Access to TSIG key name

[tom1198]

• Program: dnsdist
• Issue type: Feature request

Short description

Allow access to TSIG data from DNSQuestion object

Having access to the TSIG key name for notify ops would be useful

Usecase

To be able to steer notify messages towards distinct pools based on a TSIG key name regex match

Description

dnsdist to make available this information so that it can be used for steering decisions.
No validation / verification desired, just access to the TSIG key name.

I did wonder if this would be in trailing data, however it appears not in initial testing.

Apologies if this is already present and i just did not spot it

Thanks

[Habbie]

I did wonder if this would be in trailing data, however it appears not in initial testing.

It would not be. I don't think we can currently do what you are asking for, indeed.

[tom1198]

Is this also missing from AXFR question too ?

Just trying to setup supermaster axfr between a slave and a master (single IP on each) and steering the notifications and AXFR to the appropriate instance.

Notify i can workaround as that can directly target a non standard port, however supermaster does not seem to support that, so steering on dnsdist (or a second IP address, which i am trying to resist) would seem a sensible approach.

If you have any alternative suggestions, please let me know.

Thanks

[Habbie]

Is this also missing from AXFR question too ?

There is no TSIG logic anywhere in dnsdist, as far as I know.

Notify i can workaround as that can directly target a non standard port, however supermaster does not seem to support that

That should work - you can get help with that via IRC or our mailing list. Details are at https://www.powerdns.com/opensource.html

[tom1198]

ok, thanks,
ill dig a bit deeper on supermaster with alternate ports as that would solve my immediate issues (and reach out to the mailing list if needed)

[franklouwers]

Somebody came to me with a different use case that would benefit from the ability to get access to the tsig key name:

"In Bind, I can send requests signed by TSIG key #1 to the internal view, and requests signed by TSIG key #2 to the external view. Is something like that possible with PowerDNS?"

[nwhisper2014]

Is there any work being done on this issue? I really need this functionality...

[Habbie]

Hello Roman, no work is being done on this. We'll consider patches if somebody sends them. Sorry!

[nwhisper2014]

Maybe there's an update on this topic? )
Without this function, it is impossible to implement a split zone with synchronization in the primary/secondary scheme

[nwhisper2014]

Is there any news about this feature? =)

[nwhisper2014]

Maybe you could add this feature? Please :)

[Habbie]

Hello, repeating this question is not useful. This ticket is milestoned "dnsdist-helpneeded", which means we think it's a fine idea, but do not currently plan to work on it. However, if somebody (you?) sends a PR, we will take that very seriously.