> On 29 Feb 2024, at 10:21, Petr Špaček <pspa...@isc.org> wrote:
> 
> On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users wrote:
>> I am working on a product in Nokia, and we currently use BIND provided by 
>> Rocky Linux 8 with security patches. Recently the requirement came that we 
>> should upgrade to at least 9.16. During the testing of this version we 
>> realized that a feature we used, DSCP, has stopped working. Reading about 
>> the topic, we found the article about it being non-operational in 9.16, and 
>> its removal in 9.18.
>> We also saw the email on this mailing list, stating that "so far, nobody 
>> has noticed" it is missing. Well, we noticed it just now, and I would like 
>> to state that our product and most probably other telecom equipment using 
>> BIND would miss it greatly. As I read in that mail, there was an alternative 
>> plan which would re-implement this functionality. If it is feasible, please 
>> consider doing it. The alternative options, e.g. setting it via iptables 
>> cannot work in our use-case.
> 
> Could you please explain why it's not possible?
> 
> Maybe I'm naive, but something like
> 
> iptables -t mangle -A ... -p udp --dport 53 -j DSCP --set-dscp-class ...
> 
> seems like a sensible approach to me, and actually in the right place of 
> the networking stack.

Actually I’ve sometimes done the same on FreeBSD using its internal firewall 
facility. 

        03000 setdscp cs7 ip from me to table(53)

But bear in mind that this is only guaranteed to work inside your network/ASN. 
It’s not unusual to scrub DSCP at the network border.

Borja.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
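
Added example, not part of the original thread: a check for whether the firewall-applied mark is actually on the wire, or has been scrubbed, by decoding DSCP from captured IPv4/UDP packets on port 53. The function names and the sample packets (built inline with documentation addresses) are constructed for illustration; IPv4/UDP only.

```python
import struct

# DSCP code points for the class-selector names (RFC 2474): CSn = n * 8.
CLASS_SELECTORS = {f"cs{n}": n * 8 for n in range(8)}

def build_ipv4_udp(tos, sport, dport):
    """Constructed sample: minimal IPv4 + UDP header, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def parse(packet):
    """Return (dscp, sport, dport) for an unfragmented IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None                              # bad header, not UDP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                              # later fragment: no UDP header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    # DSCP is the upper six bits of the TOS byte; the lower two are ECN.
    return packet[1] >> 2, sport, dport

def unmarked_dns(packets, expected_class):
    """Indexes of UDP port 53 packets whose DSCP differs from the expected class."""
    want = CLASS_SELECTORS[expected_class]
    bad = []
    for i, pkt in enumerate(packets):
        parsed = parse(pkt)
        if parsed is None:
            continue
        dscp, sport, dport = parsed
        if 53 in (sport, dport) and dscp != want:
            bad.append(i)
    return bad

SAMPLE_PACKETS = [
    build_ipv4_udp(0xE0, 53, 40000),   # cs7, as set by the firewall rule
    build_ipv4_udp(0x00, 53, 40001),   # DSCP zeroed, e.g. scrubbed at a border
    build_ipv4_udp(0xE1, 40002, 53),   # cs7 with an ECN bit set: still cs7
    build_ipv4_udp(0x00, 123, 123),    # not DNS, ignored
]

if __name__ == "__main__":
    print("DNS packets without cs7:", unmarked_dns(SAMPLE_PACKETS, "cs7"))
```

Feeding it packets captured on both sides of a border router shows whether the mark survives that hop.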