Spurred on by Warren's announcement of a Docker image that uses NGINX to proxy TLS connections into DNS servers that don't natively support TLS, I've just written up this short draft describing an EDNS0 option that allows smart proxies to tell the backend server what the original client IP address was.
The master doc is at https://github.com/raybellis/draft-bellis-dnsop-xpf

Ray

-------- Forwarded Message --------
Subject: New Version Notification for draft-bellis-dnsop-xpf-00.txt
Date: Fri, 06 Jan 2017 06:18:40 -0800
From: internet-dra...@ietf.org
To: Ray Bellis <r...@isc.org>

A new version of I-D, draft-bellis-dnsop-xpf-00.txt has been successfully submitted by Ray Bellis and posted to the IETF repository.

Name: draft-bellis-dnsop-xpf
Revision: 00
Title: EDNS X-Proxied-For
Document date: 2017-01-06
Group: Individual Submission
Pages: 6
URL: https://www.ietf.org/internet-drafts/draft-bellis-dnsop-xpf-00.txt
Status: https://datatracker.ietf.org/doc/draft-bellis-dnsop-xpf/
Htmlized: https://tools.ietf.org/html/draft-bellis-dnsop-xpf-00

Abstract:
It is becoming more commonplace to install front end proxy devices in front of DNS servers to provide (for example) load balancing or to perform transport layer conversions. This document defines an option within the EDNS(0) Extension Mechanism for DNS that allows a DNS server to receive the original client source IP address when supplied by trusted proxies.