<div dir="ltr">Hi Larry, Yuri<div>After a few days of testing, I'm afraid that this branch is not ready for production use yet. First, just like Larry has pointed out, RTT value in ECS cache does not decrease.</div><div>Second, when a domain supports ECS partially, unbound may cache suboptimal results. For instance, <a href="http://www.qq.com">www.qq.com</a> supports ECS in China, i.e. all name servers of <a href="http://qq.com">qq.com</a> in China responses correctly when ECS is set in the query. But <a href="http://qq.com">qq.com</a> uses Akamai to deliver contents outside China. When unbound receives a query of <a href="http://www.qq.com">www.qq.com</a> with client=<a href="http://18.0.0.0/8">18.0.0.0/8</a>, the name server of <a href="http://qq.com">qq.com</a> will redirect this query to Akamai. As we all know, Akamai doesn's support ECS, so name server of Akamai will rerurn a resource record without ECS option. This record ends up in the ordinary cache of unbount! How did I find out this record is cached in the ordinary cache? Because the TTL value of this records does decrease!</div><div>So subsequent queries of <a href="http://qq.com">qq.com</a> without ECS option will be replied with an IP address in America! This may cause severe performance downgrade.</div><div>A more specific example:</div><div>dig @<a href="http://121.194.13.147">121.194.13.147</a> <a href="http://www.qq.com">www.qq.com</a><br></div><div><div>;; ANSWER SECTION:</div><div><a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>300<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>115.25.209.39 <= IP in Beijing China</div></div><div><br></div><div>./dig @<a href="http://121.194.13.147">121.194.13.147</a> <a href="http://www.qq.com">www.qq.com</a> +client=<a href="http://60.255.0.0/16">60.255.0.0/16</a><br></div><div><div>;; OPT PSEUDOSECTION:</div><div>; EDNS: version: 0, flags:; udp: 4096</div><div>; CLIENT-SUBNET: <a href="http://60.255.0.0/16/24">60.255.0.0/16/24</a></div><div>;; QUESTION SECTION:</div><div>;<a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A</div><div><br></div><div>;; ANSWER SECTION:</div><div><a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>300<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>175.155.116.108 <= IP in another city of China</div></div><div><br></div><div>So far so good, now ask unbound with an IP address in America:</div><div><br></div><div>./dig @<a href="http://121.194.13.147">121.194.13.147</a> <a href="http://www.qq.com">www.qq.com</a> +client=<a href="http://18.0.0.0/8">18.0.0.0/8</a><br></div><div><div>;; OPT PSEUDOSECTION:</div><div>; EDNS: version: 0, flags:; udp: 4096</div><div>; CLIENT-SUBNET: <a href="http://18.0.0.0/8/0">18.0.0.0/8/0</a></div><div>;; QUESTION SECTION:</div><div>;<a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A</div><div><br></div><div>;; ANSWER SECTION:</div><div><a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>299<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://qq.com.edgesuite.net">qq.com.edgesuite.net</a>.</div><div><a href="http://qq.com.edgesuite.net">qq.com.edgesuite.net</a>.<span class="" style="white-space:pre"> </span>21600<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.</div><div><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.<span class="" style="white-space:pre"> </span>20<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>23.201.102.40 <= Akamai's IP address</div><div><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.<span class="" style="white-space:pre"> </span>20<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>23.201.102.41</div></div><div><br></div><div>Now query unbound without ECS option:</div><div>./dig @<a href="http://121.194.13.147">121.194.13.147</a> <a href="http://www.qq.com">www.qq.com</a> <br></div><div><div>;; ANSWER SECTION:</div><div><a href="http://www.qq.com">www.qq.com</a>.<span class="" style="white-space:pre"> </span>292<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://qq.com.edgesuite.net">qq.com.edgesuite.net</a>.</div><div><a href="http://qq.com.edgesuite.net">qq.com.edgesuite.net</a>.<span class="" style="white-space:pre"> </span>21593<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>CNAME<span class="" style="white-space:pre"> </span><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.</div><div><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.<span class="" style="white-space:pre"> </span>13<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>23.201.102.40 <= Still Akamai's address!</div><div><a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>.<span class="" style="white-space:pre"> </span>13<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>A<span class="" style="white-space:pre"> </span>23.201.102.41</div><div><br></div><div>;; Query time: 0 msec <= get result from cache</div></div><div><br></div><div>In this way, unbound stores a sub optimal record in the main cache, subsequent queries will all get this record. This is not acceptable because it will cause too much inter-continent traffic.</div><div>Since ECS is not a RFC yet, I assume partial support of ECS is quite common. Return sub optimal results to clients can cause serious performance problems. </div><div>IMHO, unbound should provide a way to config which domain should be stored in ECS cache. In this way, even some of the name servers of a domain do not support ECS, all the records of this domain will be stored in ECS cache. Records without ECS information will have a subnet of <a href="http://0.0.0.0/0">0.0.0.0/0</a>. The best choice can be determined by longest prefix match of client subnet.</div><div><br></div><div>Regards,</div><div>Kun</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 19, 2014 at 2:03 AM, Larry Havemann <span dir="ltr"><<a href="mailto:larry@edgecast.com" target="_blank">larry@edgecast.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Just a simple warning on using this branch, none of the issues detailed in this mailing list thread have been addressed: <a href="http://t28223.network-dns-unbound-user.dnstalk.us/edns-client-subnets-t28223.html" target="_blank">http://t28223.network-dns-unbound-user.dnstalk.us/edns-client-subnets-t28223.html</a><div><br></div><div>-Larry</div></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div>-Larry</div></div></font></span><div><div class="h5">
<br><div class="gmail_quote">On Thu, Dec 18, 2014 at 2:13 AM, Yuri Schaeffer <span dir="ltr"><<a href="mailto:yuri@nlnetlabs.nl" target="_blank">yuri@nlnetlabs.nl</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span><span>> very thanks. Do the unbound cache the result that contain<br>
> edns-client-subnet information?<br>
<br>
</span>Yes!<br>
It has an additional cache for ECS responses. For performance reasons<br>
lookups in this cache are only done when there are reasons to believe<br>
it is necessary. I.e. 1) When an answer is not found in the regular<br>
cache and the authority server is whitelisted. or 2) The client<br>
includes ECS option.<br>
<br>
//Yuri<br>
<span>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
</span>iEYEARECAAYFAlSSqLoACgkQI3PTR4mhaviDBgCgzrnSOCX0wggIdjF2WkCtDbiR<br>
WcUAn3zQ0WDD9lsonKs3XdB8PKmEmXjM<br>
=3o06<br>
<div><div>-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@unbound.net" target="_blank">Unbound-users@unbound.net</a><br>
<a href="http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users" target="_blank">http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
</div></div></blockquote></div></div></div></div>
<br>_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@unbound.net">Unbound-users@unbound.net</a><br>
<a href="http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users" target="_blank">http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Kun YU<div>Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University, Beijing, 100084, China.</div><div><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;line-height:23.799999237060547px">Mobile Phone:+86 13466535220</span><br><font color="#888888"><br></font></div></div></div>
</div>