtner
Member

fichtner commented May 6, 2018

Hi @maurice-w,

Thank you for your help, it's tremendously useful! ❤️

  • Removal of domain-search-list from both v4 and v6, it is unused fb31e54
  • Removal of ldap-server from v6 e6e578c

Could you also double-check the previous cleanup for avoiding unconditional addition of dhcp6.name-servers discussed in the forum? 5e41585

Cheers,
Franco

@fichtner
Member

fichtner commented May 6, 2018

Now for the complicated part: "Domain search list" exists in the services_dhcpv6.php page, should this not be merged with the domain-name -> dhcp6.domain-search transition and follow a similar DNSSL logic: system domain if no custom servers defined?

And for services_dhcpv6_edit.php do we also want "Domain search list"?

fichtner added a commit that referenced this issue May 18, 2018
@fichtner
Member

@maurice-w did you have time to check these yet? I've queued up what we have for the upcoming 18.1.9, but there are still 2 open issues.

fichtner modified the milestones: 18.7, 19.1 Jul 15, 2018
@fichtner
Member

@maurice-w some things are still open but everything else has been shipped already. happy to finish this up with your help. just let me know when you have time.

@fichtner
Member

fichtner commented Aug 9, 2018

@maurice-w ping :)

@fichtner
Member

fichtner commented Sep 8, 2018

closing until further feedback is given

@maurice-w
Member Author

I recently noticed that the Domain Search List option is still missing in DHCPv6 replies. I rediscovered this old issue and created a pull request which should fix it.
What remains to be done is replacing the global domain-name option and removing the Domain name field from services_dhcpv6.php.

> Now for the complicated part: "Domain search list" exists in the services_dhcpv6.php page, should this not be merged with the domain-name -> dhcp6.domain-search transition and follow a similar DNSSL logic: system domain if no custom servers defined?

Yes, it should.

> And for services_dhcpv6_edit.php do we also want "Domain search list"?

Probably. We definitely don't want the Domain name option which is currently there. It simply doesn't exist in DHCPv6.

fichtner reopened this Nov 20, 2019
fichtner pushed a commit that referenced this issue Nov 20, 2019
The "domain-search" option in dhcpdv6.conf must be prefixed with "dhcp6". This fixes one of the issues from #2336 which are still open.
@fichtner
Member

fichtner commented Nov 20, 2019

I'm not able to trace back what we were discussing back then: dhcp6.domain-search looks ok now and domain-name should be generally removed. Am I missing something else?

fichtner pushed a commit that referenced this issue Nov 20, 2019
The "domain-search" option in dhcpdv6.conf must be prefixed with "dhcp6". This fixes one of the issues from #2336 which are still open.

(cherry picked from commit 502e6c7)
@maurice-w
Member Author

  • The global domain-name option (set to the system domain) should be renamed to dhcp6.domain-search.
  • Same for static mappings.
  • The interface-specific domain-name option should be removed.

I created another pull request, please double check.
