
Binding to non-SLAAC addresses only

Open eickeh opened this issue 1 year ago • 3 comments

First of all, thank you for all your work on nsd! It runs smooth and stable for quite some years for us! :tada:

Problem description

We just ran into one issue with IPv6 SLAAC addresses. As soon as the SLAAC address pops up after boot, nsd doesn't serve IPv6 UDP DNS requests to the static address anymore. The man page says the following:

ip-address: <ip4 or ip6>[@port] [servers] [bindtodevice] [setfib]
              NSD will bind to the listed ip-address. Can be given multiple
              times to bind multiple ip-addresses.
              [...]

              For servers with multiple IP addresses that can be used to
              send traffic to the internet, list them one by one, or the
              source address of replies could be wrong. This is because if
              the udp socket associates a source address of 0.0.0.0 then
              the kernel picks an ip-address with which to send to the
              internet, and it picks the wrong one. Typically needed for
              anycast instances. Use ip-transparent to be able to list
              addresses that turn on later (typical for certain
              load-balancing).

So that's most likely the case here. As soon as I set my IPs like this, it works:

        ip-address: 0.0.0.0
        ip-address: <<my static v6 IP>>

So that's good. However, I would like to keep the nsd.conf as machine-agnostic as possible as I deploy it via Ansible on multiple hosts. So I wondered if one could incorporate an option that only binds to non-SLAAC addresses. What do you think?

System info:

OS: Debian 12.8
Version: 4.6.1

eickeh avatar Nov 19 '24 09:11 eickeh

Hi @eickeh! I'm not sure this is something we can handle conveniently in NSD(?) We don't provide anything special to getaddrinfo when binding. This almost feels like it has more to do with the default interface being updated on the system? However, I'm by no means an expert when it comes to interface/route configurations, so there's a good chance I'm wrong. If there's a convenient way for us to add this, I'm happy to look into it.

k0ekk0ek avatar Nov 26 '24 14:11 k0ekk0ek

Hmm, I read a bit further and I found no good way to handle additional SLAAC addresses on servers, and the easiest thing is to just turn SLAAC off. So thanks, but I guess you're right: the problem is not that nsd doesn't bind to the address, but that the response comes from the wrong IP.

Please somebody correct me, if there is a good way that I missed.

eickeh avatar Dec 05 '24 11:12 eickeh

@eickeh there's not a great way to do it cross-platform. Linux has IFA_F_TEMPORARY and *BSD generally has IN6_IFF_TEMPADDR to avoid some of it.

nsd.410.diff.txt

jaredmauch avatar Aug 03 '25 21:08 jaredmauch
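The two threads of this discussion, the reporter's wish to keep nsd.conf machine-agnostic while still listing addresses one by one (as the man page advises), and the per-address flags jaredmauch points to (IFA_F_TEMPORARY on Linux), can be combined at deploy time instead of inside NSD: generate the `ip-address:` lines from the host's address table and drop the SLAAC and privacy addresses. The following is an added example for this issue, not code from NSD or from anyone in the thread. It parses the text format that iproute2's `ip addr show` prints on Linux, where the flag word "temporary" reflects IFA_F_TEMPORARY and "dynamic" marks an address without IFA_F_PERMANENT (SLAAC- or DHCP-learned), so it goes slightly beyond the IPv6-only request and also lists static IPv4 addresses explicitly rather than falling back to `0.0.0.0`. The sample output is constructed, and the helper names are my own.

```python
"""Generate explicit nsd.conf ip-address lines from `ip addr show` output.

Added example for the NSD issue above, not NSD's own code. iproute2 prints
"dynamic" for addresses lacking IFA_F_PERMANENT (SLAAC/DHCP) and "temporary"
for IFA_F_TEMPORARY privacy addresses; both are skipped, as are non-global
scopes, so only statically configured addresses are emitted one by one.
"""
import re
import subprocess
from typing import Iterable, List

# Constructed sample in the multi-line format `ip addr show` prints on Linux:
# a static IPv4 and IPv6 address, a SLAAC address (dynamic mngtmpaddr), a
# privacy address (temporary dynamic), loopback and a link-local address.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet 192.0.2.53/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::53/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic 
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2001:db8:1:0:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr 
       valid_lft 86395sec preferred_lft 86395sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link 
       valid_lft forever preferred_lft forever
"""

# Matches the "inet"/"inet6" line of each address; everything after the scope
# word is the flag list (for IPv4 it also carries the interface label).
ADDR_LINE = re.compile(
    r"^\s*(?P<fam>inet6?)\s+(?P<addr>[0-9a-fA-F:.]+)/\d+\s+.*?\bscope\s+"
    r"(?P<scope>\S+)(?P<flags>.*)$"
)

# Flags that mean "not a stable, statically configured source address".
SKIP_FLAGS = {"dynamic", "temporary", "deprecated"}


def static_global(ip_output: str) -> List[str]:
    """Return addresses safe to list as `ip-address:`, in `ip` output order."""
    keep: List[str] = []
    for line in ip_output.splitlines():
        m = ADDR_LINE.match(line)
        if m is None:
            continue
        if m.group("scope") != "global":
            continue  # drop loopback (host) and fe80::/10 (link) addresses
        if set(m.group("flags").split()) & SKIP_FLAGS:
            continue  # drop SLAAC/DHCP ("dynamic") and privacy ("temporary")
        keep.append(m.group("addr"))
    return keep


def nsd_ip_address_lines(addrs: Iterable[str], indent: str = "        ") -> str:
    """Render one `ip-address:` line per address, indented like the thread's snippet."""
    return "\n".join(f"{indent}ip-address: {addr}" for addr in addrs)


def from_system() -> List[str]:
    """Run `ip addr show` on this host (Linux with iproute2) and filter it."""
    proc = subprocess.run(["ip", "addr", "show"], check=True,
                          capture_output=True, text=True)
    return static_global(proc.stdout)


if __name__ == "__main__":
    print(nsd_ip_address_lines(static_global(SAMPLE_IP_ADDR_OUTPUT)))
```

On the constructed sample this yields `ip-address: 192.0.2.53` and `ip-address: 2001:db8:1::53` and nothing for the SLAAC, privacy, loopback or link-local addresses. In an Ansible deployment the list from `from_system()` would be gathered as a per-host fact and rendered into the template, which keeps the playbook machine-agnostic while the resulting nsd.conf is explicit. The man-page caveat still applies: an address that only appears after NSD starts is not covered by this, and needs ip-transparent.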