Maintained by: NLnet Labs

[Unbound-users] Source address selection for replies

Wouter Wijngaards
Fri Jan 11 15:39:03 CET 2008

Hi Alexander,

Thanks for the reply. You are completely correct.

The problem is what interfaces to bind to. 0.0.0.0 is everything and
thus good on a 'normal' setup. When the kernel makes bad routing
decisions (I know, anycast configuration is hell), this gives the wrong
source address on replies, and DNS requires it. Really, the kernel
should make good routing decisions, but anyway.

Unbound does not know what interfaces you have. There is no nice POSIX
'list of interfaces', as far as I know. So, the problem for me is
portability: "0.0.0.0" is very portable. Listing the interfaces is hard
and likely to encounter portability problems.

With some ioctl and fun, I could probably support *BSD, Linux, Solaris
for such a feature. The feature might not be available on other
platforms (if the ioctl doesn't work). Something like 'probe_interfaces:
yes', except with a better name?

Best regards,
    Wouter

Alexander Gall wrote:
| Hello Wouter
|
| In my anycast setup for our DNS cache, I use addresses configured on
| loopback interfaces of the hosts (the addresses are announced to the
| IGP as host routes).  I also prefer to let unbound listen on all
| interfaces by specifying
|
|         interface: 0.0.0.0
|         interface: ::
|
| in the configuration file.  The main reason is that the instances on
| different hosts are easier to maintain if the configuration doesn't
| contain explicit addresses (we presently use two distinct anycast
| addresses both for IPv4 and IPv6).
|
| With this setup, when unbound receives a query on the loopback
| interface, it sends the reply with a source address of one of the
| physical interfaces of the host.  In other words, it appears that
| unbound lets the kernel choose the source address, which is always
| wrong in this case.
|
| There is a simple workaround by using this configuration instead:
|
|         interface: 127.0.0.1
|         interface: ::1
|         interface: 130.59.31.246
|         interface: 2001:620:0:ff::6
|
| However, since DNS clients expect replies to come from the same
| address to which the query was sent, I'd expect unbound to *always*
| request a specific address for replies from the kernel.  I'm wondering
| why unbound doesn't enforce this?
|
| In case I'm overlooking something here and this is in fact a useful
| feature, I'd ask for a configuration option that allows me to force
| source address selection for query replies to always match the
| destination address in the query.  That would allow me to keep the
| simpler configuration mentioned above.
|
| Regards,
