Hello Ray,
On 6 Jan 2017, at 23:02, Ray Bellis wrote:
> On 06/01/2017 18:43, Wessels, Duane wrote:
>> The idea of "X-Forwarded-For" for DNS makes me nervous, but it is
>> probably inevitable.
>> It is of course quite similar to EDNS client subnet, except that
>> there is no masking and the client cannot opt-out. Might be worth
>> saying in your document why EDNS client subnet wouldn't work for this
>> purpose.
> I believe that dnsdist / PowerDNS is already (ab)using the ECS option
> for this purpose.
> The intent in part is to provide a separate option so that "real" ECS
> can pass unhindered. [ not that I think ECS is a good idea, but some
> folks want it, c'est la vie ]
Indeed, dnsdist uses ECS to pass the actual client IP to the real
backend DNS server. And indeed, this gets confusing when there is also
‘real’ ECS. So thank you for writing this draft, it will be very
useful!
However, both in ECS, and now in XPF, we do not get client’s port
number. With increasing CGNAT deployment, this makes it impossible to
distinguish clients once a request has passed through a proxy, like
dnsdist or a TLS frontend.
Can you please consider adding a port number field?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
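The option Peter describes dnsdist relying on, and the gap he points out, as an added example that is not part of the thread and not dnsdist's or PowerDNS's code: it encodes and decodes an RFC 7871 ECS option in pure Python, wraps it in an RFC 6891 OPT pseudo-RR, and shows that two constructed clients sharing one CGNAT address but using different source ports produce byte-identical options, so the backend behind the proxy cannot tell them apart. The helper names, the sample addresses (RFC 5737, RFC 3849 and RFC 6598 documentation/shared ranges) and the port numbers are constructed for illustration.

```python
"""EDNS Client Subnet (RFC 7871) on the wire, and what it cannot carry.

Added example, not code from the thread, dnsdist or PowerDNS. Helper names
and sample addresses are constructed for illustration.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8              # OPTION-CODE assigned to ECS (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers in FAMILY
OPT_TYPE = 41                    # OPT pseudo-RR type (RFC 6891)


def encode_ecs(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """OPTION-DATA for an ECS option: FAMILY(2) SOURCE(1) SCOPE(1) ADDRESS.

    ADDRESS is truncated to ceil(source_prefix / 8) octets and the bits past
    the prefix are zeroed, as RFC 7871 section 6 requires of senders.
    """
    ip = ipaddress.ip_address(address)
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix length out of range for this family")
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    masked = ipaddress.ip_network((str(ip), source_prefix), strict=False).network_address
    addr_octets = masked.packed[: (source_prefix + 7) // 8]
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_octets


def decode_ecs(data: bytes):
    """Inverse of encode_ecs; returns (address, source_prefix, scope_prefix).

    Rejects an unknown FAMILY and an ADDRESS field whose length disagrees
    with SOURCE PREFIX-LENGTH.
    """
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError("unsupported address family")
    full_len = 4 if family == FAMILY_IPV4 else 16
    addr_octets = data[4:]
    if len(addr_octets) != (source_prefix + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    padded = addr_octets + b"\x00" * (full_len - len(addr_octets))
    return str(ipaddress.ip_address(padded)), source_prefix, scope_prefix


def build_opt_rr(options, udp_payload: int = 1232) -> bytes:
    """Wire-format OPT pseudo-RR (RFC 6891): root NAME, TYPE 41, CLASS = UDP
    payload size, TTL = extended RCODE/version/flags (all zero here), then
    RDATA made of {OPTION-CODE, OPTION-LENGTH, OPTION-DATA} triples."""
    rdata = b"".join(struct.pack("!HH", code, len(d)) + d for code, d in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(rdata)) + rdata


def parse_opt_rr(wire: bytes):
    """Return the list of (code, data) options carried by an OPT RR."""
    if wire[0] != 0:
        raise ValueError("OPT NAME must be the root")
    rtype, _payload, _ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rtype != OPT_TYPE or len(wire) != 11 + rdlen:
        raise ValueError("not a well-formed OPT RR")
    options, pos = [], 11
    while pos < len(wire):
        code, length = struct.unpack("!HH", wire[pos:pos + 4])
        options.append((code, wire[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return options


def proxy_ecs_for_client(client_ip: str, client_port: int) -> bytes:
    """What a proxy can do with ECS alone, as Peter describes dnsdist doing:
    send the whole client address as a /32 or /128. client_port is accepted
    only to make the point: the option has no field that could carry it."""
    del client_port  # nowhere in the ECS format to put it
    return encode_ecs(client_ip, ipaddress.ip_address(client_ip).max_prefixlen)


def backend_can_distinguish(client_a, client_b) -> bool:
    """True if the backend behind the proxy sees different ECS data for the
    two (ip, port) clients; False means they collapse into one."""
    return proxy_ecs_for_client(*client_a) != proxy_ecs_for_client(*client_b)


if __name__ == "__main__":
    # Constructed sample: two hosts behind one CGNAT address (RFC 6598 space),
    # distinguishable on the proxy's socket only by source port.
    behind_cgnat = [("100.64.7.9", 40001), ("100.64.7.9", 40002)]
    opt = build_opt_rr([(ECS_OPTION_CODE, proxy_ecs_for_client(*behind_cgnat[0]))])
    print("OPT RR:", opt.hex())
    print("decoded:", decode_ecs(parse_opt_rr(opt)[0][1]))
    print("backend can tell them apart:", backend_can_distinguish(*behind_cgnat))
```

Running the script prints the same ECS option for both constructed clients and `False` for the final line, which is exactly the CGNAT problem raised above: once the proxy terminates the client's transport, the (address, port) pair is reduced to an address, and ECS offers no field to restore the port.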