PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

dnsdist in front of pdns-auth: SourceIP in AXFR request and NOTIFY #5155

Open opeter opened 7 years ago

opeter commented 7 years ago

Short description

We would like to use dnsdist in front of our pdns-auth servers. We have a lot of different per-zone ACLs in domainmetadata (ALLOW-AXFR-FROM), so we cannot use generic ACLs. Unfortunately, dnsdist clads the source IP with its own local IP, so the ACL breaks.

Usecase

We would like to have a way that the pdns-auth behind dnsdist can see the original source IP address.

Description

A patch that uses dnsdist edns-subnet-processing would fix the issue immediately but would also introduce some security issues: https://github.com/PowerDNS/pdns/pull/4854

pieterlexis commented 7 years ago

In the dnsdist manual there is a topic on how to do AXFR and NOTIFY, where all this logic is moved to dnsdist and the authoritative server uses the trusted-notification-proxy to accept NOTIFIES passed from dnsdist.

Would this suffice your use case?
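A sketch of the arrangement pieterlexis refers to, written as an added example (not code from the dnsdist manual, this issue, or the project): the per-zone AXFR ACLs move into dnsdist's Lua configuration, and pdns-auth only ever trusts dnsdist itself. The zone names and the RFC 5737/3849 addresses are constructed placeholders, and the LuaAction convention of returning a pool name as the second value is assumed to match the dnsdist version in use.

```lua
-- dnsdist side (dnsdist.conf). Per-zone AXFR ACLs that used to live in
-- pdns-auth's domainmetadata (ALLOW-AXFR-FROM) are kept here instead, keyed
-- by zone name. All addresses and zone names below are constructed examples.
newServer({address = "192.0.2.10:53", pool = "auth"})  -- the pdns-auth behind dnsdist
setACL({"0.0.0.0/0", "::/0"})  -- any client may query; transfers are filtered below

-- zone -> NetmaskGroup of secondaries allowed to transfer that zone
local axfrACL = {
  ["example.com."] = newNMG(),
  ["example.net."] = newNMG(),
}
axfrACL["example.com."]:addMask("198.51.100.0/24")
axfrACL["example.net."]:addMask("203.0.113.7/32")
axfrACL["example.net."]:addMask("2001:db8::/64")

-- Refuse a transfer unless the *original* client address matches the zone's
-- ACL. dq.remoteaddr is the real source here, which pdns-auth never sees once
-- dnsdist has forwarded the query from its own address.
function checkXFR(dq)
  local zone = dq.qname:toString():lower()  -- canonical form, trailing dot
  local nmg = axfrACL[zone]
  if nmg == nil or not nmg:match(dq.remoteaddr) then
    infolog("refused zone transfer of " .. zone .. " from " .. dq.remoteaddr:toString())
    return DNSAction.Refused, ""
  end
  return DNSAction.Pool, "auth"  -- allowed: hand the transfer to pdns-auth
end
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), LuaAction(checkXFR))

-- NOTIFY: only the listed primaries may trigger a refresh; everything else is
-- dropped before it reaches pdns-auth.
local notifyACL = newNMG()
notifyACL:addMask("198.51.100.1/32")
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(NetmaskGroupRule(notifyACL))}), DropAction())
addAction(OpcodeRule(DNSOpcode.Notify), PoolAction("auth"))

-- pdns-auth side (pdns.conf, shown here as a comment): only dnsdist may
-- transfer zones, and NOTIFYs relayed by dnsdist are accepted on behalf of
-- the original primary.
--   allow-axfr-ips=192.0.2.1
--   trusted-notification-proxy=192.0.2.1
```

Because per-zone ALLOW-AXFR-FROM metadata overrides allow-axfr-ips, each zone's metadata has to be removed (or extended with dnsdist's address) for this to work, which is the per-zone adjustment the thread is discussing.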

rgacogne commented 7 years ago

If I remember correctly, @opeter knows about trusted-notification-proxy and would like to have a similar setting for AXFR, something like trusted-axfr-proxy.

pieterlexis commented 7 years ago

But that would just allow the dnsdist IP for all AXFRs and do the ACL'ing with dnsdist, or am I missing anything here?

rgacogne commented 7 years ago

I'll let him explain, but I think the issue is updating the per-zone ACLs to allow dnsdist, whereas with trusted-axfr-proxy it wouldn't need any adjusting.