pdns 4.9.1 not logging blocked TSIG update #14513
bjacquin opened this issue Jul 21, 2024 · 0 comments
Short description

TSIG updates flowing through dnsdist, which adds a Client Subnet header, are rejected when received by pdns 4.9.1 because dnsdist modifies the packet, breaking the TSIG update. However, pdns plainly ignores the packet on UDP, breaks the TCP connection in the case of a TCP request, and does not log any information, even with loglevel=7, which does not allow easy and natural troubleshooting.

See #14512 for initial report.

Environment

  • Operating system: Gentoo
  • Software version: dnsdist 1.9.5, pdns 4.9.1.
  • Software source: Operating system repository

Steps to reproduce

  • dnsdist configuration:
setVerbose(true);

setACL({'0.0.0.0/0', '::/0'})

addLocal('0.0.0.0:53', {
  reusePort=true,
  tcpFastOpenQueueSize=512,
})

addLocal('[::]:53', {
  reusePort=true,
  tcpFastOpenQueueSize=512,
})

newServer({
  pool="authoritative",
  address='[::1]:29053',
  useClientSubnet=true,
  healthCheckMode='up'
})

addAction(
  AllRule(),
  PoolAction("authoritative")
)
  • pdns configuration:
loglevel=7
log-dns-details=yes
log-dns-queries=yes

local-address=[::1]:29053

reuseport=yes
tcp-fast-open=1

launch=gmysql
gmysql-socket=/run/mysqld/mysqld.sock
gmysql-user=xxxx
gmysql-password=xxxx
gmysql-dbname=powerdns
gmysql-dnssec=yes

dnsupdate=yes

allow-dnsupdate-from=xxxx:xxxx:xxxx:xxxx::/64
edns-subnet-processing=yes

Expected behaviour

I would expect:

  1. pdns to report why the requests are being rejected
  2. pdns to process the request

Actual behaviour

nsupdate -y ... times out on the client side.

Other information

  • Setting edns-subnet-processing=true in pdns configuration does not affect the behaviour.

I have also made an analysis comparing the network-level bytes sent from the client side with what is received by pdns after dnsdist; there are two notable changes: the DNS transaction ID and the added client subnet header:

  • DNS payload in hex format sent by the client:
0000   03 b0 28 00 00 01 00 00 00 01 00 01 09 70 61 6e
0010   74 73 2d 6f 66 66 03 78 79 7a 00 00 06 00 01 02
0020   78 78 c0 0c 00 01 00 01 00 00 00 0f 00 04 7f 00
0030   00 01 04 61 63 6d 65 00 00 fa 00 ff 00 00 00 00
0040   00 3d 0b 68 6d 61 63 2d 73 68 61 32 35 36 00 00
0050   00 66 9b a3 6a 01 2c 00 20 bb d2 36 32 cf 8d ca
0060   3c 6a c8 26 ea b8 58 5f ab 6f 19 9f 87 9f f9 4d
0070   da 28 92 78 a3 8a 46 c7 04 03 b0 00 00 00 00
  • DNS payload in hex format received by the pdns:
0000   08 00 28 00 00 01 00 00 00 01 00 02 09 70 61 6e
0010   74 73 2d 6f 66 66 03 78 79 7a 00 00 06 00 01 02
0020   78 78 c0 0c 00 01 00 01 00 00 00 0f 00 04 7f 00
0030   00 01 04 61 63 6d 65 00 00 fa 00 ff 00 00 00 00
0040   00 3d 0b 68 6d 61 63 2d 73 68 61 32 35 36 00 00
0050   00 66 9b a3 6a 01 2c 00 20 bb d2 36 32 cf 8d ca
0060   3c 6a c8 26 ea b8 58 5f ab 6f 19 9f 87 9f f9 4d
0070   da 28 92 78 a3 8a 46 c7 04 03 b0 00 00 00 00 00
0080   00 29 02 00 00 00 00 00 00 0f 00 08 00 0b 00 02
0090   38 00 xx xx xx xx xx xx xx
  • Diff between the two:
@@ -1,9 +1,11 @@
-0000   03 b0 28 00 00 01 00 00 00 01 00 01 09 70 61 6e
+0000   08 00 28 00 00 01 00 00 00 01 00 02 09 70 61 6e
 0010   74 73 2d 6f 66 66 03 78 79 7a 00 00 06 00 01 02
 0020   78 78 c0 0c 00 01 00 01 00 00 00 0f 00 04 7f 00
 0030   00 01 04 61 63 6d 65 00 00 fa 00 ff 00 00 00 00
 0040   00 3d 0b 68 6d 61 63 2d 73 68 61 32 35 36 00 00
 0050   00 66 9b a3 6a 01 2c 00 20 bb d2 36 32 cf 8d ca
 0060   3c 6a c8 26 ea b8 58 5f ab 6f 19 9f 87 9f f9 4d
-0070   da 28 92 78 a3 8a 46 c7 04 03 b0 00 00 00 00
+0070   da 28 92 78 a3 8a 46 c7 04 03 b0 00 00 00 00 00
+0080   00 29 02 00 00 00 00 00 00 0f 00 08 00 0b 00 02
+0090   38 00 xx xx xx xx xx xx xx
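Review bot: the three changed lines of this hunk already explain the rejection. Byte 11 of the header (ARCOUNT) goes from 01 to 02, and the bytes added from offset 0x7f decode as an OPT RR (owner `00`, type `00 29`) whose RDATA carries option code `00 08` (Client Subnet), family `00 02` (IPv6) and source prefix `38` (/56), placed after the TSIG RR. RFC 8945 section 5.1 requires the TSIG RR to be the last record of the additional section, and the MAC covers the message as it stood before the TSIG was appended, so any record dnsdist adds to an already-signed update invalidates the signature wherever it is inserted; the rejection itself is correct. The transaction ID rewrite on the first line (03 b0 to 08 00) is not the cause on its own: the TSIG RDATA at offset 0x79 still carries the original ID 03 b0, which a verifier restores before checking the MAC (RFC 8945 section 5.3.1). Two changes follow from this: dnsdist should not add an ECS option to a message that already carries a TSIG RR, and pdns should log the TSIG verification failure at loglevel=7 instead of dropping the packet silently, which is what this issue asks for.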
@Habbie Habbie added this to the auth-5 milestone Jul 25, 2024
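Added example, not code from the issue or from the PowerDNS project: a small Python parser that walks the resource records of the two dumps above and reports what follows the TSIG RR, which is the structural check a verifier applies before it even looks at the MAC. The only assumption is that the seven masked "xx" address bytes of the received packet are zeroed (a constructed placeholder); everything else is the wire bytes quoted in the issue.

```python
import struct

TSIG = 250                       # RR type of the signature record (RFC 8945)
# Wire bytes of the nsupdate message quoted in the issue, offsets dropped.
CLIENT_DUMP = """03 b0 28 00 00 01 00 00 00 01 00 01 09 70 61 6e
74 73 2d 6f 66 66 03 78 79 7a 00 00 06 00 01 02
78 78 c0 0c 00 01 00 01 00 00 00 0f 00 04 7f 00
00 01 04 61 63 6d 65 00 00 fa 00 ff 00 00 00 00
00 3d 0b 68 6d 61 63 2d 73 68 61 32 35 36 00 00
00 66 9b a3 6a 01 2c 00 20 bb d2 36 32 cf 8d ca
3c 6a c8 26 ea b8 58 5f ab 6f 19 9f 87 9f f9 4d
da 28 92 78 a3 8a 46 c7 04 03 b0 00 00 00 00"""
CLIENT = bytes.fromhex(CLIENT_DUMP.replace("\n", " "))
# What pdns received: new ID 0x0800, ARCOUNT 2, and an OPT RR (ECS option, IPv6 /56)
# appended after the TSIG; its 7 masked "xx" address bytes are zeroed (constructed).
ECS_OPT = "00 00 29 02 00 00 00 00 00 00 0f 00 08 00 0b 00 02 38 00" + " 00" * 7
_pkt = bytearray(CLIENT); _pkt[0:2], _pkt[11] = b"\x08\x00", 2   # rewrite ID, ARCOUNT
RECEIVED = bytes(_pkt) + bytes.fromhex(ECS_OPT)

def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while (n := pkt[off]) != 0:
        if n & 0xC0 == 0xC0:                 # compression pointer: follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels) or ".", (off + 1 if end is None else end)

def rr_types(pkt: bytes) -> list:
    """RR types of every record after the zone/question section, in wire order."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, types = 12, []
    for _ in range(qd):
        _, off = read_name(pkt, off); off += 4     # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        _, body = read_name(pkt, off)
        rrtype, rdlen = struct.unpack("!H6xH", pkt[body:body + 10])  # TYPE, CLASS+TTL, RDLENGTH
        types.append(rrtype); off = body + 10 + rdlen
    if off != len(pkt):
        raise ValueError(f"{len(pkt) - off} trailing bytes after last RR")
    return types

def tsig_violation(pkt: bytes):
    """RFC 8945 s5.1: TSIG must be the last RR. Return the types after it, or None."""
    types = rr_types(pkt)
    if TSIG not in types:
        return "no TSIG RR"
    trailing = types[types.index(TSIG) + 1:]
    return trailing or None
```

For the client packet the check passes; for the packet pdns received it reports type 41 (OPT) after the TSIG, which is exactly the condition a verifier should log before dropping the update.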