Deprecated DSCP support

Borja Marcos borjam at sarenet.es
Thu Feb 29 09:34:42 UTC 2024



> On 29 Feb 2024, at 10:21, Petr Špaček <pspacek at isc.org> wrote:
> 
> On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users wrote:
>> I am working on a product in Nokia, and we currently use BIND provided by Rocky Linux 8 with security patches. Recently the requirement came that we should upgrade to at least 9.16. During the testing of this version we realized that a feature we used, DSCP, has stopped working. Reading about the topic, we found the article about it being non-operational in 9.16, and its removal in 9.18.
>> We also saw the email on this mailing list, stating that "so far, nobody has noticed" it is missing. Well, we noticed it just now, and I would like to state that our product and most probably other telecom equipment using BIND would miss it greatly. As I read in that mail, there was an alternative plan which would re-implement this functionality. If it is feasible, please consider doing it. The alternative options, e.g. setting it via iptables, cannot work in our use-case.
> 
> Could you please explain why it's not possible?
> 
> Maybe I'm naive, but something like
> 
> iptables -t mangle -A ... -p udp --dport 53 -j DSCP --set-dscp-class ...
> 
> seems like a sensible approach to me, and actually in the right place of the networking stack.

Actually I’ve sometimes done the same on FreeBSD using its internal firewall facility. 

	03000 setdscp cs7 ip from me to table(53)

But bear in mind that this is only guaranteed to work inside your network/ASN. It’s not unusual to scrub DSCP at the network border.





Borja.
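
A check for the caveat in the message above, as an added example that is not part of the original thread: it reads the DSCP field from a raw IPv4 or IPv6 header to tell whether a marking such as `cs7` arrived intact, was reset to zero, or was rewritten. The function names are hypothetical and the sample headers are constructed.

```python
import socket
import struct

# DSCP code points: CSn = 8n, AFxy = 8x + 2y, EF = 46 (RFC 2474, 2597, 3246).
DSCP = {f"cs{n}": 8 * n for n in range(8)}
DSCP.update({f"af{x}{y}": 8 * x + 2 * y for x in range(1, 5) for y in range(1, 4)})
DSCP["ef"] = 46

def read_dscp(packet: bytes) -> tuple[int, int]:
    """Return (dscp, ecn) from a raw IPv4 or IPv6 packet."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        tclass = packet[1]  # former TOS byte
    elif version == 6 and len(packet) >= 40:
        # Traffic class straddles the first two bytes, after the version nibble.
        tclass = (struct.unpack("!H", packet[:2])[0] >> 4) & 0xFF
    else:
        raise ValueError("not a complete IPv4/IPv6 header")
    return tclass >> 2, tclass & 0x3

def marking_state(packet: bytes, expected: str) -> str:
    """Compare the observed DSCP with the class the sender's firewall sets."""
    dscp, _ = read_dscp(packet)
    if dscp == DSCP[expected.lower()]:
        return "intact"
    return "scrubbed" if dscp == 0 else "remarked"

def sample_ipv4(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.53"))

def sample_ipv6(tclass: int) -> bytes:
    """Constructed 40-byte IPv6 header (addresses zeroed) for the demo."""
    first_word = (6 << 28) | (tclass << 20)
    return struct.pack("!IHBB", first_word, 0, 17, 64) + bytes(32)

if __name__ == "__main__":
    inside = sample_ipv4(DSCP["cs7"] << 2)   # as marked inside the network
    outside = sample_ipv4(0)                 # as seen after a border that scrubs
    print(marking_state(inside, "cs7"), marking_state(outside, "cs7"))
```

Feeding it headers captured on both sides of the border shows where the marking is lost.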


