Hi,
Running Unbound 1.4.16, I cannot put "interface: fe80::…" into unbound.conf. It warns on startup that there's no IPv6 support. Yet, outgoing interface is default (:
and the default ::1 bind works. Finally, just setting it to "::0" to listen on all works, and that's what I've had to do, just using access control to limit it.
So what's happening? I'd love to only accept queries from the local link, and retrieve DNS data from v6-reachable name servers. Your help appreciated.
Cheers,
Sabahattin
At a guess (because I haven't explored this area with unbound): remember
that link-level addresses are per-interface and need a scope in order to
be interpreted.
A convention on KAME-derived systems is that you can attach the
interface name to the address as the scope, with %intf at the end of the
address.
Here you'll see how I can't even ping an IP address attached to an
interface on the same machine generating the pings, until I provide a
scope for interpretation.
% ping6 -n fe80::2e0:81ff:fe5c:8ea9
ping6: UDP connect: Network is unreachable
% ping6 -n fe80::2e0:81ff:fe5c:8ea9%bge0
PING6(56=40+8+8 bytes) fe80::2e0:81ff:fe5c:8ea9%bge0 --> fe80::2e0:81ff:fe5c:8ea9%bge0
16 bytes from fe80::2e0:81ff:fe5c:8ea9%bge0, icmp_seq=0 hlim=64 time=0.072 ms
^C
-Phil
> Running Unbound 1.4.16, I cannot put "interface: fe80::…" into unbound.conf. It warns on startup that there's no IPv6 support. Yet, outgoing interface is default (:
> and the default ::1 bind works. Finally, just setting it to "::0" to listen on all works, and that's what I've had to do, just using access control to limit it.
> So what's happening? I'd love to only accept queries from the local link, and retrieve DNS data from v6-reachable name servers. Your help appreciated.
> At a guess (because I haven't explored this area with unbound): remember
> that link-level addresses are per-interface and need a scope in order to
> be interpreted.
I didn't know that about the zone ID, in fact (save one or two experiences with it), so thanks for increasing my knowledge.
It does seem a bit silly though, given that the host can disambiguate this itself.
> A convention on KAME-derived systems is that you can attach the
> interface name to the address as the scope, with %intf at the end of the
> address.
Yes. On Linux too, the zone ID is expressed as %interface, e.g. %eth0. Now it works fine. Thanks! On Windows it seems to be %<interface-number>.
Cheers,
Sabahattin
In fact, the host cannot.
There are a number of situations where a host could have the same link-local IP address on two or more interfaces.
For example,
i) If it is using a trunk protocol to connect to multiple VLANs on a single NIC
ii) If the MAC address is not based on the NIC but on the CPU
In this situation, the host would not be able to know which interface to listen on without the zone ID.
Best regards
Arni
Arni Birgisson
Professional Services
Men & Mice
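Phil's point that a link-local address needs a scope, and Arni's point that the host cannot pick the interface on its own, suggest a small pre-flight check on unbound.conf before starting the daemon. The Python below is an added example, not code from the thread or from the Unbound project: it flags `interface:` values that are link-local without a zone ID, and marks wildcard binds so you remember that access-control is the only thing limiting them. The unbound.conf fragment is constructed; stripping an `@port` suffix follows the `interface: <ip[@port]>` syntax documented for unbound.conf.

```python
import ipaddress
import re

# Constructed unbound.conf fragment for the demo (not from the thread).
SAMPLE_CONF = """\
server:
    interface: ::1
    interface: fe80::2e0:81ff:fe5c:8ea9
    interface: fe80::2e0:81ff:fe5c:8ea9%eth0
    interface: ::0
    interface: 192.0.2.53
    access-control: fe80::/10 allow
"""

def split_interface(value):
    """Split 'addr%zone@port' into (addr, zone, port); absent parts are None."""
    rest, at, port = value.partition("@")
    addr, pct, zone = rest.partition("%")
    return addr, (zone if pct else None), (port if at else None)

def check_interface(value):
    """Classify one unbound 'interface:' value.

    'ok'         usable as written
    'needs-zone' link-local IPv6 without %zone: the kernel cannot choose
                 an interface (the same fe80:: address may exist on several),
                 so the bind fails
    'wildcard'   ::0 / 0.0.0.0 listens everywhere; only access-control limits it
    'invalid'    not an IP address at all
    """
    addr, zone, _port = split_interface(value)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_unspecified:
        return "wildcard"
    # A zone may be a name (%eth0 on Linux/BSD) or a number (%12 on Windows).
    if ip.version == 6 and ip.is_link_local and zone is None:
        return "needs-zone"
    return "ok"

def audit_conf(text):
    """Return [(value, verdict)] for every 'interface:' line in the config."""
    results = []
    for line in text.splitlines():
        m = re.match(r"\s*interface:\s*(\S+)", line)
        if m:
            results.append((m.group(1), check_interface(m.group(1))))
    return results

if __name__ == "__main__":
    for value, verdict in audit_conf(SAMPLE_CONF):
        print(f"{value:40} {verdict}")
```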