PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

recursor: Add prefer IPv6/IPv4 option for outgoing queries #10991

Open drixter opened 2 years ago

drixter commented 2 years ago

Short description

The request is to add additional options for preferring or prioritizing the protocol used for outgoing queries, IPv4 or IPv6, where both are available. Similar to the option unbound has, quoted below:

prefer-ip4: If enabled, prefer IPv4 transport for sending DNS queries to internet nameservers. Default is no. Useful if the IPv6 netblock the server has, the entire /64 of that is not owned by one operator and the reputation of the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that the upstream servers have.

prefer-ip6: If enabled, prefer IPv6 transport for sending DNS queries to internet nameservers. Default is no.

Usecase

PDNS Recursor will try the preferred protocol version; if this fails or times out, it falls back to the next one, but by default it will try to use the "preferred" protocol version.

Description

Why this could be needed: in the case of CGNAT/NAT and so on, some people may run a resolver at home. They may have a public IPv6 address but a shared IPv4 address, which could be limited on the nameservers' side. Another use case could be that IPv6 is available but has bad connectivity, and the user wants to force IPv4 and keep IPv6 as fallback.
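As an added illustration of the semantics requested above (this is not PowerDNS code, and the function and class names are my own): order the candidate nameserver addresses so the preferred address family comes first, try them in turn, and fall back to the other family when the preferred one times out. The transport is injected as a callable so the example runs offline; the nameserver addresses and the "dead" IPv6 path are constructed sample data.

```python
"""Illustration of a "prefer IPv4/IPv6 for outgoing queries" option with
fallback. Not PowerDNS Recursor code; all names here are assumptions."""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable, Optional


class QueryTimeout(Exception):
    """Raised by the transport when a nameserver address does not answer."""


def order_by_preference(addrs: Iterable[str], prefer: Optional[str]) -> list[str]:
    """Return addrs with the preferred family first.

    prefer is "ipv4", "ipv6" or None (None keeps the input order, i.e. the
    current behaviour where no family is favoured). Relative order within
    each family is preserved, so any existing ranking by RTT is kept.
    """
    if prefer not in (None, "ipv4", "ipv6"):
        raise ValueError(f"unknown preference {prefer!r}")
    parsed = [(a, ipaddress.ip_address(a).version) for a in addrs]
    if prefer is None:
        return [a for a, _ in parsed]
    want = 4 if prefer == "ipv4" else 6
    preferred = [a for a, v in parsed if v == want]
    others = [a for a, v in parsed if v != want]
    return preferred + others


def query_with_fallback(
    addrs: Iterable[str],
    prefer: Optional[str],
    send: Callable[[str], bytes],
) -> tuple[str, bytes]:
    """Send the query to each address in preference order.

    A QueryTimeout from the transport moves on to the next address (which,
    after the preferred family is exhausted, is the other family). Returns
    (address that answered, answer). Raises QueryTimeout if nobody answers.
    """
    last: Optional[QueryTimeout] = None
    for addr in order_by_preference(addrs, prefer):
        try:
            return addr, send(addr)
        except QueryTimeout as exc:
            last = exc
    raise QueryTimeout("all nameserver addresses timed out") from last


# Constructed sample: one nameserver reachable over both families
# (documentation prefixes, not real servers).
NS_ADDRS = ["2001:db8::53", "192.0.2.53"]


def make_fake_transport(dead: set[str]) -> Callable[[str], bytes]:
    """Fake transport: addresses in `dead` time out, all others answer."""

    def send(addr: str) -> bytes:
        if addr in dead:
            raise QueryTimeout(addr)
        return b"answer-from-" + addr.encode()

    return send


def demo() -> dict[str, str]:
    """Show which address is used under each preference when IPv6 is broken."""
    broken_v6 = make_fake_transport({"2001:db8::53"})
    results = {}
    for prefer in ("ipv6", "ipv4", None):
        used, _ = query_with_fallback(NS_ADDRS, prefer, broken_v6)
        results[str(prefer)] = used
    return results


if __name__ == "__main__":
    for pref, used in demo().items():
        print(f"prefer={pref}: answered by {used}")
```

With the IPv6 path dead, all three settings end up using 192.0.2.53, but only because the IPv6 attempt timed out first for `prefer=ipv6` and `prefer=None`; with `prefer=ipv4` the IPv4 address is tried first and no timeout is paid. That difference in latency (and in which source address the upstream sees) is the point of the option.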

micheldeking commented 2 years ago

This would be a great feature. I have domains as slaves in pdns. In the master field in the database there is an IPv4 address. When I run pdnsutil check-zone manually there is no problem, but when the pdns cron is run, the error "Unable to retrieve SOA for" is thrown.

I think it is because it is trying to check over IPv6 instead of IPv4, while the IPv4 address is in the domain's master field.

Habbie commented 2 years ago

This would be a great feature.

The ticket is about recursor. Your note is about auth. If you want the same feature for auth, please make a new ticket with a careful description and a reason why it would be useful. Thanks!

dicksnippe commented 1 year ago

I would like this feature! The reasoning behind it is a bit convoluted, but has to do with how route53 (cloudfront) handles multivalue records (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-multivalue.html). It turns out that when route53 returns a smaller set of IP addresses from a bigger pool, it makes a difference whether the request to the route53 nameserver was done over IPv4 or IPv6. Example:

```
$ for x in {1..100}; do dig @ns-160.awsdns-20.com. +short -4 -t aaaa d1ltz0yuqm6shb.cloudfront.net; done | sort -u >take1
$ for x in {1..100}; do dig @ns-160.awsdns-20.com. +short -6 -t aaaa d1ltz0yuqm6shb.cloudfront.net; done | sort -u >take2
$ wc -l take1 take2
 128 take1
 128 take2
 256 total
$ cmp take1 take2
take1 take2 differ: byte 13, line 1
```

So in order to have somewhat more control over what pdns-recursor gets to see when it has to resolve a cloudfront address, it would be nice to be able to make pdns-recursor prefer IPv6 over IPv4 (or the other way around). In our use case this is relevant for a setup where a pdns master server uses a pdns-recursor instance to resolve its ALIAS records. When DNSSEC is enabled the pdns master has to run with outgoing-axfr-expand-alias=yes. However, for this to work some scripting is needed to see if the target an ALIAS record points to has changed (when it has, the script can force an increase-serial + zone transfer to let the slaves know about the new set of A/AAAA records behind the ALIAS record). Since this does not play well with the route53 behaviour explained above, I'd like to get the entire pool of addresses used by route53 (by doing many requests, say a hundred). And for that it would be advantageous to know in advance whether pdns-recursor is going to do its resolving over IPv4 or IPv6.

Ugh. Sorry for the convoluted mess :-)

drixter commented 1 year ago

Hi All,

Do you see a chance of getting this implemented somehow?

Thanks,