Disable ipv6 in ddclient?

Hey!

I’m just now noticing an issue: my ddclient configuration looks like this:

# This file can be used as a template for configFile or is automatically generated by Nix options.
cache=/var/lib/ddclient/ddclient.cache
foreground=YES

usev4=cmdv4, cmdv4='/nix/store/[...]-curl-8.12.1-bin/bin/curl https://checkipv4.dedyn.io/'
usev6=disabled
login=[hostname]
password=@password_placeholder@
protocol=dyndns2

server=update.dedyn.io

ssl=yes
wildcard=YES
quiet=no
verbose=no

[hostname]

However, whenever the ipv4 changed, dedyn.io seems to automatically add an ipv6 to my hostname, probably due to the automatic determination described here: IP Update API — deSEC DNS API documentation

I also tried with the following configuration:

# This file can be used as a template for configFile or is automatically generated by Nix options.
cache=/var/lib/ddclient/ddclient.cache
foreground=YES

usev4=cmdv4, cmdv4='/nix/store/[...]-curl-8.12.1-bin/bin/curl https://checkipv4.dedyn.io/'
usev6=ipv6, ipv6=''
login=[host]
password=@password_placeholder@
protocol=dyndns2

server=update.dedyn.io

ssl=yes
wildcard=YES
quiet=no
verbose=no

[host]

But then ddclient fails with:

WARNING: [host][usev6=ipv6 ipv6=<undefined>]> not a valid IPv6 address
WARNING: [host][usev6=ipv6 ipv6=<undefined>]> did not find an IPv6 address
WARNING: [host]> unable to determine IPv6 address with strategy '--usev6=ipv6'

And then dedyn.io still adds an ipv6.

Do you know how I could actually disable the automatic ipv6 setting using newer versions of ddclient?

I also tried setting the host to update.dedyn.io&myipv6= as suggested in the desec docs, but then ddclient complains that https://update.dedyn.io&myipv6= is not a valid url. And trying with update.dedyn.io?myipv6= with usev6=disabled still also leads to an ipv6 being added to my hostname.

Do you know what the good way to not have any ipv6 set for my hostname is, with newer ddclient versions?

This is my last issue with desec, and I think I’m this close to a perfect setup! I already recommended your system to a few friends :smile:

I just tried one more alternative aka setting usev6=ipv6, ipv6='preserve', still without success: it’s detecting that preserve is an invalid ipv6, and I guess is not actually adding it to the request.

I’m a bit out of ideas of things to try; did anyone manage to disable ipv6 update with ddclient version 4.0.0?

I don’t use ddclient and I’m not a perl hacker :wink:

But you might try using a token that is scoped to only allow write access to the A record. (I haven’t tried this so it might not work.)

Good luck!
fiwswe

1 Like

Thank you for your answer! Unfortunately I just tried and doing so leads to the ipv4 updates to be ignored too, and ddclient just logging a failure :cry:

Maybe there’s any other recommended way of updating dynamic IP addresses, that wouldn’t rely on ddclient?

I was going to say that interestingly enough another machine with the exact same ddclient configuration doesn’t automatically see an ipv6 added; but I guess that’s probably due to it hitting the dedyn server over ipv4.

The sad thing is, I literally can’t find any way to configure ddclient to let me disable that with desec.

Maybe it’d make sense for dedyn to add a &noautodetermination=true or similar, that wouldn’t actually be part of the dyndns spec and thus should be passed through by any tools? Either that or I’m doing something stupid, but I’ve been trying to fix this for several months now and I’ve basically given up, only deleting the ipv6 manually whenever the ipv4 changes, which leads to a few hours/days of downtime each time.

Maybe I should just use raw curl, but it’d mean hitting the dedyn endpoints way more often because I would not implement things as well as ddclient does… :cry:

You may want to look at GitHub - jameskimmel/deSEC_DynDNS: DynDNS for deSEC.io

And I’m sure there are other solutions available that use curl without putting undue load on the deSEC servers.

1 Like

Yeah, please give it a try @Ekleog.
If something is unclear, or you need help with something, or something isn’t working, feel free to reach out here or open up a github issue.

You would be the first real user besides me to test this. So your feedback would be highly appreciated.

In your case you could simple disable IPv6 by setting CHECK_IPV6=false.
Although to be honest, I don’t see a reason on why you would want to disable IPv6.

I’m not convinced this is the right point to address this issue; it would imply that this change be made by all DNS operators that would like to support it.

A better solution would be to add a setting to ddclient so it does what you want. Have you tried a feature request there?

Stay secure,
Peter

1 Like

I’ll have a look at it next time I have cycles to spare on this, thank you!

As for why I’m disabling IPv6, my ISP’s box does not AFAIK allow me to redirect IPv6 ports to my machine inside the firewall, so the only choice I have is to only have an IPv4 endpoint.

I guess that makes sense, though TBH I have completely given up on figuring out anything about ddclient: I’ve found something like 2-3 repos with as many documentation spots, and basically all of them seem to not match my local ddclient. And that’s even before trying to figure out how to reach out to the developers :sweat_smile:

I guess I’ll try @KapernMagIchNicht’s solution and see how that goes, thank you for your comment about what’s reasonable or not! And worst case I’ll maybe just write my own dyndns client, after all I’m a big fan of RIIR, the only thing missing being time :sweat_smile:

For IPv4, you redirect traffic with NAT, which most of the time automatically creates the corresponding firewall rule.
For IPv6, you only need to create the firewall rules to the public IPv6.