[dnsdist] nsupdate passing through dnsdist gets dropped by pdns

Remi Gacogne remi.gacogne at powerdns.com
Wed Jan 6 21:49:16 UTC 2021

On 1/6/21 7:53 PM, Darac Marjal via dnsdist wrote:
>> It looks like it might be something EDNS related.  I can see, in
>> Wireshark, that the update is forwarded on with additional records. I've
>> attached a PCAP showing the update coming it and being forwarded on.
> And, if I turn off useClientSubnet in the server definition, it works 
> again. Looks like I need to do a bit more reading up about EDNS, then. 
> Thanks for the hint :)

Looking at your PCAP we can see that the UPDATE is TSIG-signed. 
Unfortunately adding EDNS Client Subnet adds a record which breaks the 
signature, and that's likely why the authoritative server rejects it.
We can't fix the signature on dnsdist's side, as it would require having 
the TSIG key and is quite out of scope for dnsdist anyway. Perhaps you 
could disable TSIG on the client side?

I'm afraid the authoritative server does not support any other option to 
pass the client source IP yet, like XPF or the Proxy Protocol.

Best regards,

Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210106/4c6f3b72/attachment.sig>

More information about the dnsdist mailing list