[dns-operations] EDNS client subnet authoritative server implementation

Stefan Schmidt zaphodb at zaphods.net
Fri Feb 9 14:26:21 UTC 2018

On 2018-02-09 03:53, John Kristoff wrote:
> Friends,

Hi John,

> I'm interested in utilizing a DNS authoritative server implementation
> that provides at least some support for the EDNS client subnet option
> (IETF RFC 7871).
> For now I just need an implementation that will signal to Google
> resolvers that it supports the feature without too much effort on my
> part if that is possible. Ideally I'd also like the software to be able
> to log the received client subnet values along with the other
> traditional query detail (e.g. query address, name, class).
> BIND seems to do at least the logging part, but I'm not sure if they
> will be compatible with Google.  In a recent ARM they have this note:
>   The authoritative ECS implementation in named is based on an early
>   version of the specification, and is known to have incompatibilities
>   with other implementations.
> This sounds like it might not work for me.  Anyone know differently?

It might just be the EDNS0 Option Code value, IIRC the Google and 
OpenDNS used a preliminary option code.
PowerDNS Authoritative Server switched over to the IANA assigned one [1] 
in version 3.4.0.

> It looks like this might be available in PowerDNS, but maybe only with
> the pipe back end, which may work fine in my case.  Has anyone used
> PowerDNS for auth edns client subnet handling and can confirm or show 
> an
> example config/pipe/setup that gets them client subnet data from Google
> resolvers?

I can confirm it is really easy to implement with the PowerDNS pipe 
backend and that it has been working very well for me.
PowerDNS takes care of all the processing and you just need to use 
pipebackend ABI version 3 [2] populating the scopebits and auth values 
for each backend response.
A simple ABI example backend can be found at [3] where $ednsip will be 
the netmask you get from the recursive server.

pipe-backendname-timeout=1000 #in ms

➜  ~ dig @ any bl.wavecdn.net
bl.wavecdn.net.		59	IN	TXT	"your IPv4:"

As PowerDNS Recursor and dnsdist also support EDNS Client Subnet you 
don't even have to rely on Google for testing and i should mention that 
dig now sports the +subnet (formerly +client) flag allowing you to 
manually query the auth server for its response to that "variable".

best wishes,



More information about the dns-operations mailing list