[dnsdist] nsupdate passing through dnsdist gets dropped by pdns
Remi Gacogne
remi.gacogne at powerdns.com
Wed Jan 6 21:49:16 UTC 2021
On 1/6/21 7:53 PM, Darac Marjal via dnsdist wrote:
>> It looks like it might be something EDNS related. I can see, in
>> Wireshark, that the update is forwarded on with additional records. I've
>> attached a PCAP showing the update coming in and being forwarded on.
>
> And, if I turn off useClientSubnet in the server definition, it works
> again. Looks like I need to do a bit more reading up about EDNS, then.
> Thanks for the hint :)
Looking at your PCAP we can see that the UPDATE is TSIG-signed.
Unfortunately adding EDNS Client Subnet adds a record which breaks the
signature, and that's likely why the authoritative server rejects it.
We can't fix the signature on dnsdist's side, as it would require having
the TSIG key and is quite out of scope for dnsdist anyway. Perhaps you
could disable TSIG on the client side?
I'm afraid the authoritative server does not support any other option to
pass the client source IP yet, like XPF or the Proxy Protocol.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
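As an added illustration of the point above (not part of the original thread or of dnsdist's own code), the pure-Python sketch below builds a TSIG-signed UPDATE, then inserts the EDNS OPT record with a Client Subnet option that useClientSubnet adds in effect, and shows the server-side MAC check failing on the modified message. The key name, secret, zone, addresses and timestamp are constructed for the example, and the messages use no name compression.

```python
import hmac, hashlib, struct
KEY, KEYNAME, ALG = b"constructed-demo-secret", "dnsdist-demo.", "hmac-sha256."  # constructed key, not a real one

def name(n):  # uncompressed wire-format name
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in n.rstrip(".").split(".") if lab) + b"\x00"
def skip_name(msg, off):  # offset just past an uncompressed name (these messages use no 0xC0 pointers)
    while msg[off]: off += msg[off] + 1
    return off + 1
def with_arcount(msg, delta):  # copy of msg with ARCOUNT (header bytes 10-11) adjusted by delta
    return msg[:10] + struct.pack(">H", struct.unpack(">H", msg[10:12])[0] + delta) + msg[12:]

def build_update():
    """Minimal UPDATE (opcode 5): zone example.org. IN SOA; add host.example.org. 300 IN A 192.0.2.10."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x2800, 1, 0, 1, 0)  # ID, flags (opcode 5), ZO/PR/UP/AD counts
    zone = name("example.org.") + struct.pack(">HH", 6, 1)
    rr = name("host.example.org.") + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return hdr + zone + rr

def tsig_vars(time_signed, fudge=300):
    """TSIG variables covered by the MAC (RFC 8945 4.3.3): key name, class ANY, TTL 0, alg, time, fudge, error, other len."""
    return name(KEYNAME) + struct.pack(">HI", 255, 0) + name(ALG) + time_signed.to_bytes(6, "big") + struct.pack(">HHH", fudge, 0, 0)

def sign(msg, time_signed=1609969796):
    """Client side: MAC over the whole message as sent, then append the TSIG RR as the last additional record."""
    mac = hmac.new(KEY, msg + tsig_vars(time_signed), hashlib.sha256).digest()
    rdata = name(ALG) + time_signed.to_bytes(6, "big") + struct.pack(">HH", 300, len(mac)) + mac + msg[:2] + bytes(4)  # + original ID, error 0, other len 0
    return with_arcount(msg, 1) + name(KEYNAME) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata

def last_rr_offset(msg):
    """Offset of the final RR; RFC 8945 requires the TSIG to be the last record in the additional section."""
    counts, off = struct.unpack(">HHHH", msg[4:12]), 12
    for i in range(sum(counts)):
        start, off = off, skip_name(msg, off)
        off += 4 if i < counts[0] else 10 + struct.unpack(">H", msg[off + 8:off + 10])[0]
    return start

def add_client_subnet(msg, addr=bytes([192, 0, 2, 0]), prefix=24):
    """What useClientSubnet does in effect: an OPT RR carrying ECS (option code 8) inserted ahead of the TSIG."""
    ecs = struct.pack(">HHHBB", 8, 4 + prefix // 8, 1, prefix, 0) + addr[:prefix // 8]
    opt = b"\x00" + struct.pack(">HHIH", 41, 512, 0, len(ecs)) + ecs  # root owner, type OPT, UDP size 512
    start = last_rr_offset(msg)
    return with_arcount(msg[:start], 1) + opt + msg[start:]

def verify(msg):
    """Server side: strip the TSIG, decrement ARCOUNT, recompute the MAC; any byte added in transit changes it."""
    start = last_rr_offset(msg)
    p = skip_name(msg, skip_name(msg, start) + 10)  # past TSIG owner, type/class/TTL/RDLENGTH and algorithm name
    time_signed, (fudge, macsize) = int.from_bytes(msg[p:p + 6], "big"), struct.unpack(">HH", msg[p + 6:p + 10])
    mac, covered = msg[p + 10:p + 10 + macsize], with_arcount(msg[:start], -1) + tsig_vars(time_signed, fudge)
    return hmac.compare_digest(mac, hmac.new(KEY, covered, hashlib.sha256).digest())
```

`verify(sign(build_update()))` is True, while `verify(add_client_subnet(sign(build_update())))` is False, which is the rejection seen at the authoritative server.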