[Pdns-users] pdns-recursor behavior for edns client-subnet option

Nejedlo, Mark Mark.Nejedlo at tdstelecom.com
Wed Apr 12 15:19:06 UTC 2023

I'm hoping I can get some behavior questions clarified regarding how PowerDNS recursor handles EDNS client-subnet requests/responses.  We're looking at sending ECS to Akamai, and they have very specific requirements for how the resolver behaves.

First, if the client sends a request to pdns-recursor that includes ECS data, they want to be assured that the client subnet sent to Akamai's authoritative server is the actual client IP/subnet as seen by pdns and not the IP/subnet from the client's ECS data.  I think that "use-incoming-edns-subnet" defaulting to "no" covers this case, but wanted to verify that having dnsdist in front of pdns-recursor, using the proxy protocol to pass requests, did not cause pdns-recursor to honor the forwarded ECS data.

The second question is regarding how the response is formulated.  Akamai wants to be assured that the scope and mask in Akamai's response is not passed back to the end user.  I did not see a clear answer one way or the other in the pdns documentation, so I wanted to verify that this is what pdns-recursor does.

If there are specific options to pdns-recursor and/or dnsdist that are needed to achieve this behavior, that would be appreciated as well.


XML combines the efficiency of text files with the readability of binary files
