To chime in here, how I have always implemented Anycast DNS is by creating additional Loopback adapters in the OS, and then using BGP or OSPF to distribute said Loopback IPs into a routing table.
Each DNS server participating in Anycast would have the same IPv4 and IPv6 address configured on that loopback adapter.

e.g.:

/etc/hostname.lo1:

    inet 192.0.2.53/32
    inet6 2001:db8:dead:beef::53/128

/etc/ospfd.conf and /etc/ospf6d.conf:

    router-id 192.0.2.53
    fib-update no
    stub router yes
    auth-type crypt
    auth-md 1 "mysecretkey"
    auth-md-keyid 1
    area 0.0.0.0 {
        interface em0
        interface lo1 { passive }
    }

Aside from that, I also believe that if you are going by the old RFCs, the "0" address is reserved as the anycast, so you would have to use 2001:db8:dead:beef::/128 in that case.

On Fri, May 17, 2019 at 8:21 AM Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2019/05/16 23:37, Rachel Roch wrote:
> >
> > > RFC3513 says this:
> > >
> > >    o An anycast address must not be used as the source address of
> > >      an IPv6 packet.
> > >
> > >    o An anycast address must not be assigned to an IPv6 host, that
> > >      is, it may be assigned to an IPv6 router only.
> > >
> > > And to help ensure this, the kernel denies binding to an address marked
> > > with the anycast flag (see netinet6/in6_pcb.c).
> > >
> > > This was obsoleted by RFC4291, including this change:
> > >
> > >    o The restrictions on using IPv6 anycast addresses were removed because
> > >      there is now sufficient experience with the use of anycast addresses,
> > >      the issues are not specific to IPv6, and the GROW working group is
> > >      working in this area.
> > >
> > > So I think this restriction can now be removed, at least with this
> > > change, but more might be needed
> > >
> >
> > Certainly in my case the current OpenBSD situation represents a bit too
> > much "nanny knows best".
>
> No, it represents "following the (old) RFCs".
>
> > My use-case is anycast DNS with NSD and Unbound.
> >
> > Both NSD and unbound provide config parameters that allow distinguishing
> > between listen address and source address.
> >
> > But then again, is there any real reason to use the anycast flag? To make
> > NSD and unbound work I reconfigured to remove the anycast flag from IPv6
> > addresses and nothing seems broken?
> >
>
> If you are doing a typical "internet anycast services" setup with some
> routing protocol announcing the anycasted address then I don't see a use
> for the flag, AFAICT it was mostly in conjunction with using an anycast
> address for a local router, it feels like the usual IPv6 overengineering
> to me..
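A health check to accompany the loopback-plus-OSPF setup in the message above, as an added example that is not part of the original thread: with a passive `lo1`, the address keeps being announced even if the DNS daemon has died, so this sketch removes the anycast addresses after repeated probe failures and restores them after sustained recovery. Assumptions: the daemon also listens on 127.0.0.1, the probe name and thresholds are placeholders, and the routing daemon withdraws the host route once the address is deleted.

```sh
#!/bin/sh
# Added example, not from the thread. lo1 and the two addresses are the ones
# in the message; everything else below is an assumption chosen for the sketch.
IF=lo1
V4=192.0.2.53
V6=2001:db8:dead:beef::53
PROBE_NAME=example.com   # placeholder: a name this server must be able to answer
PROBE_ADDR=127.0.0.1     # assumed non-anycast listen address of the daemon
FAIL_MAX=3               # consecutive failures before withdrawing
OK_MIN=5                 # consecutive successes before re-announcing

# Hysteresis: next_state CURRENT FAILS OKS -> prints "up" or "down".
next_state() {
    if [ "$1" = up ] && [ "$2" -ge "$FAIL_MAX" ]; then echo down
    elif [ "$1" = down ] && [ "$3" -ge "$OK_MIN" ]; then echo up
    else echo "$1"
    fi
}

# Healthy only if the daemon returns a non-empty answer within one second.
probe() {
    [ -n "$(dig +time=1 +tries=1 +short @"$PROBE_ADDR" "$PROBE_NAME" SOA 2>/dev/null)" ]
}

# Add or remove the service addresses on the loopback interface.
apply() {
    if [ "$1" = up ]; then
        ifconfig "$IF" inet "$V4/32" alias
        ifconfig "$IF" inet6 "$V6/128" alias
    else
        ifconfig "$IF" inet "$V4" delete
        ifconfig "$IF" inet6 "$V6" delete
    fi
}

main() {
    state=up fails=0 oks=0
    while :; do
        if probe; then oks=$((oks + 1)); fails=0
        else fails=$((fails + 1)); oks=0
        fi
        new=$(next_state "$state" "$fails" "$oks")
        if [ "$new" != "$state" ]; then
            apply "$new" && state=$new
            logger -t anycast-check "$V4 / $V6 now $state"
        fi
        sleep 2
    done
}

# Start the loop only when invoked as: anycast-check.sh run
if [ "${1:-}" = run ]; then main; fi
```

The asymmetric thresholds keep a flapping daemon from causing repeated route churn across the OSPF area.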