NSD & Unbound refusing to bind to IPv6 when anycast flag set ?


Rachel Roch
I'm still learning IPv6 intricacies, so forgive me if this is a silly question.

When I have interfaces set in the standard manner, e.g.:

inet6 2001:DB8:beef::1 128
up

NSD and Unbound will bind to that address without problem.

However if I add the anycast flag:
inet6 2001:DB8:beef::1 128 anycast
up

and then destroy and re-create the interfaces and pkill and relaunch unbound and NSD, they both complain bitterly:

[2019-05-11 21:00:51.665] nsd[43360]: notice: nsd starting (NSD 4.1.27)
[2019-05-11 21:00:51.666] nsd[43360]: error: can't bind udp socket: Can't assign requested address
[2019-05-11 21:00:51.666] nsd[43360]: error: server initialization failed, nsd could not be started
[1557604863] unbound[69433:0] error: can't bind socket: Can't assign requested address for 2001:DB8:beef::1 port 53
[1557604863] unbound[69433:0] fatal error: could not open ports

The interface shows correctly in ifconfig so I don't know what the problem is ?

This is on OpenBSD 6.5 if it makes any difference.


Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

Stuart Henderson
(moving from misc to tech)

On 2019-05-11, Rachel Roch <[hidden email]> wrote:

> I'm still learning IPv6 intricacies, so forgive me if this is a silly question.
>
> When I have interfaces set in the standard manner, e.g.:
>
> inet6 2001:DB8:beef::1 128
> up
>
> NSD and Unbound will bind to that address without problem.
>
> However if I add the anycast flag:
> inet6 2001:DB8:beef::1 128 anycast
> up
>
> and then destroy and re-create the interfaces and  pkill and relaunch unbound and NSD, they both complain bitterly:
>
> [2019-05-11 21:00:51.665] nsd[43360]: notice: nsd starting (NSD 4.1.27)
> [2019-05-11 21:00:51.666] nsd[43360]: error: can't bind udp socket: Can't assign requested address
> [2019-05-11 21:00:51.666] nsd[43360]: error: server initialization failed, nsd could not be started
> [1557604863] unbound[69433:0] error: can't bind socket: Can't assign requested address for 2001:DB8:beef::1 port 53
> [1557604863] unbound[69433:0] fatal error: could not open ports
>
> The interface shows correctly in ifconfig so I don't know what the problem is ?
>
> This is on OpenBSD 6.5 if it makes any difference.
>
>

RFC3513 says this:

  o An anycast address must not be used as the source address of
    an IPv6 packet.

  o An anycast address must not be assigned to an IPv6 host, that
    is, it may be assigned to an IPv6 router only.

And to help ensure this, the kernel denies binding to an address marked
with the anycast flag (see netinet6/in6_pcb.c).

This was obsoleted by RFC4291, including this change:

  o The restrictions on using IPv6 anycast addresses were removed because
    there is now sufficient experience with the use of anycast addresses,
    the issues are not specific to IPv6, and the GROW working group is
    working in this area.

So I think this restriction can now be removed, at least with this
change, but more might be needed.

Index: in6_pcb.c
===================================================================
RCS file: /cvs/src/sys/netinet6/in6_pcb.c,v
retrieving revision 1.108
diff -u -p -r1.108 in6_pcb.c
--- in6_pcb.c 4 Oct 2018 17:33:41 -0000 1.108
+++ in6_pcb.c 13 May 2019 07:28:02 -0000
@@ -185,10 +185,6 @@ in6_pcbaddrisavail(struct inpcb *inp, st
  sin6->sin6_port = lport;
 
  /*
- * bind to an anycast address might accidentally
- * cause sending a packet with an anycast source
- * address, so we forbid it.
- *
  * We should allow to bind to a deprecated address,
  * since the application dare to use it.
  * But, can we assume that they are careful enough
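Review bot: with the first paragraph deleted, the comment block now opens on "We should allow to bind to a deprecated address" and no longer records why an anycast address is acceptable here; since the flag check a few lines down still keys on ia6_flags, a one-line note that the RFC 3513 anycast restriction was lifted by RFC 4291 (as the cover mail explains) would stop a later reader from re-adding IN6_IFF_ANYCAST to that mask.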
@@ -197,8 +193,8 @@ in6_pcbaddrisavail(struct inpcb *inp, st
  * flag to control the bind(2) behavior against
  * deprecated addresses (default: forbid bind(2)).
  */
- if (ifa && ifatoia6(ifa)->ia6_flags & (IN6_IFF_ANYCAST|
-    IN6_IFF_TENTATIVE|IN6_IFF_DUPLICATED|IN6_IFF_DETACHED))
+ if (ifa && ifatoia6(ifa)->ia6_flags & (IN6_IFF_TENTATIVE|
+    IN6_IFF_DUPLICATED|IN6_IFF_DETACHED))
  return (EADDRNOTAVAIL);
  }
  if (lport) {
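Review bot: removing IN6_IFF_ANYCAST from the mask changes only what bind(2) accepts, and the cover mail's "more might be needed" deserves settling before commit: a socket bound this way will now send with the anycast address as its source, so any other netinet6 code that still treats IN6_IFF_ANYCAST addresses as unusable (on the output or source-selection path) should be checked so the kernel is consistent. The remaining TENTATIVE|DUPLICATED|DETACHED refusal and the `ifa &&` guard before ifatoia6(ifa) are unchanged and look right.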

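An added example, not from the thread or from the OpenBSD tree, that reproduces the kernel's decision from user space: it asks for a UDP bind to each address given and reports the errno, so an address the kernel refuses (EADDRNOTAVAIL, the "Can't assign requested address" in the NSD and Unbound logs above) shows up before the daemons are started. Port 0 is used so the probe needs no root and does not collide with a running resolver; the function and program names are mine.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Ask the kernel whether it will let us bind a UDP socket to addr:port.
 * Returns 0 when the bind succeeds, otherwise the errno from socket(2)
 * or bind(2). EADDRNOTAVAIL is what in6_pcbaddrisavail() hands back for
 * an address whose ifa flags it rejects (anycast before the patch above,
 * tentative/duplicated/detached after it), and also for an address that
 * is simply not configured on any interface of this host.
 */
int probe_bind6(const char *addr, unsigned short port)
{
	struct sockaddr_in6 sin6;
	int s, err = 0;

	memset(&sin6, 0, sizeof(sin6));
	sin6.sin6_family = AF_INET6;
	sin6.sin6_port = htons(port);
	if (inet_pton(AF_INET6, addr, &sin6.sin6_addr) != 1)
		return EINVAL;	/* not a valid IPv6 address literal */

	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
		return errno;	/* e.g. EAFNOSUPPORT: no IPv6 in this kernel */
	if (bind(s, (struct sockaddr *)&sin6, sizeof(sin6)) == -1)
		err = errno;
	close(s);
	return err;
}

/* Usage: ./probe6 2001:db8:beef::1 ::1 ...; exit status 1 if any address fails. */
int main(int argc, char *argv[])
{
	int i, failed = 0;

	for (i = 1; i < argc; i++) {
		int err = probe_bind6(argv[i], 0);	/* port 0: unprivileged */
		printf("%-40s %s\n", argv[i], err ? strerror(err) : "bindable");
		if (err)
			failed = 1;
	}
	return failed;
}
```

Run it with the addresses from nsd.conf and unbound.conf before restarting the daemons; an address that is configured but still reported as "Can't assign requested address" is one the kernel rejects on its flags rather than one that is missing.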

Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

Rachel Roch


> RFC3513 says this:
>
>  o An anycast address must not be used as the source address of
>  an IPv6 packet.
>
>  o An anycast address must not be assigned to an IPv6 host, that
>  is, it may be assigned to an IPv6 router only.
>
> And to help ensure this, the kernel denies binding to an address marked
> with the anycast flag (see netinet6/in6_pcb.c).
>
> This was obsoleted by RFC4291, including this change:
>
>  o The restrictions on using IPv6 anycast addresses were removed because
>  there is now sufficient experience with the use of anycast addresses,
>  the issues are not specific to IPv6, and the GROW working group is
>  working in this area.
>
> So I think this restriction can now be removed, at least with this
> change, but more might be needed
>

Certainly in my case the current OpenBSD situation represents a bit too much "nanny knows best".

My use-case is anycast DNS with NSD and Unbound.

Both NSD and unbound provide config parameters that allow distinguishing between listen address and source address.

But then again, is there any real reason to use the anycast flag ?  To make NSD and unbound work I reconfigured to remove the anycast flag from IPv6 addresses and nothing seems broken ?


Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

Henry Bonath
To chime in here, how I have always implemented Anycast DNS
is by creating additional Loopback adapters in the OS, and then
using BGP or OSPF to distribute said Loopback IPs into a routing
table.

Each DNS server participating in Anycast would have the same
IPv4 and IPv6 address configured on that loopback adapter.

e.g.:
/etc/hostname.lo1:
inet 192.0.2.53/32
inet6 2001:db8:dead:beef::53/128

/etc/ospfd.conf and /etc/ospf6d.conf:
router-id 192.0.2.53
fib-update no
stub router yes

auth-type crypt
auth-md 1 "mysecretkey"
auth-md-keyid 1

area 0.0.0.0 {
        interface em0
        interface lo1 {
                passive
        }
}


Aside from that, I also believe that if you are going by the old RFCs,
the "0" address is reserved as the anycast, so you would have to use
2001:db8:dead:beef::/128 in that case.

On Fri, May 17, 2019 at 8:21 AM Stuart Henderson <[hidden email]> wrote:

>
> On 2019/05/16 23:37, Rachel Roch wrote:
> >
> >
> > > RFC3513 says this:
> > >
> > >  o An anycast address must not be used as the source address of
> > >  an IPv6 packet.
> > >
> > >  o An anycast address must not be assigned to an IPv6 host, that
> > >  is, it may be assigned to an IPv6 router only.
> > >
> > > And to help ensure this, the kernel denies binding to an address marked
> > > with the anycast flag (see netinet6/in6_pcb.c).
> > >
> > > This was obsoleted by RFC4291, including this change:
> > >
> > >  o The restrictions on using IPv6 anycast addresses were removed because
> > >  there is now sufficient experience with the use of anycast addresses,
> > >  the issues are not specific to IPv6, and the GROW working group is
> > >  working in this area.
> > >
> > > So I think this restriction can now be removed, at least with this
> > > change, but more might be needed
> > >
> >
> > Certainly in my case the current OpenBSD situation represents a bit too much "nanny knows best".
>
> No, it represents "following the (old) RFCs".
>
> > My use-case is anycast DNS with NSD and Unbound.
> >
> > Both NSD and unbound provide config parameters that allow distinguishing between listen address and source address.
> >
> > But then again, is there any real reason to use the anycast flag ?  To make NSD and unbound work I reconfigured to remove the anycast flag from IPv6 addresses and nothing seems broken ?
> >
>
> If you are doing a typical "internet anycast services" setup with some
> routing protocol announcing the anycasted address then I don't see a use
> for the flag, AFAICT it was mostly in conjunction with using an anycast
> address for a local router, it feels like the usual IPv6 overengineering
> to me..
>