RHEL-105367

enable A/AAAA filtering in dnsmasq


    • Story
    • Resolution: Done-Errata
    • rhel-9.6.z
    • dnsmasq
    • dnsmasq-2.85-17.el9_6
    • 1
    • rhel-net-perf
    • 3
    • N&P-25_6

      Problem Description:
      Current Red Hat Enterprise Linux 9.6 (and consequently, Red Hat CoreOS versions 4.19/4.20) ship with dnsmasq version 2.85. This version lacks critical DNS filtering features, specifically filter-A and filter-AAAA, which were introduced in dnsmasq 2.87.

      Impact and Business Justification:
      The absence of dnsmasq 2.87+ (and thus the filter-A/filter-AAAA capabilities) is a fundamental blocker for enabling a robust Disaster Recovery (DR) solution with StarLink, particularly for customers deploying Single Node OpenShift (SNO) clusters.

      In a disaster scenario, a customer's SNO cluster's primary network connection, typically operating over IPv6, needs to dynamically switch to a StarLink connection, which is primarily IPv4. To effectively manage this transition and control the IP family used for external communication from dual-stack pods within these customer SNO environments, the proposed solution relies on:

      • Maintaining a dual-stack OpenShift cluster.
      • Dynamically controlling the IP family preference for external outbound traffic by filtering A (IPv4) or AAAA (IPv6) responses at the dnsmasq instance running on the SNO node.

      Without filter-A and filter-AAAA, dnsmasq cannot reliably perform this essential filtering, which would lead to:

      • IPv6 preference issues (timeouts/delays) when external connectivity is IPv4-only.
      • Application errors and degraded service during DR events for customer SNO deployments.
      • Inability to deliver a robust and automated IP family failover mechanism for these customers.

      Request:
      We urgently request an upgrade of the dnsmasq package to version 2.86 or newer (preferably the latest stable version like 2.89+) in upcoming RHEL 9.x releases and, consequently, in future Red Hat CoreOS versions (starting from 4.19/4.20 or subsequent point releases) to support critical customer SNO-based disaster recovery solutions.

      References:

              pemensik@redhat.com Petr Mensik
              alkaplan@redhat.com Alona Paz
              Petr Mensik Petr Mensik
              Petr Sklenar Petr Sklenar
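
The IP-family switch described in the issue above, sketched as an added example (not code from the issue or from dnsmasq): it writes a dnsmasq drop-in that strips AAAA or A answers depending on which family is usable, and refuses to do so on a version without the options. The drop-in name `90-ip-family.conf` and the function names are assumptions; the 2.87 threshold is the one the issue states.

```shell
#!/bin/sh
# Added example: pick the record type dnsmasq strips from answers, based on
# the address family currently usable for outbound traffic.

# Minimum dnsmasq version carrying filter-A / filter-AAAA, per the issue.
MIN_VERSION="2.87"

# version_supports_filter VERSION -> exit 0 if VERSION >= MIN_VERSION.
version_supports_filter() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # drop suffixes such as "-17.el9_6"
    min_major=${MIN_VERSION%%.*}
    min_minor=${MIN_VERSION#*.}
    [ "$major" -gt "$min_major" ] && return 0
    [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]
}

# render_dropin FAMILY -> prints the drop-in body for the usable family.
#   ipv4: uplink is IPv4-only, so strip AAAA answers
#   ipv6: uplink is IPv6-only, so strip A answers
#   dual: both families usable, filter nothing
render_dropin() {
    case "$1" in
        ipv4) echo "filter-AAAA" ;;
        ipv6) echo "filter-A" ;;
        dual) echo "# no address-family filtering" ;;
        *)    echo "unknown family: $1" >&2; return 2 ;;
    esac
}

# apply_family FAMILY VERSION CONF_DIR -> writes CONF_DIR/90-ip-family.conf
# (hypothetical file name). Refuses on versions without the options, where
# the unknown keyword would stop dnsmasq from starting.
apply_family() {
    family=$1 version=$2 conf_dir=$3
    if [ "$family" != dual ] && ! version_supports_filter "$version"; then
        echo "dnsmasq $version lacks filter-A/filter-AAAA" >&2
        return 1
    fi
    body=$(render_dropin "$family") || return 2
    # Dot-prefixed temp file: dnsmasq skips such names when reading conf-dir.
    tmp=$(mktemp "$conf_dir/.ip-family.XXXXXX") || return 3
    printf '%s\n' "$body" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$conf_dir/90-ip-family.conf"   # atomic replace
}
```

dnsmasq reads its configuration only at startup, so the service has to be restarted after the drop-in changes; `dnsmasq --test` checks the syntax beforehand.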