EDNS key tag for triggering forwarding
Some BIND users, specifically enterprise users, want to forward a subset of their queries to a specialized resolver. The primary purpose is to enable an additional proprietary filtering policy that is enforced on the specialized resolver. This policy may be updated frequently, so it is preferable that the BIND server not cache these responses but always forward queries that carry this key tag. (The "key tag" here is an application-level marker carried in an EDNS option; it is unrelated to the DNSSEC key tag of RFC 4034.)
Requests that we have seen include forwarding queries from users in specific departments that may have different security requirements.
Currently, you can configure BIND either to forward globally or to create "forward zones" (which aren't really zones at all, but only look that way in the configuration) that forward specific domains, and all of their subdomains that don't have local configuration overriding the forwarding. What we would like is a DNS extension (an EDNS option in the OPT record) on individual queries that directs the BIND resolver to forward those queries. This would have to work alongside the existing, more general forward zones.
- Design some additional EDNS option (does not need to be standardized)
- Add a configuration option to BIND to set up a list of EDNS option values with associated forwarding instructions (e.g. tags A, B and C forward to server 23; tags D and E forward to server 24).
- When BIND receives a query with this EDNS option, check for a forwarding rule associated with that option value. If there isn't one, ignore the option and resolve the query as it would any other.
- Ideally, we would like the BIND resolver that gets the query with the EDNS option to forward the query and not cache the response.
- Of course, the EDNS option should be backwards compatible, so a BIND server that isn't configured for or doesn't support this option should be unaffected. (EDNS already requires a responder to ignore option codes it does not recognise, per RFC 6891, so on the wire this comes for free; the work is in making sure a server with no matching rule behaves identically to one that never saw the option.)
- As Brian has added below, dnsmasq already adds some EDNS options to identify CPE, subnets, or MAC addresses. In an enterprise use case we can't rely on dnsmasq being present, so we also need to add the corresponding feature to BIND to ADD this EDNS option on some queries. We need more user feedback about how this markup should work: does an individual BIND server just put the same key tag on every query it is resolving, or does the tag depend on the client?
- Assuming it would be a big project to forward without also caching the responses, we need to consider the issues and effort involved in creating and maintaining such a "simple forwarder" (forward-only, no-cache) feature.
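To make the proposal above concrete, here is an added example (not BIND code, and not the project's own design) that builds both halves of the exchange in plain Python with no network access: a client that stamps a query with the tag option, and the resolver-side check that maps the tag to a forwarder or falls through to normal resolution. The option code `65001` is an assumption taken from the local/experimental range RFC 6891 reserves (65001-65534), the `FORWARD_RULES` table is a hypothetical stand-in for whatever named.conf syntax would eventually be chosen, and the query at the bottom is constructed inline.

```python
import struct

# Hypothetical option code for the forwarding key tag. RFC 6891 sets aside
# 65001-65534 for local/experimental use; nothing here is IANA-registered.
FORWARD_TAG_OPTION = 65001

# Hypothetical rule table standing in for the proposed BIND configuration
# option (tags A, B, C -> server 23; tags D, E -> server 24). Not BIND syntax.
FORWARD_RULES = {
    b"A": "192.0.2.23", b"B": "192.0.2.23", b"C": "192.0.2.23",
    b"D": "192.0.2.24", b"E": "192.0.2.24",
}


def encode_name(qname):
    """Encode a dotted name as wire-format labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, options=(), qid=0x1234, payload=1232, edns=True):
    """Client side: build a DNS query whose OPT RR carries the given EDNS options."""
    # flags 0x0100 = RD; 1 question; 1 additional RR when EDNS is present
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags (all zero here)
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, payload, 0, len(rdata)) + rdata
    return header + question + opt_rr


def _skip_name(msg, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns_options(msg):
    """Server side: return [(code, data), ...] from the OPT RR, or [] without EDNS."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    options = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != 41:                         # only the OPT RR carries options
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            options.append((code, rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
    return options


def select_forwarder(msg, rules=FORWARD_RULES):
    """Return (forwarder, bypass_cache) for a query.

    Unknown option codes and tags with no rule are ignored, which is what
    RFC 6891 already requires for unrecognised options, so a resolver with
    no matching rule behaves exactly like one that never saw the option.
    """
    for code, data in parse_edns_options(msg):
        if code == FORWARD_TAG_OPTION and data in rules:
            return rules[data], True
    return None, False


if __name__ == "__main__":
    # Constructed sample query from a department whose tag maps to server 24.
    q = build_query("intranet.example.", options=[(FORWARD_TAG_OPTION, b"D")])
    print(select_forwarder(q))
```

The `bypass_cache` flag is the piece the request calls out as the hard part: the rule lookup is trivial, but a real resolver would also have to skip its cache on both the lookup and the store for a matched query, which is what the "simple forwarder" discussion above is about.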
Links / references
Related feature request for using EDNS option for selecting a filtering policy: #825