Open opeter opened 7 years ago
In the dnsdist manual there is a topic on how to do AXFR and NOTIFY, where all this logic is moved to dnsdist and the authoritative server uses the `trusted-notification-proxy` to accept NOTIFIES passed from dnsdist.
Would this suffice for your use case?
If I remember correctly, @opeter knows about `trusted-notification-proxy` and would like to have a similar setting for AXFR, something like `trusted-axfr-proxy`.
But that would just be allowing the dnsdist IP for all AXFRs and doing the ACLing with dnsdist, or am I missing anything here?
I'll let him explain, but I think the issue is updating the per-zone ACLs to allow dnsdist, whereas with `trusted-axfr-proxy` it wouldn't need any adjusting.
Short description
We would like to use dnsdist in front of our pdns-auth servers. We have a lot of different per-zone ACLs in `domainmetadata` (`ALLOW-AXFR-FROM`), so we cannot use generic ACLs. Unfortunately, dnsdist masks the source IP with its own local IP, so the ACL breaks.
Use case
We would like to have a way for the pdns-auth behind dnsdist to see the original source IP address.
Description
A patch that uses dnsdist edns-subnet-processing would fix the issue immediately, but would also introduce some security issues: https://github.com/PowerDNS/pdns/pull/4854
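The trust decision this thread is circling around, modeled as an added Python example (this is not PowerDNS or dnsdist code; the zone ACLs, addresses, proxy list and function names are constructed for the demo): the per-zone `ALLOW-AXFR-FROM` check is evaluated against the real source address, unless the packet arrives from a listed proxy, in which case the EDNS Client Subnet (ECS) option it carries is believed instead. Running the same check with "trust everyone" as the proxy list shows the obvious hazard of honoring ECS unconditionally: any client that reaches the authoritative server directly can write a permitted address into the option.

```python
"""Added example (hypothetical, not pdns code): proxy-aware ALLOW-AXFR-FROM.

ECS payloads follow RFC 7871 section 6 (FAMILY, SOURCE PREFIX-LENGTH,
SCOPE PREFIX-LENGTH, truncated ADDRESS); the OPTION-CODE/LENGTH header
is omitted because only the payload matters for the decision.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed data: per-zone ACLs as they would sit in domainmetadata
# (ALLOW-AXFR-FROM), and the single dnsdist address we allow to speak
# for clients (the "trusted-axfr-proxy" idea from the thread).
ALLOW_AXFR_FROM: Dict[str, List[str]] = {
    "example.org.": ["198.51.100.0/24"],
    "example.net.": ["2001:db8:1::/48"],
}
TRUSTED_AXFR_PROXIES: List[Network] = [ipaddress.ip_network("192.0.2.10/32")]
# "Believe ECS from anyone": the unsafe configuration, kept for contrast.
ANY_SOURCE: List[Network] = [ipaddress.ip_network("0.0.0.0/0"),
                             ipaddress.ip_network("::/0")]


def build_ecs(address: str, source_prefix: int) -> bytes:
    """Encode an ECS payload claiming address/source_prefix (constructed input)."""
    addr = ipaddress.ip_address(address)
    family = 1 if addr.version == 4 else 2
    nbytes = (source_prefix + 7) // 8
    # Bits beyond SOURCE PREFIX-LENGTH must be zero, so mask before truncating.
    net = ipaddress.ip_network((address, source_prefix), strict=False)
    return struct.pack("!HBB", family, source_prefix, 0) + net.network_address.packed[:nbytes]


def parse_ecs(payload: bytes) -> Optional[Network]:
    """Decode an ECS payload into the network it claims; None if malformed."""
    if len(payload) < 4:
        return None
    family, source_prefix, _scope = struct.unpack("!HBB", payload[:4])
    addr_bytes = payload[4:]
    if family == 1:
        cls, full, maxlen = ipaddress.IPv4Network, 4, 32
    elif family == 2:
        cls, full, maxlen = ipaddress.IPv6Network, 16, 128
    else:
        return None
    # Reject over-long prefixes and addresses not truncated to the minimum.
    if source_prefix > maxlen or len(addr_bytes) != (source_prefix + 7) // 8:
        return None
    padded = addr_bytes + b"\x00" * (full - len(addr_bytes))
    return cls((padded, source_prefix), strict=False)


def effective_client(source_ip: str, ecs_payload: Optional[bytes],
                     trusted_proxies: Iterable[Network]) -> Network:
    """Address the ACL is evaluated against.

    ECS is believed only when the packet comes from a trusted proxy; anyone
    else is judged on the real source address, whatever ECS they attached.
    """
    src = ipaddress.ip_address(source_ip)
    if ecs_payload is not None and any(src in proxy for proxy in trusted_proxies):
        claimed = parse_ecs(ecs_payload)
        if claimed is not None:
            return claimed
    return ipaddress.ip_network(str(src))


def _covered(client: Network, acl_net: Network) -> bool:
    """True only if every address the client prefix could be is inside acl_net."""
    return (client.version == acl_net.version
            and client.prefixlen >= acl_net.prefixlen
            and client.network_address in acl_net)


def axfr_allowed(zone: str, source_ip: str, ecs_payload: Optional[bytes],
                 trusted_proxies: Iterable[Network] = TRUSTED_AXFR_PROXIES) -> bool:
    """Per-zone ALLOW-AXFR-FROM check with proxy-aware client identification."""
    client = effective_client(source_ip, ecs_payload, trusted_proxies)
    acl = (ipaddress.ip_network(n) for n in ALLOW_AXFR_FROM.get(zone, []))
    return any(_covered(client, n) for n in acl)


if __name__ == "__main__":
    secondary = build_ecs("198.51.100.7", 32)   # legitimate secondary, via dnsdist
    print("via dnsdist, ECS carried   :", axfr_allowed("example.org.", "192.0.2.10", secondary))
    print("via dnsdist, no ECS (today):", axfr_allowed("example.org.", "192.0.2.10", None))
    print("direct, spoofed ECS        :", axfr_allowed("example.org.", "203.0.113.5", secondary))
    print("direct, spoofed, naive ECS :", axfr_allowed("example.org.", "203.0.113.5", secondary, ANY_SOURCE))
```

The second line of the demo is the breakage described in the issue: with dnsdist in front and nothing else changed, the authoritative server only ever sees 192.0.2.10, which is in no zone's ACL. The last two lines are the difference between a proxy allow-list and blind ECS trust. Note also that `_covered` refuses an ECS prefix shorter than the ACL entry, since a /16 claim does not prove the client is inside a /24.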