[dnsdist] [EXT] Re: First alpha release of dnsdist 1.5.0

Fredrik Pettai pettai at sunet.se
Mon Mar 23 09:02:26 UTC 2020


Hi Remi,

> On 23 Mar 2020, at 09:41, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
> 
> Hi Frederik,
> 
> On 3/21/20 2:16 PM, Frederik Pettai wrote:
>>> On 20 Mar 2020, at 14:32, Remi Gacogne via dnsdist
>>> <dnsdist at mailman.powerdns.com> wrote:
>>> 
>>> […] The most exciting new feature is the implementation of the
>>> Proxy Protocol between dnsdist and its backends. Aimed to replace
>>> the use of EDNS Client Subnet and our own XPF, the Proxy Protocol
>>> is an existing standard where a small header is prepended to the
>>> query, passing not only the source and destination addresses and
>>> ports along to the backend, but also custom values. Support for
>>> parsing the Proxy Protocol is already available in the development
>>> tree of the PowerDNS Recursor.
>> 
>> From the text above, it’s not clear what the supported scope is, but
>> I interpret that it’s supported for all DNS services.
> 
> It is supported for UDP and TCP communications between dnsdist and its
> backend.
> 
>> This existing standard that text is referring to, which one is it?
>> The Github pull request (https://github.com/PowerDNS/pdns/pull/8874)
>> in the release notes for this work doesn’t reference that either.
>> The only IETF DNS proxy search result that I found was on XPF
>> (https://tools.ietf.org/id/draft-bellis-dnsop-xpf-02.html) which the
>> text above says is going to be replaced...
>> 
>> But going back to previous work on Github, this reference comes up:
>> https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt
> 
> That's the one. It's also documented there [1], although I now realize
> that I have not documented that we support only the binary (v2) version,
> not the plain-text one. I'll update the documentation.
> 
>> Have you or anyone else been discussing support for this with other
>> DNS software vendors too? If yes, were the reactions good? (Good like
>> “we’re going to consider adopting that too”?)
> 
> Yes, we discussed that with other DNS software vendors and the feedback
> was positive, in the sense that it is a better solution than all the
> other ones we considered. We can't promise that they will implement it,
> but they are certainly considering it.

Yes, it’s up to them of course…

Thanks for clarifying all of the above :)

> [1]: https://dnsdist.org/advanced/proxyprotocol.html


Btw, while looking over the documentation, perhaps you could add a relevant
example of usage of :setRCodeRatio (1.5.0 update) here too:
https://dnsdist.org/guides/dynblocks.html

Re,
/P
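
The header discussed in this thread, as an added example that is not part of the original messages or of dnsdist's own code: a minimal Python builder and parser for the binary (v2) PROXY protocol header, following the HAProxy specification linked above. The function names, the sample addresses and ports, and the custom TLV (type 0xE0, value "tenant-a") are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte magic that opens every v2 header
ADDR_LEN = {0x1: 4, 0x2: 16}           # address family nibble -> address size

def build_v2(src, dst, sport, dport, dgram=True, tlvs=()):
    """Build a v2 PROXY-command header; tlvs is a sequence of (type, bytes)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination families differ")
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    for t, v in tlvs:
        body += struct.pack("!BH", t, len(v)) + v
    fam_proto = ((0x1 if s.version == 4 else 0x2) << 4) | (0x2 if dgram else 0x1)
    return SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body

def parse_v2(data):
    """Split data into (info, payload); raise ValueError if the header is malformed."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("no v2 signature (the text v1 format is not accepted)")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0xF > 1:
        raise ValueError("bad version or command")
    if len(data) < 16 + length:
        raise ValueError("declared length exceeds received data")
    body, payload = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0xF else "LOCAL", "tlvs": []}
    if info["command"] == "LOCAL":  # no proxied client: address block is ignored
        return info, payload
    alen = ADDR_LEN.get(fam_proto >> 4)
    if alen is None or len(body) < 2 * alen + 4:
        raise ValueError("unsupported family or short address block")
    info["src"] = str(ipaddress.ip_address(body[:alen]))
    info["dst"] = str(ipaddress.ip_address(body[alen:2 * alen]))
    info["sport"], info["dport"] = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    pos = 2 * alen + 4
    while pos < len(body):  # remaining bytes are type-length-value entries
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + n > len(body):
            raise ValueError("TLV value overruns the header")
        info["tlvs"].append((t, body[pos + 3:pos + 3 + n]))
        pos += 3 + n
    return info, payload

# Constructed sample: 12 bytes standing in for a DNS query, one custom TLV.
QUERY = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
SAMPLE = build_v2("192.0.2.10", "198.51.100.53", 40000, 53, tlvs=[(0xE0, b"tenant-a")]) + QUERY
```

`parse_v2(SAMPLE)` returns the original client addresses, ports and the TLV, plus the untouched query bytes that follow the 39-byte header.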




