List:       djbdns
Subject:    Re: tinydns location doesn't work with IPsec
From:       Jason Mader <jason () ncac ! gwu ! edu>
Date:       2008-03-31 20:35:50
Message-ID: alpine.OSX.1.10.0803311626210.36432 () Zrebz ! frnf ! tjh ! rqh

On Mon, 31 Mar 2008, Emilio Perea wrote:

> On Mon, Mar 31, 2008 at 09:30:01AM -0400, Jason Mader wrote:
> > I've noticed that when using location on a record in tinydns that a client
> > with an ah transport IPsec connection to the DNS server (OpenBSD) the
> > client will get an NXDOMAIN even though the client IP address matches the
> > prefix.
> > 
> > Does anyone have a workaround for the bug?
> 
> I'm not sure what you are seeing is a tinydns bug.  What IP address does
> the tinydns log show the query as coming from?

[128.164.144.144]# dnsq a lab-color.lp.seas.gwu.edu 128.164.159.159

[128.164.159.159]# tail -f current | perl ~/tinydns-log.pl
@4000000047f148ed2c3a22cc 128.164.144.144:32738:13246 + a lab-color.lp.seas.gwu.edu

And the relevant configuration,
  %GW:128.164
  =lab-color.lp.seas.gwu.edu:172.16.2.1:::GW

If I've characterized this right, even when I do something such as,

  %GW:128.164
  %ex
  =lab-color.lp.seas.gwu.edu:172.16.2.1:::GW
  =lab-color.lp.seas.gwu.edu:172.16.2.2:::ex

DNS client host 128.164.144.144 (which has ah transport mode to
128.164.159.159) will get,

$ dnsq a lab-color.lp.seas.gwu.edu 128.164.159.159 
1 lab-color.lp.seas.gwu.edu:
95 bytes, 1+0+1+0 records, response, authoritative, nxdomain
query: 1 lab-color.lp.seas.gwu.edu
authority: seas.gwu.edu 2560 SOA a.ns.seas.gwu.edu hostmaster.seas.gwu.edu 1206995383 \
16384 2048 1048576 2560

Otherwise tinydns location works exactly as I expect from other hosts.

---Jason Mader, FHWA/NHTSA National Crash Analysis Center,
The George Washington University, VA Campus
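Added example, not part of the original message and not tinydns code: a Python model of the location selection documented for tinydns-data (longest matching `%lo:ipprefix` wins, a record tagged with a location is visible only to clients in it), useful for checking which answer the data file should give for the source address shown in the tinydns log. The function names are hypothetical; the data lines and the address 128.164.144.144 are from the message, and 192.0.2.10 is a constructed outside client.

```python
# Model of documented tinydns-data location semantics (assumption: byte-wise
# prefixes, longest prefix wins, empty prefix matches every client).
DATA = """\
%GW:128.164
%ex
=lab-color.lp.seas.gwu.edu:172.16.2.1:::GW
=lab-color.lp.seas.gwu.edu:172.16.2.2:::ex
"""

def parse(data):
    """Return ({prefix octets: location}, [(fqdn, ip, location)])."""
    locations, records = {}, []
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "%":                       # %lo:ipprefix
            prefix = fields[1] if len(fields) > 1 else ""
            octets = tuple(int(o) for o in prefix.split(".") if o)
            locations[octets] = fields[0]
        elif kind == "=":                     # =fqdn:ip:ttl:timestamp:lo
            fields += [""] * (5 - len(fields))
            records.append((fields[0].lower(), fields[1], fields[4]))
    return locations, records

def client_location(locations, client_ip):
    """Try the 4-, 3-, 2-, 1- and 0-octet prefixes of the client address."""
    octets = tuple(int(o) for o in client_ip.split("."))
    for n in range(4, -1, -1):
        if octets[:n] in locations:
            return locations[octets[:n]]
    return ""                                 # client is in no location

def answer_a(data, client_ip, name):
    """Addresses visible to this client; an empty list means no visible record."""
    locations, records = parse(data)
    loc = client_location(locations, client_ip)
    return [ip for fqdn, ip, rloc in records
            if fqdn == name.lower() and rloc in ("", loc)]

if __name__ == "__main__":
    for src in ("128.164.144.144", "192.0.2.10"):
        print(src, answer_a(DATA, src, "lab-color.lp.seas.gwu.edu"))
```
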

