EDNS0 CLIENT-SUBNET not working with GeoIP2
Summary
We updated one server (geons1) from bind 9.11.11, which was built with GeoIPv1, to bind 9.11.11 with GeoIPv2. Our monitoring system uses the EDNS0 CLIENT-SUBNET extension to check for the right answers. Both servers use the same configuration. On the server with bind 9.11.11 + GeoIP2, the EDNS0 CLIENT-SUBNET extension stopped working.
BIND version used
geons1# named -V
BIND 9.11.11 (Extended Support Version) <id:4ae9ff1>
running on FreeBSD amd64 11.3-RELEASE-p3 FreeBSD 11.3-RELEASE-p3 #0: Mon Aug 19 21:08:43 UTC 2019 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-gost=no' '--without-python' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--with-geoip2' '--without-gssapi' '--without-libidn2' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--without-lmdb' '--disable-native-pkcs11' '--disable-querytrace' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--with-openssl=/usr' '--enable-threads' '--with-tuning=large' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=clang' 'CFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-isystem /usr/local/include' 'CPP=clang-cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2o-freebsd 27 Mar 2018
linked to OpenSSL version: OpenSSL 1.0.2s-freebsd 28 May 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
Steps to reproduce
Wrong case, bind uses the source IP, geons1 (bind911 with GeoIPv2, answer 127.0.0.100, view RUSSIA):
17-Oct-2019 15:10:20.151 client @0x802e71400 91.103.XX.XX#14982 (chk.geo.example.com): view RUSSIA: query: chk.geo.example.com IN A +E(0)K (4.53.XX.XX)
lvv@icinga:~ % dig chk.geo.example.com +subnet=80.239.174.1 @geons1
; <<>> DiG 9.14.6 <<>> chk.geo.example.com +subnet=80.239.174.1 @geons1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bfcd99141f0e8169e1a87dca5da859a11d53561203d948cb (good)
; CLIENT-SUBNET: 80.239.174.1/32/21
;; QUESTION SECTION:
;chk.geo.example.com. IN A
;; ANSWER SECTION:
chk.geo.example.com. 60 IN A 127.0.0.100
Right case, bind uses the IP from CLIENT-SUBNET, geons6 (bind911 with GeoIPv1, answer 127.0.0.101, view EUROPE):
17-Oct-2019 15:14:14.579 client @0x802e71e00 91.103.XX.XX#38833 (chk.geo.example.com): view EUROPE: query: chk.geo.example.com IN A +E(0)K (130.117.XX.XX)
lvv@icinga:~ % dig chk.geo.example.com +subnet=80.239.174.1 @geons6
; <<>> DiG 9.14.6 <<>> chk.geo.example.com +subnet=80.239.174.1 @geons6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44312
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2f1fa0472b16ae834c16f3435da859b66f3a821891e5b404 (good)
; CLIENT-SUBNET: 80.239.174.1/32/24
;; QUESTION SECTION:
;chk.geo.example.com. IN A
;; ANSWER SECTION:
chk.geo.example.com. 60 IN A 127.0.0.101
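For reference, this is the wire format (RFC 7871) of the CLIENT-SUBNET option that `dig +subnet=80.239.174.1` sends and that the two servers echo back as `80.239.174.1/32/21` and `80.239.174.1/32/24`. It is an added example, not part of the original report or of BIND; the function names and the query ID are assumptions made for illustration.

```python
import ipaddress
import struct

ECS = 8  # EDNS0 option code for CLIENT-SUBNET (RFC 7871)

def build_ecs_option(subnet: str) -> bytes:
    """Encode the option as a client sends it (scope prefix is 0 in queries)."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    # Only the bytes covered by the source prefix go on the wire.
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS, len(data)) + data

def parse_ecs_option(option: bytes):
    """Decode an option into (address, source_prefix, scope_prefix)."""
    if len(option) < 8:
        raise ValueError("truncated CLIENT-SUBNET option")
    code, length, family, source, scope = struct.unpack("!HHHBB", option[:8])
    size = {1: 4, 2: 16}.get(family)
    addr = option[8:]
    if code != ECS or length != len(option) - 4 or size is None:
        raise ValueError("not a well-formed CLIENT-SUBNET option")
    if len(addr) != (source + 7) // 8 or len(addr) > size:
        raise ValueError("address length does not match source prefix")
    return str(ipaddress.ip_address(addr.ljust(size, b"\0"))), source, scope

def build_query(name: str, subnet: str, qid: int = 0x1234) -> bytes:
    """Build an A/IN query carrying the option in an OPT pseudo-record."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    opt = build_ecs_option(subnet)
    # OPT RR: root owner, type 41, class = UDP size, TTL = ext-rcode/version/flags.
    opt_rr = b"\0" + struct.pack("!HHIH", 41, 4096, 0, len(opt)) + opt
    return header + qname + struct.pack("!HH", 1, 1) + opt_rr

def ecs_echo_ok(sent: bytes, received: bytes) -> bool:
    """RFC 7871: the reply must echo family, source prefix and address."""
    return sent[:7] + sent[8:] == received[:7] + received[8:]  # skip scope byte

if __name__ == "__main__":
    sent = build_ecs_option("80.239.174.1/32")
    # Constructed reply option matching what dig printed for geons1: /32/21.
    reply = bytes.fromhex("000800080001201550efae01")
    print(parse_ecs_option(reply), ecs_echo_ok(sent, reply))
```

Both replies in the report echo the option with a non-zero scope prefix, so a monitoring probe has to compare the returned A record as well as the echoed option.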