Feature request: Setting EDNS Client Subnet scopeMask in LUA records

Open mnordhoff opened this issue 5 years ago • 5 comments

  • Program: Authoritative
  • Issue type: Feature request

Short description

If EDNS Client Subnet processing is enabled, and a query using ECS comes in, LUA record responses currently copy the scope length from the query.

That's conservative, simple and more or less accurate, but it's unfortunate for the cache hit rate for records that don't make use of ECS -- or that make decisions based on a larger scope length than the incoming query (for example, IPv6 /48 instead of /56).

It would be useful to be able to set the response's scopeMask, to 0, or with more granularity.

Usecase

I'd like to be able to make use of ECS for some records, without affecting the cache hit ratio for records that don't do anything with it at all.

(I don't actually do geolocation, I just have some records like ahu's useful names.)

I can imagine that some people doing geolocation might like to tweak the scopeMask, but I dunno.

Description

I don't have any ideas for how to implement it that I love. I do have three ideas:

LUA records could support optionally returning two values, the record content, and either a boolean controlling whether to set scopeMask to 0 or the query's value, or an integer. E.g.:

www  LUA  AAAA ";return '2001:db8::1', false"
www  LUA  AAAA ";return '2001:db8::1', true"

www  LUA  AAAA ";return '2001:db8::1', 0"
www  LUA  AAAA ";return '2001:db8::1', 56"

(I don't know which one should be true and which one should be false.)

Alternatively, records could return a table.

Or for something completely different, there could be some sort of global setting or zone metadata.

I think the first idea is reasonably simple and intuitive, honestly. (To use. I don't know how easy it would be to implement.)

I think the code controlling the current situation is here:

https://github.com/PowerDNS/pdns/blob/d7382914f7e5bd4633c9d8e2739c1b22215ddbe0/pdns/packethandler.cc#L396

https://github.com/PowerDNS/pdns/blob/d7382914f7e5bd4633c9d8e2739c1b22215ddbe0/pdns/packethandler.cc#L1353

Habbie pointed out that the pipe and remote backends do support setting the scope length.

Sep 12 '19 12:09 mnordhoff

In Recursor Lua, we had setVariable() but today we have dq.variable=1 or something like it. The former (i.e. setECSScope(24)) would work here; the latter form however seems unavoidable if we invent 3 more things we want to do in LUA :)

Sep 12 '19 14:09 Habbie

If we consider the "view" function, it would be great if the authoritative server returned a "scope mask" equal to the mask of the condition the request fell under. For example (example view from the documentation):

view.v4.powerdns.org IN LUA A ("view({ "
  "{ {'192.168.0.0/16'}, {'192.168.1.54'}},"
  "{ {'0.0.0.0/0'}, {'192.0.2.1'}} "
  " }) " )

For requests from the "192.168.0.0/16" network, form a response with "scopeMask = 16".

Is it possible to implement this improvement request in the near future?

Mar 31 '21 04:03 brlumen
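
An added example, not part of the thread or of PowerDNS's code: a simplified Python model of an ECS-aware resolver cache fed by the view rules quoted in the comment above, comparing how many upstream queries each scope policy costs and whether any client gets another client's answer. It goes one step beyond the comment by including a third policy that lengthens the scope so a cached default answer cannot cover 192.168.0.0/16 clients; the client subnets, policy names and function names are constructed for illustration, and the cache model (store at the shorter of source and scope length, serve the longest covering entry) is an assumption.

```python
import ipaddress

# View rules from the comment above; first match wins, last rule is the default.
RULES = [(ipaddress.ip_network(n), a) for n, a in
         [("192.168.0.0/16", "192.168.1.54"), ("0.0.0.0/0", "192.0.2.1")]]
# Constructed ECS client subnets, in arrival order.
CLIENTS = ["203.0.113.0/24", "192.168.5.0/24", "192.168.77.0/24", "198.51.100.0/24"]

def common_bits(a, b):
    """Number of leading bits two IPv4 addresses share."""
    return 32 - (int(a) ^ int(b)).bit_length()

def authoritative(ecs, policy):
    """Answer one query; returns (answer, scope prefix length)."""
    addr = ecs.network_address
    for i, (net, answer) in enumerate(RULES):
        if addr in net:
            break
    if policy == "copy":        # behaviour described in the issue: echo source length
        return answer, ecs.prefixlen
    if policy == "matched":     # scope = mask of the matched view rule
        return answer, net.prefixlen
    # "deaggregated": lengthen the scope until it excludes every
    # higher-priority rule that this client did not match
    scope = net.prefixlen
    for other, _ in RULES[:i]:
        scope = max(scope, common_bits(addr, other.network_address) + 1)
    return answer, scope

def simulate(clients, policy):
    """Simplified resolver cache; returns (upstream queries, wrong answers)."""
    cache, upstream, wrong = [], 0, 0
    for c in clients:
        ecs = ipaddress.ip_network(c)
        truth, _ = authoritative(ecs, "copy")   # what this client should receive
        hits = [(n, a) for n, a in cache if ecs.subnet_of(n)]
        if hits:                                # serve the most specific cached entry
            answer = max(hits, key=lambda h: h[0].prefixlen)[1]
        else:
            upstream += 1
            answer, scope = authoritative(ecs, policy)
            length = min(scope, ecs.prefixlen)  # never cache wider than the answer allows
            cache.append((ecs.supernet(new_prefix=length), answer))
        wrong += answer != truth
    return upstream, wrong

if __name__ == "__main__":
    for policy in ("copy", "matched", "deaggregated"):
        print(policy, simulate(CLIENTS, policy))
```

With the default rule answered at scope 0, the first query from outside 192.168.0.0/16 is cached for every client, so later 192.168.x.x clients are served the default address from cache.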

@brlumen hi, can you file that one separately? Thanks!

Mar 31 '21 07:03 Habbie

@Habbie, Oh sure.

Mar 31 '21 07:03 brlumen

That issue was filed as #10249

Feb 03 '22 15:02 jsoref