evilham,
@evilham@chaos.social avatar

rocks. Flawless physical migration with only a very minor downtime :-).
Thinking about networks as segregated network segments is just SO MUCH easier; this time around, I went and didn't even bother with setting up IPv4.

feld,
@feld@bikeshed.party avatar

@evilham is the only way to get hostnames automatically registered in DNS to use DHCPv6? I only do router advertisements where I have v6 right now

goetz,
@goetz@chaos.social avatar

@feld @evilham yes, to my knowledge.
But as I assign static host parts via DHCPv6 anyway, this is not a problem.

evilham,
@evilham@chaos.social avatar

@goetz @feld afaik, yes. But I don't use DHCPv6 beyond acting as a client for prefix delegation from the ISP; internally I use SLAAC with the privacy extensions disabled for machines.
This means I just assign and route the /64s I need, and apply changes to the DNS zones, which I manage with the prefixes as a variable.
Then, ofc, firewalls usually have to be checked a tad, but provisioning takes care of the pf macros :-) and of programs that need the IP addresses (like pg_hba to limit hosts).

feld,
@feld@bikeshed.party avatar

@evilham @goetz I want all my internal hosts registered in the local DNS like I do for IPv4 though -- forward and reverse 😭

feld,
@feld@bikeshed.party avatar

@evilham @goetz > like pg_hba to limit hosts

honestly I prefer the same approach AWS uses here with RDS Postgres servers -- pg_hba is configured to allow connections from everywhere, then you just limit access to the database with the firewall. Trying to add a source-host-based ACL for each database on the postgres instance is kinda stupid

evilham,
@evilham@chaos.social avatar

@feld @goetz is it stupid though?

Yes, in certain cases it can be an overhead, but it really is just layered security. Should something be funky with my firewall, each database can still only be accessed by its allowed hosts, also using authentication.

Of course this depends on the nature of the service, but I'd argue most of the time, the list of hosts that need access to a given database is pretty static and short.

I do prefer adding effective layers of security for little overhead :-).
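The per-database host ACL the thread argues about, as an added example that is not part of the thread or of anyone's setup: a script that renders pg_hba.conf lines from a prefix variable, the way the provisioning described above would, alongside the permissive firewall-only rule, plus a first-match checker that mirrors how PostgreSQL evaluates pg_hba.conf. Every prefix, host name, database and address below is constructed.

```python
import ipaddress

# Constructed inventory: the delegated prefix is a variable (documentation
# prefix used as a placeholder) and hosts keep stable, non-privacy addresses.
PREFIX = "2001:db8:abcd"
HOSTS = {
    "web1": f"{PREFIX}:10::10",
    "web2": f"{PREFIX}:10::11",
    "batch": f"{PREFIX}:20::5",
}
# Short, static list of which hosts may reach which database.
DB_ACCESS = {
    "shop": ["web1", "web2"],
    "reports": ["batch"],
}

# The "allow from everywhere, let the firewall decide" model from the thread.
PERMISSIVE_RULE = "host all all ::/0 scram-sha-256"


def render_pg_hba(db_access, hosts, role_for_db=None):
    """Return pg_hba.conf lines, one per (database, allowed host) pair.

    The role defaults to the database name unless role_for_db overrides it.
    Fields follow pg_hba.conf: TYPE DATABASE USER ADDRESS METHOD.
    """
    lines = []
    for db, names in db_access.items():
        role = (role_for_db or {}).get(db, db)
        for name in names:
            lines.append(f"host {db} {role} {hosts[name]}/128 scram-sha-256")
    return lines


def hba_allows(lines, database, role, address):
    """Return the first pg_hba line matching (database, role, address), or None.

    PostgreSQL stops at the first line whose database, user and address
    fields match; if no line matches, the connection is rejected outright.
    """
    addr = ipaddress.ip_address(address)
    for line in lines:
        _, db, user, cidr, _ = line.split()
        if db not in ("all", database) or user not in ("all", role):
            continue
        if addr in ipaddress.ip_network(cidr, strict=False):
            return line
    return None
```

With the rendered rules, a host that belongs to the "reports" segment gets no match for "shop" even if the firewall let the packet through, whereas the permissive rule matches any source.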
