Dear dnsdist-ers,

Hope this email finds you in good health!
Please see my comments below, inline...

On Tuesday, 7 June 2022, Adrian Kägi via dnsdist <dnsdist@mailman.powerdns.com> wrote:

> Hi
> Maybe I did not understand correctly,
>

Hi Adrian,
Thanks for your email, brother.

> but the AXFR zone transfer from primary to secondary should not be routed
> via DNSdist.
>

Exactly! it *should not*...see below, please:

<paste1>
"AXFR, IXFR and NOTIFY

When dnsdist is deployed in front of a primary authoritative server, it might receive AXFR or IXFR queries destined to this primary. There are two issues that can arise in this kind of setup:

• If the primary is part of a pool of servers, the first SOA query can be directed by dnsdist to a different server than the following AXFR/IXFR one, which might fail if the servers are not perfectly synchronised.
• If the primary only allows AXFR/IXFR based on the source address of the requestor, it might be confused by the fact that the source address will be the one from the dnsdist server."
</paste1>
https://dnsdist.org/advanced/axfr.html#:~:text=AXFR%2C%20IXFR%20and,the%20dnsdist%20server.

> from my point of view, makes no sense.
>

...imho! it's not that it *must not* be routed through dnsdist.
Maybe you should see if you want to implement the following two solutions:

<paste2>
"
• The first issue can be solved by routing SOA, AXFR and IXFR requests explicitly to the primary:

<code1>
newServer({address="192.168.1.2", name="primary", pool={"primary", "otherpool"}})
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
</code1>

• The second one might require allowing AXFR/IXFR from the dnsdist source address and moving the source address check to dnsdist’s side:

<code2>
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("192.168.1.0/24"))}), RCodeAction(DNSRCode.REFUSED))
</code2>
"
</paste2>
https://dnsdist.org/advanced/axfr.html#:~:text=The%20first%20issue,.REFUSED))

Hope this helps!

Shalom,
--sb.

> Cheers
>
> On Tue. 7. June 2022 10:02 CEST, Lucas Rolff via dnsdist <dnsdist@mailman.powerdns.com> wrote:
>
> [...]
>

--

Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure>
Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#THEHOLYBIBLE|#Romans15:33 «May the #GOD of #Peace be with you all! #Amen!»
#MyPrayer is that you be born again. #Christianly
«As a deer pants for streams of water, so my soul pants for YOU, O GOD!» (#Psalms42:2)
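The two rules quoted above from the dnsdist documentation, combined into one configuration as an added example (it is not part of the original email or of the dnsdist documentation). The listen address, the second backend and the catch-all rule are assumptions; the order is the point, because RCodeAction and PoolAction both end rule processing for a query they match.

```lua
-- Added example: constructed dnsdist configuration.
-- 192.168.1.2 and 192.168.1.0/24 are the values used in the quoted documentation;
-- every other address and name below is an assumption for illustration.

setLocal("192.0.2.53:53")  -- assumed listen address (documentation range)

newServer({address="192.168.1.2", name="primary", pool={"primary", "otherpool"}})
newServer({address="192.168.1.3", name="secondary1", pool={"otherpool"}})  -- assumed extra backend

-- 1. Source-address check, evaluated first.
--    The primary only ever sees dnsdist's own address, so this rule is the
--    only place where the real requestor of a zone transfer is checked.
--    Transfers from outside 192.168.1.0/24 are answered with REFUSED here
--    and never reach a backend.
addAction(
  AndRule({
    OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
    NotRule(makeRule("192.168.1.0/24"))
  }),
  RCodeAction(DNSRCode.REFUSED)
)

-- 2. Pin SOA, AXFR and IXFR to the primary so the SOA check and the transfer
--    that follows it are served by the same server.
--    If this rule were added before rule 1, PoolAction would forward every
--    transfer request to the primary and the REFUSED rule would never run.
addAction(
  OrRule({
    QTypeRule(DNSQType.SOA),
    QTypeRule(DNSQType.AXFR),
    QTypeRule(DNSQType.IXFR)
  }),
  PoolAction("primary")
)

-- 3. All remaining queries are balanced across the shared pool.
addAction(AllRule(), PoolAction("otherpool"))
```

On the primary itself, the transfer allow-list then needs to contain only the dnsdist source address, as the quoted documentation describes.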