Why is nsd service listening on private IPv6 address?

When running the mailinabox command I get something like this:

Primary Hostname: mail.example.com
Public IP Address: 46.182.xxx.119
Public IPv6 Address: 2a02:xxx:15b::19
Private IPv6 Address: 2a02:xxx:15b:0:caf:e6ff:fea7:6959

Looking in the nsd.conf file I can see that it is listening on the private IPv6 address. Why is the nsd service listening on the private IPv6 address and not the public IPv6 address? I have the public IPv6 address configured as the IPv6 NS in my domains, and that is also what mailinabox applies. Bug?

To get DNS to answer external requests over IPv6 I need the nsd service to listen on the IPv6 address configured in my DNS zone, which in this case is the public IPv6 address.

I am using mailinabox v0.08.
I manually changed ~/mailinabox/management/dns_update.py on line 504, column 66, from env.get("PRIVATE_IPV6" to env.get("PUBLIC_IPV6".

The rationale is that the IP address of the network interface may not be how the box is known on the public network — such as if it is behind a firewall or proxy. Machines on Amazon AWS, for instance, typically have a network interface bound to an AWS-only IP address. The network interface doesn’t know what IP address it appears as on the public internet.

The box needs to know both. The PRIVATE_IP addresses are to identify the network interfaces to bind to. We only use this for nsd though, to prevent it from clashing with the bind9 service on localhost providing local/recursive and secure (i.e. DNSSEC-enabled) DNS. [EDIT: We also use it now in postfix’s configuration so multi-homed machines send outbound mail from the IP address specified in the box’s SPF record, so that there’s no mismatch between the machine’s IP address as visible to the receiver and the IP address in the SPF record.]

The PUBLIC_IP addresses are for what to put in DNS A/AAAA records.

This logic works well for IPv4. My experience with IPv6 is much less, so maybe I’m missing something there, but I expect the same sort of rationale would apply. The question is why binding to the interface’s address doesn’t let nsd get connections from the outside.

Alright Josh, I understand your meaning now with private and public IPv6 addresses.
The thing with IPv6 compared to IPv4 is that end-to-end communication is once again possible. You will not see that many ISPs using private IPv6 address ranges, because there exist so many public IPv6 addresses.

  • The ISP announces a /48 to the user.
  • The user has a router that takes a /64 from the above /48 and announces it internally on the network.

That /64 is not private addresses but public ones. It is not like in the IPv4 world. Doing it in other ways is not in line with the recommendations for IPv6.

Conclusion… I see no point in having one private and one public IPv6 address.
So why do I have one? Well, the thing you call the private IPv6 address is the long version based on the MAC address of the network card, which can change easily in a virtual machine. So I prefer setting a static IPv6 address like this. IPv6 is applied automatically in the operating system from Router Advertisements (RA) sent by the ISP. Think of RA as DHCP in the IPv4 world.

# /etc/network/interfaces: static IPv4, plus a fixed IPv6 address added when the interface comes up
# (the IPv6 default route still comes from the ISP's Router Advertisements)
iface eth0 inet static
        address 46.xxx.200.119
        gateway 46.xxx.200.115
        dns-nameservers 46.xxx.200.113 46.xxx.200.114
        up ip -6 addr add 2a02:xxx:15b::19/64 dev eth0
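The disagreement in this thread comes down to which IPv6 addresses the host actually has bound and whether the one published in DNS is among them. The script below is an added example, not Mail-in-a-Box code: it parses `ip -6 addr show` output, classifies each address (link-local, unique-local, or global unicast, the last of which is what a SLAAC address from the ISP's /48 is), flags the EUI-64 addresses that are derived from the MAC (recovering the MAC so you can see why they change when a VM's NIC does), and checks that the address you put in your AAAA/NS records is bound on some interface so nsd can listen on it. The sample `ip` output and the addresses in it are constructed and use the 2001:db8::/32 documentation prefix in place of a real provider prefix; `report()` runs the real `ip -6 addr show` when called without sample text.

```python
"""Check which IPv6 addresses a Linux host has bound, classify them, and
confirm that the address published in DNS (AAAA) is one of them.
Added example, not Mail-in-a-Box code; sample data below is constructed."""
import ipaddress
import re
import subprocess

# Constructed `ip -6 addr show` output: one static address, one SLAAC
# (EUI-64, MAC-derived) address and the mandatory link-local address.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:15b::19/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:15b:0:caf:e6ff:fea7:6959/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::caf:e6ff:fea7:6959/64 scope link
       valid_lft forever preferred_lft forever
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")           # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

_IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
_INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)(.*)$")


def parse_ip6_addrs(text):
    """Return one dict {iface, address, prefixlen, scope, flags} per inet6 line."""
    result, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m and iface:
            ifaddr = ipaddress.IPv6Interface(m.group(1))
            result.append({"iface": iface, "address": str(ifaddr.ip),
                           "prefixlen": ifaddr.network.prefixlen,
                           "scope": m.group(2), "flags": m.group(3).split()})
    return result


def classify(addr):
    """Classify by prefix. An address from the ISP's /48 is global unicast,
    not 'private', even though the kernel autoconfigured it."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def is_eui64(addr):
    """True if the interface identifier carries the ff:fe filler that SLAAC
    inserts when it builds the identifier from a 48-bit MAC (RFC 4291 app. A)."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE


def eui64_to_mac(addr):
    """Recover the MAC encoded in an EUI-64 identifier, or None if not EUI-64."""
    if not is_eui64(addr):
        return None
    b = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    b[0] ^= 0x02                        # undo the universal/local bit flip
    return ":".join("%02x" % x for x in b[0:3] + b[5:8])  # drop ff:fe


def address_is_bound(addr, bound):
    """True if `addr` (what you publish in AAAA/NS and want nsd to listen on)
    is bound on some interface in `bound`."""
    ip = ipaddress.IPv6Address(addr)
    return any(ipaddress.IPv6Address(e["address"]) == ip for e in bound)


def report(aaaa, text=None):
    """Print the host's IPv6 addresses and whether `aaaa` can be listened on.
    Runs the real `ip -6 addr show` when no text is supplied."""
    if text is None:
        text = subprocess.run(["ip", "-6", "addr", "show"], capture_output=True,
                              text=True, check=True).stdout
    bound = parse_ip6_addrs(text)
    for e in bound:
        mac = eui64_to_mac(e["address"])
        print("%-5s %-40s %-10s %s%s" % (
            e["iface"], e["address"], classify(e["address"]),
            "dynamic " if "dynamic" in e["flags"] else "",
            "(EUI-64 from MAC %s)" % mac if mac else ""))
    ok = address_is_bound(aaaa, bound)
    print("AAAA %s is %sbound on this host" % (aaaa, "" if ok else "NOT "))
    return ok


if __name__ == "__main__":
    report("2001:db8:15b::19", SAMPLE_IP6_ADDR)
```

On a real box run it as `python3 check6.py` after replacing the address passed to `report()` with the one in your zone file and dropping the sample text argument; if the AAAA address is not bound, nsd cannot bind to it no matter which variable dns_update.py uses, so fix the interface configuration (as in the `interfaces` stanza above) before touching the DNS code.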