PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

dnsdist: add DNSQType GSS-TSIG #14839

Closed tomwijnroks closed 1 week ago

tomwijnroks commented 2 weeks ago

Short description

Add a DNSQType for GSS-TSIG so these types of DNS requests can be refused in dnsdist to prevent unnecessary logging.

Use case

Refuse GSS-TSIG requests to dnsdist when the GSS-TSIG feature was not compiled into PowerDNS. When GSS-TSIG was not compiled into PowerDNS, every GSS-TSIG request logs the following message:

Nov 11 15:22:52 ns1 pdns_server[3681960]: GSS-TSIG request but not feature not compiled in

Description

It seems it is already possible to refuse these requests with DNSQType.TKEY, so I'm not sure if a specific DNSQType.GSSTSIG type is really necessary.

I've also captured some of these requests, but the pcap contains sensitive data, which I'm not allowed to upload publicly. If this pcap file can help and there is a way to share it privately, please let me know.

Habbie commented 2 weeks ago

There's no GSS-TSIG qtype in DNS at all. If blocking TKEY does the job for you, I'm not sure there's any work left for us.

tomwijnroks commented 2 weeks ago

I was not really sure about this because the TSIG type also exists, which does not prevent these requests.

Thank you for your fast response, this issue can be closed.
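Added example (not code from the issue or from the PowerDNS project): a dnsdist Lua rule that refuses TKEY queries, the query type that GSS-TSIG key negotiation actually uses, shown next to the TSIG rule that does not match this traffic. The `name` option on `addAction` is assumed to be available in the dnsdist release in use.

```lua
-- dnsdist configuration (Lua). Added example, not from the issue or PowerDNS.
--
-- Why DNSQType.TSIG does not catch these requests: a TSIG record is a
-- pseudo-RR carried in the additional section of a signed message; it is not
-- the QTYPE of the query. GSS-TSIG key negotiation, on the other hand, is
-- done with TKEY queries (QTYPE 249), and those are what the backend
-- rejects with "GSS-TSIG request but not feature not compiled in".

-- Kept only for contrast: this rule does NOT match GSS-TSIG negotiation.
-- addAction(QTypeRule(DNSQType.TSIG), RCodeAction(DNSRCode.REFUSED))

-- Refuse TKEY queries in dnsdist so they never reach the backend and never
-- trigger the log line. The rule name (assumed option) makes the match
-- counter visible in showRules() on the dnsdist console.
addAction(QTypeRule(DNSQType.TKEY),
          RCodeAction(DNSRCode.REFUSED),
          {name = "refuse-tkey"})
```

If GSS-TSIG is ever compiled in and a known set of update clients must negotiate keys, combine the rule with `NotRule(NetmaskGroupRule(...))` for that range rather than dropping it.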

patrickpoortman commented 2 weeks ago

https://github.com/PowerDNS/pdns/blob/98128bb78a44349504592ca6780ad0e4594293f9/pdns/tkey.cc#L74

Is the log level error correct for this case, as the function is not compiled in? And anybody can trigger this message.

Habbie commented 2 weeks ago

And anybody can trigger this message.

Agreed, we should log it less, or make it optional.

rgacogne commented 1 week ago

I'm closing this issue since a different one has been opened for the log level, and as far as I can tell there is nothing left to do in dnsdist.