[dnsdist] nsupdate passing through dnsdist gets dropped by pdns

Darac Marjal mailinglist at darac.org.uk
Wed Jan 6 18:33:33 UTC 2021

On 06/01/2021 16:43, Remi Gacogne via dnsdist wrote:
> Hi Darac,
> On 1/6/21 5:35 PM, Darac Marjal via dnsdist wrote:
>> Watching messages on the webserver, I can see that the "DNSOpcode.Update
>> -> auth" rule is applied, but then the number of "Drops" on the auth
>> server increments. On the pdns webmonitor "Remote hosts sending corrupt
>> packets" also increments. After a few seconds, the nsupdate times out.
>> Can anyone spot something I've done wrong, or suggest how I can go about
>> debugging this further (I can't seem to figure out, for example, why
>> pdns thinks the packet is corrupt).
> This indeed suggests that dnsdist might be corrupting the packet
> somehow, perhaps by adding the EDNS Client Subnet payload. Is there
> any chance you could have a look at the packet sent from dnsdist to
> the Authoritative Server, using for example tcpdump?
> I am not aware of any issue of that type in 1.5.1 but we have had bugs
> in that area before, so perhaps one remains?

It looks like it might be something EDNS related.  I can see, in
Wireshark, that the update is forwarded on with additional records. I've
attached a PCAP showing the update coming it and being forwarded on.

> Best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: remy_nsupdate.pcap
Type: application/vnd.tcpdump.pcap
Size: 4340 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210106/4b9b7e88/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210106/4b9b7e88/attachment.sig>

More information about the dnsdist mailing list