[dnsdist] force backend lookup for specific query name

Lucas Rolff lucas at lucasrolff.com
Sat Jun 26 10:36:17 UTC 2021


Thanks guys, it works like a charm!

I had to double escape in fact, like:
_acme-challenge\\..*

It results in an escape error if there is only a single backslash!

@ Eldon,

Let's Encrypt caches things rather briefly (I think 5 minutes or so), regardless of the configured TTL of the TXT record.

In my specific case, I have some pre-validation that happens prior to even doing the actual verification on the Let's Encrypt side, meaning my own system will query the nameservers first. In some cases, if one of the upstream servers is delayed with reloading, the dnsdist server ends up hitting the old entry. This is usually fixed within 1-5 seconds, but since the packetcache would then cache the wrong result for up to 5 minutes, it would in some cases break the validation.

There's a lot of stuff going on in the backend DNS servers, some of which are not fully controllable, so that's why I wanted to fix it on the dnsdist side.

I went for the SetSkipCacheAction recommended by Remi, together with the action code from you, and I get the exact result I expect, so that's awesome!

Thanks once again!

Best Regards,
Lucas Rolff

On 26/06/2021, 11.42, "dnsdist on behalf of Remi Gacogne via dnsdist" <dnsdist-bounces at mailman.powerdns.com on behalf of dnsdist at mailman.powerdns.com> wrote:

    On 6/26/21 8:09 AM, Eldon Koyle via dnsdist wrote:
    >> Is there any “easy” way to basically disable the packetcache for
    >> specific query names (ideally wildcarding the domain part of it),
    >> so it always causes a query to the backend/upstream servers?
    >> 
    > 
    > I'm not sure if this is the best way, but you could create another 
    > pool (https://dnsdist.org/guides/serverpools.html) with the same 
    > upstream servers but without a packetcache, then add a rule like the 
    > following (this is untested):
    > 
    > addAction(RE2Rule("_acme-challenge\..*"),
    > PoolAction("uncached_pool"))
    > 

    Or use SkipCacheAction [1].

    [1]: https://dnsdist.org/rules-actions.html?#SetSkipCacheAction

    -- 
    Remi Gacogne
    PowerDNS.COM BV - https://www.powerdns.com/
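As an added example (not configuration from anyone in the thread), the following dnsdist Lua snippet puts the two suggestions together with the double-escaped regex; the backend addresses and cache size are assumptions for illustration.

```lua
-- Added example (not from the thread): dnsdist configuration combining the
-- packet-cache bypass for _acme-challenge names with the two approaches
-- discussed. Backend addresses and cache size are assumptions.

-- Backends in the default pool; the packet cache is attached to this pool.
newServer({address = "192.0.2.10:53", pool = ""})
newServer({address = "192.0.2.11:53", pool = ""})
getPool(""):setCache(newPacketCache(100000, {maxTTL = 86400}))

-- Lua string literals need the backslash doubled: "_acme-challenge\\..*"
-- reaches RE2 as _acme-challenge\..* (a literal dot). With a single
-- backslash, Lua reports an invalid escape sequence when loading the config.
local acmeRegex = "_acme-challenge\\..*"

-- Option 1 (what the thread settled on): stay in the default pool, but skip
-- the packet cache for matching names, both the lookup and storing the answer,
-- so a stale TXT record cannot be served from cache during validation.
addAction(RE2Rule(acmeRegex), SetSkipCacheAction())

-- Option 2 (the alternative suggested in the thread): the same backends in a
-- second pool that has no cache attached, selected for matching names.
-- newServer({address = "192.0.2.10:53", pool = "uncached_pool"})
-- newServer({address = "192.0.2.11:53", pool = "uncached_pool"})
-- addAction(RE2Rule(acmeRegex), PoolAction("uncached_pool"))
```

Only one of the two options is needed; option 1 avoids doubling the backend definitions.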


