On Thu, Jan 06, 2011 at 09:45:04PM +0100, Paweł Krześniak wrote:
2011/1/6 Daniel P. Berrange <berrange(a)redhat.com>:
> While it is shorter to just use '--interface brname' this comes
> at the price of losing compatibility with older dnsmasq which
> we still wish to support.
Sure. RHEL5 is an important target :)
> If we used '--listen-address $IPV4ADDR --listen-address $IPV6ADDR'
> then people with dnsmasq < 2.48 can still use the virtual network
> capability in an IPv4-only context without problems. Only those
> people who actually needed IPv6 DNS would have to upgrade to
> newer dnsmasq.
A hack for users with old dnsmasq and IPv6 needs is the nodad option for
the /sbin/ip tool - read below.
> Do you have any idea what causes the delay ? In particular is
> the delay caused by the use of --listen-interface, or caused
> by the addition of IPv6 addrs ?
Delay is caused by DAD.
http://en.wikipedia.org/wiki/IPv6_address#Duplicate_address_detection
It's caused by IPv6 address, not by --listen-interface option:
# killall dnsmasq ; ip a del 2001:db8::1 dev wlan0 ; ip a add 2001:db8::1 dev wlan0 ; time dnsmasq --strict-order --bind-interfaces --conf-file= --except-interface lo --listen-address 2001:db8::1
dnsmasq: no process killed
real 0m2.008s
user 0m0.000s
sys 0m0.006s
# killall dnsmasq ; ip a del 2001:db8::1 dev wlan0 ; ip a add 2001:db8::1 dev wlan0 ; time dnsmasq --strict-order --bind-interfaces --conf-file= --except-interface lo --interface wlan0
real 0m2.006s
user 0m0.000s
sys 0m0.003s
We can add the v6 address to the interface while skipping DAD (nodad option
for the /sbin/ip tool), but we can end up with duplicate v6 hosts on the same
network. Without DAD dnsmasq doesn't need to wait:
# killall dnsmasq ; ip a del 2001:db8::1 dev wlan0 ; ip a add 2001:db8::1 dev wlan0 nodad ; time dnsmasq --strict-order --bind-interfaces --conf-file= --except-interface lo --interface wlan0
dnsmasq: no process killed
real 0m0.017s
user 0m0.000s
sys 0m0.005s
> Based on your descriptions here it sounds like going for multiple
> --listen-address parameters offers the same level of overall
> functionality, but with better compatibility for people on older
> dnsmasq. So I'm not seeing a compelling reason to switch over to
> using --listen-interface
OK, I understand.
Final question: what about link-local ipv6 addresses (fe80::/10).
Should we --listen-address on them? (I think we should)

Will DNS actually work over link-local addrs? IIUC, since
link-local addrs are scoped to a specific interface, apps
wanting to send traffic via a link local address need to
explicitly specify the interface name. Practically no apps
will do this and so they typically can't make use of
the link-local address. Mostly a link-local address is just
there for the purpose of allowing ipv6 autoconf to take
place at which point the real address is used. So I'm not
sure that we need/want to use --listen-address on the link
local addr.
Regards,
Daniel
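
An added example, not part of the original messages and not libvirt's code: rather than skipping DAD with nodad, a start-up script can wait until the address has left the tentative state before launching dnsmasq, and refuse to start if DAD reported a duplicate. The function names, the IP_CMD hook and the sample output are assumptions of this example; `tentative` and `dadfailed` are the address flags printed by the ip tool.

```bash
#!/usr/bin/env bash
# Constructed sample of `ip -6 addr show dev wlan0` output just after `ip a add`.
SAMPLE_TENTATIVE='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::1/128 scope global tentative
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Read `ip -6 addr show` output on stdin and print the DAD state of address $1:
# ready | tentative | dadfailed | missing
dad_state() {
    awk -v want="$1" '
        $1 == "inet6" {
            split($2, a, "/")
            if (a[1] != want) next
            found = 1; state = "ready"
            for (i = 3; i <= NF; i++) {
                if ($i == "dadfailed") { state = "dadfailed"; break }
                if ($i == "tentative") state = "tentative"
            }
            print state; exit
        }
        END { if (!found) print "missing" }'
}

# Poll until DAD has finished for address $2 on interface $1 (at most $3 tries,
# one second apart). Returns 0 when the address is usable, 1 on dadfailed, a
# missing address or timeout. IP_CMD is a hook of this example so the loop can
# be exercised without root; it defaults to the real ip tool.
wait_for_dad() {
    local iface=$1 addr=$2 tries=${3:-5} state
    while [ "$tries" -gt 0 ]; do
        state=$(${IP_CMD:-ip} -6 addr show dev "$iface" | dad_state "$addr")
        case $state in
            ready) return 0 ;;
            dadfailed|missing) echo "$addr on $iface: $state" >&2; return 1 ;;
        esac
        sleep 1
        tries=$((tries - 1))
    done
    echo "$addr on $iface: still tentative" >&2
    return 1
}

# Usage: wait_for_dad wlan0 2001:db8::1 && dnsmasq --strict-order --bind-interfaces ...
```

Unlike nodad, this keeps duplicate detection in place: a `dadfailed` address stops the start-up instead of leaving two hosts with the same address on the network.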