Bug #9893
closedRDNSS is broken in 2.5 for Android and leightweight Clients
0%
Description
Version of PfSense under Test:
2.5.0-DEVELOPMENT (amd64)
built on Sun Nov 10 20:08:03 EST 2019
FreeBSD 12.0-RELEASE-p10
The changes in https://redmine.pfsense.org/issues/9302 break RDNSS when using Managed or Stateless DHCP on the RA Tab of the DHCPv6 Server & RA Setup.
Looking in the /var/etc/radvd.conf shows the RDNSS and DNSSL entries are missing.
The effect is that clients which do not utilize DHCP for DNS (ie Android and other light weight devices ) no longer get DNS information. It should be noted that these clients work as expected in 2.4.4 and even with Managed or Stateless DHCP it is a valid use case that these clients are to work.
Fix would be to roll back change 9302.
Bug 9302 should never have been accepted as a bug. pfSense was working correctly per RFC before change 9302 was incorporated.
RFC 8504 Chapter 8 provides overview of Configuring Non-Address Information and states that IPv6 Router Advertisement Implementations MUST include support for the DNS RA option [RFC8106]. This has been in effect since 2017.
This is regardless of the Flags (M or O) as these are to inform the client of the availability of a DHCP server, not to tell the router to turn off Router Announcement Functionality.
RFC 8106 Chapter 5.3 spells out what hosts are to do when they receive DNS Servers from both DHCPv6 and RDNSS.
In my production Network using 2.4.4 with Stateless DHCP, a Windows ipconfig /all shows:
DNS Servers . . . . . . . . . . . : 2605:e000:fe8c:8f64:a:b:c:2b0b (address of pihole DNS provided by DHCPv6) 10.23.64.15 (address of pihole DNS provided by DHCPv4) 2605:e000:fe8c:8f10:a:b:c::2b01 (address of System DNS provided by RDNSS)
The Windows machine will use the DNS servers in the order as shown as is required by RFC 8106. In my configuration if the pihole server DNS were to go down then the system DNS will still be operational. This is especially useful if the prefix provided by the ISP were to change as the DHCP DNS servers will have to be manually edited, but system DNS is automatically updated to the new prefix.
In the Test of 2.5.0 the last entry is no longer being provided via RDNSS so there is no way to provide the system DNS as the fallback DNS.
I left more feedback at https://redmine.pfsense.org/issues/9302
Updated by Elbin Teh about 5 years ago
While this is convenient to you as you have a dynamic prefix, there are some situations where this might not be desired.
RDNSS and DNSSL in RA are optional configurations as per the RFC. It’s up to the network administrator to configure these as necessary, depending on the network.
In pfSense 2.4.4, using Managed mode (M flag set) or Stateless DHCP (O flag set), there was no way of not configuring RDNSS. Even if the DNS servers fields in RA configuration were left blank pfSense would advertise either the Interface address of the DNS Forwarder or Resolver (if enabled) or fallback to the system DNS server.
This also violates the RFC you specified as it doesn’t give the network administrator the option to disable RDNSS or DNSSL. When these fields are not configured or intentionally left blank in the RA configuration, IMHO, pfSense should allow RDNSS or DNSSL to be disabled (if that is desired by the network administrator).
As per RFC 8106, section 1.1 states that RDNSS in RA is not a MUST:
RA-based DNS configuration is a useful alternative in networks where an IPv6 host's address is autoconfigured through IPv6 SLAAC and where either (i) there is no DHCPv6 infrastructure at all or (ii) some hosts do not have a DHCPv6 client. The intention is to enable the full configuration of basic networking information for hosts without requiring DHCPv6. However, for networks that need to distribute additional information, DHCPv6 is likely to be employed. In these networks, RA-based DNS configuration may not be needed.
Updated by Rick Coats about 5 years ago
You need to read to the end of RFC 8106. Section 1 is the rational why RDNSS was added to the Router Announcements.
