Hi All,

We are currently studying how to develop a DNS message load balancer (into the haproxy core).

After a global pass on the RFCs (DNS, DNS over TCP, EDNS, DNSSEC ...) we noticed that practices on DNS have largely evolved since the stone age. Since the last brainstorm meeting I had with Baptiste Assmann and Willy Tarreau, we attempted to make some assumptions and choices, and we want to submit them to the community to have your thoughts.

Reading the RFCs, I noticed multiple fallback cases (if a server does not support EDNS we should retry the request without EDNS, or if a response is truncated we should retry over TCP) which could clearly make the project really difficult to implement and suboptimal from a performance point of view. So we decided to make the assumption that nowadays, all modern DNS servers support both TCP (and pipelined requests as defined in RFC 7766) and EDNS. In this case the DNS load balancer will forward messages received from clients in UDP or TCP (supporting EDNS or not) to servers via a pipelined TCP connection. We are requesting the community and experienced users of DNS servers to share their thoughts about this.

In addition, I have a more technical question: the first purpose of EDNS is clearly to bypass the 512-byte limitation of standard DNS over UDP, but I didn't find details about the usage of EDNS over TCP, which seems mandatory if we want to perform DNSSEC (since DNSSEC exploits some EDNS pseudo-header fields). The main question is how to handle the payload size field of the EDNS pseudo-header if messages are exchanged over TCP.

Finally, all other advice or thoughts about DNS load balancing in Haproxy are also welcome.

R,
Emeric
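To make the two wire-format details behind this design concrete (the EDNS payload size field, which RFC 6891 stores in the CLASS field of the OPT pseudo-RR, and the two-octet length prefix that frames each message on a pipelined TCP connection per RFC 7766), here is a small added Python example; it is not HAProxy code and does not come from the thread. It builds a query with and without an OPT RR, locates the OPT RR in an arbitrary message (skipping compressed names), and frames/unframes messages for a pipelined TCP stream; the query names and the message ID are constructed sample values.

```python
import struct

OPT_TYPE = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891)

def build_query(name, qtype, edns_size=None, msg_id=0x1234):
    """Build a DNS query; optionally append an OPT RR whose CLASS field carries edns_size."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    arcount = 1 if edns_size else 0
    # header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    msg += qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_size:
        # root name, TYPE=OPT, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two octets, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def edns_payload_size(msg):
    """Return the UDP payload size advertised in the OPT RR, or None if there is no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                       # CLASS holds the payload size
        off += 10 + rdlen
    return None

def tcp_frame(msg):
    """Prefix one message with its two-octet length, as required on TCP (RFC 7766)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Split a pipelined TCP byte stream into complete messages; returns (messages, leftover)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:                 # partial message: wait for more bytes
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream
```

A UDP-received message can be handed to the TCP side unchanged apart from the length prefix, and the OPT RR (if any) travels with it; the parser above is what a proxy would use to see whether a client even sent one.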