[dnsdist] nsupdate passing through dnsdist gets dropped by pdns

Darac Marjal mailinglist at darac.org.uk
Wed Jan 6 18:53:58 UTC 2021

On 06/01/2021 18:33, Darac Marjal via dnsdist wrote:
> On 06/01/2021 16:43, Remi Gacogne via dnsdist wrote:
>> Hi Darac,
>> On 1/6/21 5:35 PM, Darac Marjal via dnsdist wrote:
>>> Watching messages on the webserver, I can see that the "DNSOpcode.Update
>>> -> auth" rule is applied, but then the number of "Drops" on the auth
>>> server increments. On the pdns webmonitor "Remote hosts sending corrupt
>>> packets" also increments. After a few seconds, the nsupdate times out.
>>> Can anyone spot something I've done wrong, or suggest how I can go about
>>> debugging this further (I can't seem to figure out, for example, why
>>> pdns thinks the packet is corrupt).
>> This indeed suggests that dnsdist might be corrupting the packet
>> somehow, perhaps by adding the EDNS Client Subnet payload. Is there
>> any chance you could have a look at the packet sent from dnsdist to
>> the Authoritative Server, using for example tcpdump?
>> I am not aware of any issue of that type in 1.5.1 but we have had bugs
>> in that area before, so perhaps one remains?
> It looks like it might be something EDNS related.  I can see, in
> Wireshark, that the update is forwarded on with additional records. I've
> attached a PCAP showing the update coming in and being forwarded on.

And, if I turn off useClientSubnet in the server definition, it works
again. Looks like I need to do a bit more reading up about EDNS, then.
Thanks for the hint :)

>> Best regards,
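To act on the tcpdump suggestion in this thread, the following added example (not part of the original posts and not PowerDNS code) parses a DNS message captured on each side of dnsdist and lists the additional-section records the forwarded copy gained, including any EDNS Client Subnet option. Both packets are constructed samples and all function names are hypothetical.

```python
import struct
ECS = 8  # EDNS option code for Client Subnet (RFC 7871)

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def additional_records(msg):
    """Return (opcode, [(rrtype, [EDNS option codes])]) for the additional section."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                        # question (zone) section
        off = skip_name(msg, off) + 4
    found = []
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if i >= an + ns:                       # additional section only
            opts, p = [], off
            while rrtype == 41 and p < off + rdlen:   # OPT: walk its options
                code, olen = struct.unpack_from("!HH", msg, p)
                opts.append(code)
                p += 4 + olen
            found.append((rrtype, opts))
        off += rdlen
    return (flags >> 11) & 0xF, found

def added_by_proxy(before, after):
    """Additional-section records present after forwarding but not before."""
    seen = additional_records(before)[1]
    return [rr for rr in additional_records(after)[1] if rr not in seen]

def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

# Constructed sample: UPDATE (opcode 5) for zone example.org adding one A record.
body = (name("example.org") + struct.pack("!HH", 6, 1)
        + name("host.example.org") + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes([192, 0, 2, 10]))
from_client = struct.pack("!6H", 0x1234, 5 << 11, 1, 0, 1, 0) + body
# Constructed sample: the same message plus an OPT record with ECS 192.0.2.0/24.
ecs = struct.pack("!HHHBB", ECS, 7, 1, 24, 0) + bytes([192, 0, 2])
opt = b"\0" + struct.pack("!HHIH", 41, 1232, 0, len(ecs)) + ecs
to_backend = struct.pack("!6H", 0x1234, 5 << 11, 1, 0, 1, 1) + body + opt
```

Calling `added_by_proxy(from_client, to_backend)` on the DNS payloads exported from a capture shows whether an OPT record (type 41) with option code 8 appears only on the dnsdist-to-backend leg.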