PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

dnsdist: Add method for checking if query is TSIG signed #7360

Open cmouse opened 5 years ago

cmouse commented 5 years ago

Short description

When doing a TSIG-signed DNS update, nsupdate first sends a TSIG-signed SOA query, to which it expects to receive a TSIG-signed SOA response. It is currently not possible to forward these queries directly to the auth server.

Use case

A DNS operator, or some automation, would like to update DNS records using a TSIG signature.

Description

dnsdist should provide a way to forward TSIG-signed queries to a particular pool. Optionally, it should allow matching on TSIG key names when deciding.

rgacogne commented 5 years ago

Have you considered using RecordsTypeCountRule()?

cmouse commented 5 years ago

I have not; how would that work?

rgacogne commented 5 years ago

I have not tested it, but I believe you could use that rule to select queries that have a TSIG record in the additional section, and route them to a different pool.
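The approach suggested above, written out as an added example dnsdist configuration (this is not code from the thread or from the PowerDNS project; the backend addresses and the pool name "auth" are placeholders):

```lua
-- Added example, not part of the issue or of dnsdist itself.
-- Route queries that carry a TSIG record in the additional section to a
-- dedicated authoritative pool; everything else goes to the default pool.

-- Backends (placeholder addresses)
newServer({address = "192.0.2.10:53", pool = "auth"})  -- authoritative server that validates TSIG
newServer({address = "192.0.2.20:53"})                 -- default pool

-- TSIG is record type 250 (RFC 8945). The numeric value is used here
-- because, as noted later in this thread, dnsdist had no TSIG constant
-- at the time.
local TSIG_TYPE = 250

-- A TSIG-signed message carries exactly one TSIG record, placed last in
-- the additional section, so match on a count of exactly one.
addAction(RecordsTypeCountRule(DNSSection.Additional, TSIG_TYPE, 1, 1),
          PoolAction("auth"))
```

This rule only counts TSIG records; it does not verify the signature, check the key name, or confirm the record is the last one in the section. The authoritative backend still has to perform TSIG validation, and unsigned queries that happen to include a type-250 record in the additional section would be routed to the "auth" pool as well, so treat this as a routing hint rather than an authentication check.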

cmouse commented 5 years ago

It seems to work partially, but there is no way to match the TSIG key name.

Also, there is no dnsdist.TSIG, although this is a cosmetic issue.

rgacogne commented 5 years ago

Sure, that would require actually parsing the TSIG record, which I really would like to avoid.