+1, excited to see this one come through.

On Fri, Jun 2, 2017 at 12:15 PM, Eric Friedrich (efriedri) <[email protected]> wrote:

> We are planning to add support for RFC7871 to Traffic Router. Here is a
> brief description of the feature. Comments appreciated!
>
> Background
>
> Clients do not make DNS requests directly to TR. Typically TR requests
> come from DNS resolvers within the infrastructure. Today, Cache Group
> selection for DNS Delivery Services is based on the IP address of the DNS
> resolver making the request to TR. RFC7871 includes the client subnet in an
> EDNS0 option within the DNS query. When the ECS OPT is present (and the
> feature is enabled via a TR parameter), Traffic Router will use this IP in
> place of the source IP of the DNS packet (the IP of the resolver). This IP
> will be used in the CZF and maxmind lookups.
>
> Requirements
>
> 1. If the DNS query includes the ECS option in the Optional Record, Traffic
>    Router will use the IP address included in the ECS option as the client
>    address for Cache Group Selection.
> 2. If there are multiple ECS options in the Optional Record, the one
>    with the longest IP prefix - i.e. the ECS option with the largest Source Net
>    Mask - will be used.
> 3. If the DNS query includes the ECS Option, then the DNS response from Traffic
>    Router will also include the ECS Option. In the response the Scope Net Mask
>    is set to be the same as the Source Net Mask. This is required by RFC 7871 for
>    DNS caching to work properly.
> 4. It is assumed that customers/operators will ensure that the Source Net
>    Mask for a subnet specified in the ECS is greater than or equal to the
>    net mask for the corresponding subnet entry in the CZF file. e.g. if the ECS
>    Option has 192.168.10.0/8, then 192.168.0.0/16 in the CZF will work, but
>    192.168.10.0/28 will not work.
> 5. Add a TR parameter to disable use of the ECS field even when present.
>
> Design
>
> To support this feature new logic will be added to the NameServer.query()
> function. The new logic will be responsible for parsing the ECS option in the
> OptionalRecord of the incoming DNS Request, and retrieving the Client IP
> address and the associated Source Net Mask (Scope Net Mask must be 0 in the
> incoming Request per RFC 7871). Please note that the underlying DNS library
> xbill/dnsjava already has support for parsing the ECS Options. These
> functions from the library will be leveraged.
>
> 1. Message.getOPT().getOptions(EDNSOption.Code.CLIENT_SUBNET) will
>    return the list of ClientSubnetOption for the incoming Request (Message)
> 2. ClientSubnetOption has public methods to retrieve the netmask and Client
>    IP address: getSourceNetmask(), getAddress()
>
> If the ECS option is present, then the IP address retrieved from the ECS
> option will be passed as the Client IP address to the Traffic Router
> (through the getZone call) for CZF/geo lookup.
>
> If the ECS option is present, then a ClientSubnetOption will be created and
> included in the DNS response. In the Response the Scope Net Mask of the
> ClientSubnetOption is set to the Source Net Mask.
>
> Testing
>
> We'll test against all of the various CZF, National, Regional, VPN
> Blocking features and will do our best to check with DNSSEC.
>
> —Eric
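The ECS handling the quoted proposal describes (requirements 1 through 5), as an added example that is not part of this thread or of Traffic Router's code. It works directly on the RFC 7871 wire format in Python's standard library instead of going through dnsjava's ClientSubnetOption, so it runs stand-alone; the function names, the resolver address 10.0.0.53 and the sample OPT RDATA are all constructed for the example.

```python
import ipaddress
import struct

# Added example: RFC 7871 EDNS Client Subnet handling as described above,
# written against the wire format rather than the dnsjava API.
ECS_OPTION_CODE = 8         # EDNS0 option code for CLIENT-SUBNET
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def parse_ecs_options(opt_rdata):
    """Walk the OPT RR RDATA (a sequence of EDNS options) and return every
    ECS option as (address, source_prefix, scope_prefix). Other option
    codes are skipped; a malformed option raises ValueError."""
    found = []
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        pos += 4
        data = opt_rdata[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        pos += length
        if code != ECS_OPTION_CODE:
            continue
        if len(data) < 4:
            raise ValueError("ECS option shorter than its fixed header")
        family, source, scope = struct.unpack("!HBB", data[:4])
        if family == FAMILY_IPV4:
            total, max_prefix = 4, 32
        elif family == FAMILY_IPV6:
            total, max_prefix = 16, 128
        else:
            raise ValueError("unsupported ECS address family %d" % family)
        if source > max_prefix:
            raise ValueError("SOURCE PREFIX-LENGTH exceeds address size")
        addr_bytes = data[4:]
        if len(addr_bytes) != (source + 7) // 8:
            raise ValueError("ECS address length does not match prefix length")
        # Only ceil(prefix/8) address bytes are on the wire; pad back to full size.
        addr = ipaddress.ip_address(addr_bytes + b"\x00" * (total - len(addr_bytes)))
        found.append((addr, source, scope))
    if pos != len(opt_rdata):
        raise ValueError("trailing bytes after last EDNS option")
    return found


def select_client_subnet(opt_rdata):
    """Requirement 2: with several ECS options, take the longest source
    prefix. A query's SCOPE PREFIX-LENGTH must be 0 (RFC 7871 section 6)."""
    options = parse_ecs_options(opt_rdata)
    if not options:
        return None
    if any(scope != 0 for _, _, scope in options):
        raise ValueError("SCOPE PREFIX-LENGTH must be 0 in a query")
    return max(options, key=lambda opt: opt[1])


def build_ecs_option(address, source_prefix, scope_prefix):
    """Encode one ECS option: code, length, family, source, scope, address.
    Host bits beyond source_prefix are zeroed as the RFC requires."""
    network = ipaddress.ip_network((address, source_prefix), strict=False)
    family = FAMILY_IPV4 if network.version == 4 else FAMILY_IPV6
    addr_bytes = network.network_address.packed[:(source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def response_ecs_option(selected):
    """Requirement 3: echo the chosen option with SCOPE set equal to SOURCE."""
    address, source, _ = selected
    return build_ecs_option(address, source, source)


def client_address_for_lookup(resolver_ip, opt_rdata, ecs_enabled=True):
    """Requirements 1 and 5: use the ECS address for cache-group selection
    when one is present and the feature is on, else the resolver's IP."""
    if ecs_enabled and opt_rdata:
        selected = select_client_subnet(opt_rdata)
        if selected is not None:
            return selected[0]
    return ipaddress.ip_address(resolver_ip)


def czf_entry_usable(ecs_address, ecs_prefix, czf_cidr):
    """Requirement 4: the ECS subnet must be at least as specific as, and
    fall inside, the CZF entry for the lookup to land on that entry."""
    ecs_net = ipaddress.ip_network((ecs_address, ecs_prefix), strict=False)
    czf_net = ipaddress.ip_network(czf_cidr)
    return ecs_net.version == czf_net.version and ecs_net.subnet_of(czf_net)


# Constructed sample OPT RDATA: two ECS options plus an unrelated option
# (code 10, DNS COOKIE) that the parser has to step over.
SAMPLE_QUERY_OPT_RDATA = (
    build_ecs_option("192.168.0.0", 16, 0)
    + struct.pack("!HH", 10, 8) + b"\x01" * 8
    + build_ecs_option("192.168.10.77", 24, 0)
)

if __name__ == "__main__":
    chosen = select_client_subnet(SAMPLE_QUERY_OPT_RDATA)
    print("selected:", chosen)
    print("lookup address:", client_address_for_lookup("10.0.0.53", SAMPLE_QUERY_OPT_RDATA))
    print("response option:", response_ecs_option(chosen).hex())
```

Two points worth noting for an implementation that does use dnsjava: the scope check on the incoming query is the defensive half of requirement 3 (a non-zero scope in a query is malformed and should not be echoed), and the host bits of the address are zeroed before the option is rebuilt so that the response never carries more client address than the source prefix announces.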