In this case I use dnsdist (by PowerDNS) for load balancing and failover
-- requests are balanced between my internal bind9 servers, and if they
are all down queries go to public DNS directly to avoid a total outage.
The challenge here is that the source IP for all requests is now coming
from dnsdist.
They have an article here:
https://dnsdist.org/advanced/passing-source-address.html that mentions
the functionality supported in dnsdist, but there is no overlap with
bind9 -- well, there was apparently up to 9.14, but it's since been
removed. Bind is still able to parse (and present) the ECS to you; that
works great, but the plumbing into the acl is what is needed to serve up
a separate view by source client.
Being realistic, this is not a large deployment; if it's an edge case
then it is surely not worth anyone's time to add support back in.
Thank you again for the replies.
-Ryan
On 9/2/21 2:42 PM, Evan Hunt wrote:
> On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote:
>> Thank you, in my searching I failed to come across that.
>> Do you know if it's been replaced by something more "practical to
>> deploy"? I found some discussion regarding support for "The PROXY
>> Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt)
>> but I don't believe it's planned. This seems like such a common
>> scenario, I'm surprised the support that was there was removed but not
>> replaced by anything. I suppose it is open-source software and I'm free
>> to port it into 9.16, but this isn't a big enough problem for me
>> personally to justify the time spent.
>
> We do have support for recursive ECS processing in the special-sauce
> version of BIND we charge money for, but there hasn't been enough demand
> for support on the authoritative side to make it worth the development
> effort so far. But I would encourage you to put in a feature request
> with details about your use case, and we'll consider it in the future.
>
> Unfortunately, the older auth support was terribly space-inefficient,
> and also didn't comply with the RFC, so it kind of had to go.
>
> I'm not sure which of the open-source auth servers currently have ECS
> support. PowerDNS maybe? And a quick google search just suggested one
> called gdnsd, which I hadn't heard of before.
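The dnsdist side of the setup described at the top of this message, as an added example that is not code from the thread or from the dnsdist documentation: two internal bind9 servers in one pool, a public resolver used only when that pool has no healthy backend, and ECS attached so the querying client's network reaches BIND. All addresses are constructed placeholders, and as the thread says, BIND will parse and log the ECS but will not select a view on it.

```lua
-- dnsdist.conf (Lua). Listen for clients on the internal address and
-- restrict which networks may query through this instance.
addLocal("192.0.2.1:53")                 -- constructed listener address
setACL({"192.0.2.0/24", "10.0.0.0/8"})   -- constructed client networks

-- Pool "internal": the bind9 servers. useClientSubnet=true makes dnsdist
-- add an EDNS Client Subnet option carrying the client's network, so the
-- backend sees more than dnsdist's own source IP.
newServer({address="10.0.0.11:53", pool="internal", order=1, useClientSubnet=true})
newServer({address="10.0.0.12:53", pool="internal", order=2, useClientSubnet=true})

-- Pool "public": fallback only. ECS is deliberately NOT added here so the
-- internal client's network is not disclosed to an external resolver.
newServer({address="203.0.113.53:53", pool="public"})  -- placeholder resolver

-- Truncate the address placed in ECS to a prefix (RFC 7871 recommends /24
-- for IPv4 and /56 for IPv6), and replace any ECS option a client sent
-- itself so a client cannot claim a different subnet than it came from.
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)
setECSOverride(true)

-- Failover: prefer the internal pool while any of its servers passes
-- health checks; otherwise route everything to the public pool.
setPoolServerPolicy(firstAvailable, "internal")
addAction(PoolAvailableRule("internal"), PoolAction("internal"))
addAction(AllRule(), PoolAction("public"))
```

With this in place, `rndc`-level view selection on the BIND side still keys on dnsdist's address; the ECS option only becomes visible in BIND's query logging and in the response it presents.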
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users