It states in Section 1.2 that Hosts that conform to RFC 4861 Neighbor Discovery for IP version 6:
"MUST extract DNS information from RA messages, unless static DNS
configuration has been specified by the user. If there is DNS
information available from multiple RAs and/or from DHCP, the host
MUST maintain an ordered list of this information as specified in
Section 5.3.1."
RDNSS and DNSSL in RA are not optional. This has been the case since at least 2017 when IPv6 was standardized in RFC 8200 (STD: 86) Internet Protocol, Version 6 (IPv6) Specification.
See also RFC 8504, Best Current Practice 220, IPv6 Node Requirements.
Chapter 8. Configuring Non-address Information, specifically 8.3
"8.3. IPv6 Router Advertisement Options for DNS Configuration - RFC 8106
Router Advertisement options have historically been limited to those
that are critical to basic IPv6 functionality. Originally, DNS
configuration was not included as an RA option, and DHCP was the
recommended way to obtain DNS configuration information. Over time,
the thinking surrounding such an option has evolved. It is now
generally recognized that few nodes can function adequately without
having access to a working DNS resolver; thus, a Standards Track
document has been published to provide this capability [RFC8106].
Implementations MUST include support for the DNS RA option [RFC8106]."
I think the real issue is making certain that the RDNSS DNS Server is the correct DNS. Currently it can be manually set by the network administrator. The wording is pretty clear. Leave blank to use the system default DNS servers - this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the General page.
Updated by Elbin Teh about 5 years ago
The extract that you've posted is in Section 1.2 which immediately follows Section 1.1 (which describes how RDNSS in RA is a useful alternative and may not be needed in some cases).
Section 1.2 explains the case where DNS information is present in BOTH RA and DHCPv6 Options. In such a case, then IPv6 host MUST extract the DNS information from the RA messages along with the information from DHCPv6. However, the author does not mention that RDNSS and DNSSL are mandatory Options in IPv6 ND messages.
In Section 4, it is also suggested that an "IPv6 host CAN configure one or more RDNSSes via RA messages" and that "RA options for RDNSS and DNSSL CAN be used". "MUST" is not used.
The existing ND message (i.e., RA) is used to carry this information. An IPv6 host can configure the IPv6 addresses of one or more RDNSSes via RA messages. Through the RDNSS and DNSSL options, along with the Prefix Information option based on the ND protocol [RFC4861] [RFC4862], an IPv6 host can perform the network configuration of its IPv6 address and the DNS information simultaneously without needing DHCPv6 for the DNS configuration. The RA options for RDNSS and DNSSL can be used on networks that support the use of ND.
Regarding [RFC 8504]
Implementations MUST include support for the DNS RA option [RFC8106]
This can be interpreted as "having the ability to process/understand DNS RA option when being received", rather than mandating it to be set in the RA.
Updated by Rick Coats about 5 years ago
We are just going to have to disagree then because multiple RFC's say the same thing. I have been writing and reading specs for 30 years and requirements words have specific meanings. The word CAN in an overview paragraph does not make it optional. "MAY" is optional, "CAN" is equivalent to "is able to". If they wanted it to be optional they would have said MAY configure.
"2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]."
These are the words that establish requirements. Everything else is explanation and clarification.
Regardless, what is your goal with this change? What is it you are trying to accomplish in your pfsense configuration that you can't now?
The only outcome of this change is that you will have a router that will prevent ipv6 compliant hosts on your network from being able to receive the DNS server you want. The result will be that these hosts will just use Google DNS. IPv6 hosts are not required to support DHCP and many of them do not.
I think paragraph 8.3 of RFC 8106 states it best. Router Advertisements are limited to critical functionality, and now DNS is considered to be part of that.
Updated by Jim Pingle about 5 years ago
- Status changed from New to Duplicate
- Priority changed from High to Normal
- Target version deleted (
2.5.0)
Rather than duplicate the info, let's keep all this on #9302 since it's the same issue.