<div dir="ltr">In this case, it looks like the authority of <a href="http://www.qq.com">www.qq.com</a> does respond with ECS when it replies with the CNAME (US case). It's only Akamai's authority which does not.<div><br></div><div>So why is <a href="http://www.qq.com">www.qq.com</a>. in the primary cache? It seems like it should not be. It does make sense that <a href="http://qq.com.edgesuite.net">qq.com.edgesuite.net</a>. and <a href="http://a1574.b.akamai.net">a1574.b.akamai.net</a>. are in the primary cache, but why would this affect the response for <a href="http://www.qq.com">www.qq.com</a>.?</div><div><br></div><div>Thanks,</div><div><br></div><div>Andy</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 5, 2015 at 4:32 PM, 余坤 <span dir="ltr">&lt;<a href="mailto:yukun2005@gmail.com" target="_blank">yukun2005@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Just like the send-client-subnet command in unbound.conf, I prefer to provide another option in the config file that compiles a white list of domains which enable ECS. All the records from the domains in the white list should be cached in the ECS cache instead of the primary cache.<div><br></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Tue, Jan 6, 2015 at 2:16 AM, Larry Havemann <span dir="ltr">&lt;<a href="mailto:larry@edgecast.com" target="_blank">larry@edgecast.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I think the best way to avoid getting non-ECS answers when ECS is present would be to always pass the query to the ECS module.
Yes, this would slow down non-ECS queries, but would avoid the issue of returning a non-ECS answer to an ECS query. I think this should be acceptable to anyone who chooses to enable ECS.</div><div class="gmail_extra"><span><font color="#888888"><br clear="all"><div><div>-Larry</div></div></font></span><div><div>
<br><div class="gmail_quote">On Tue, Dec 30, 2014 at 1:49 AM, Yuri Schaeffer <span dir="ltr"><<a href="mailto:yuri@nlnetlabs.nl" target="_blank">yuri@nlnetlabs.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>Hi Kun,<br>
<br>
Thank you for your feedback!<br>
<br>
Apart from the TTL issue it sounds like the software works as<br>
advertised. The authority server indicated lack of ECS support so we<br>
cache that information. This strategy greatly improves performance for<br>
all non-ECS domains. (Read: it will keep stock Unbound performance)<br>
Once the TTL expires the server is probed again.<br>
<br>
How do you propose Unbound should decide this information is a lie,<br>
sometimes...? Would you be willing to sacrifice performance for all<br>
non-ECS lookups greatly?<br>
<br>
Regards,<br>
Yuri<br>
<span><br>
On 12/24/2014 10:07 AM, 余坤 wrote:<br>
</span>> Hi Larry, Yuri<br>
><br>
> After a few days of testing, I'm afraid that this branch is not ready<br>
> for production use yet. First, just like Larry has pointed out, the RTT<br>
> value in the ECS cache does not decrease. Second, when a domain supports<br>
> ECS partially, unbound may cache suboptimal results. For instance,<br>
> <a href="http://www.qq.com" target="_blank">www.qq.com</a> supports ECS in China, i.e. all name servers of<br>
> <a href="http://qq.com" target="_blank">qq.com</a> in China respond correctly when ECS is set in the query.<br>
> But <a href="http://qq.com" target="_blank">qq.com</a> uses Akamai to deliver contents outside China. When<br>
> unbound receives a query for <a href="http://www.qq.com" target="_blank">www.qq.com</a> with client=18.0.0.0/8,<br>
> the name server of <a href="http://qq.com" target="_blank">qq.com</a> will redirect this query to Akamai. As we<br>
> all know, Akamai doesn't support ECS, so the name server of Akamai will<br>
> return a resource record without the ECS option. This record ends up in<br>
> the ordinary cache of unbound! How did I find out this record is<br>
> cached in the ordinary cache? Because the TTL value of this record<br>
> does decrease! So subsequent queries for <a href="http://qq.com" target="_blank">qq.com</a> without the ECS<br>
> option will be replied to with an IP address in America! This may cause<br>
> a severe performance downgrade. A more specific example:<br>
><br>
> dig @121.194.13.147 www.qq.com<br>
><br>
> ;; ANSWER SECTION:<br>
> www.qq.com. 300 IN A 115.25.209.39   &lt;= IP in Beijing China<br>
><br>
> ./dig @121.194.13.147 www.qq.com +client=60.255.0.0/16<br>
><br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 4096<br>
> ; CLIENT-SUBNET: 60.255.0.0/16/24<br>
> ;; QUESTION SECTION:<br>
> ;www.qq.com. IN A<br>
><br>
> ;; ANSWER SECTION:<br>
> www.qq.com. 300 IN A 175.155.116.108   &lt;= IP in another city of China<br>
><br>
> So far so good, now ask unbound with an IP address in America:<br>
><br>
> ./dig @121.194.13.147 www.qq.com +client=18.0.0.0/8<br>
><br>
> ;; OPT PSEUDOSECTION:<br>
> ; EDNS: version: 0, flags:; udp: 4096<br>
> ; CLIENT-SUBNET: 18.0.0.0/8/0<br>
> ;; QUESTION SECTION:<br>
> ;www.qq.com. IN A<br>
><br>
> ;; ANSWER SECTION:<br>
> www.qq.com. 299 IN CNAME qq.com.edgesuite.net.<br>
> qq.com.edgesuite.net. 21600 IN CNAME a1574.b.akamai.net.<br>
> a1574.b.akamai.net. 20 IN A 23.201.102.40   &lt;= Akamai's IP address<br>
> a1574.b.akamai.net. 20 IN A 23.201.102.41<br>
><br>
> Now query unbound without the ECS option:<br>
><br>
> ./dig @121.194.13.147 www.qq.com<br>
><br>
> ;; ANSWER SECTION:<br>
> www.qq.com. 292 IN CNAME qq.com.edgesuite.net.<br>
> qq.com.edgesuite.net. 21593 IN CNAME a1574.b.akamai.net.<br>
> a1574.b.akamai.net. 13 IN A 23.201.102.40   &lt;= Still Akamai's address!<br>
> a1574.b.akamai.net. 13 IN A 23.201.102.41<br>
><br>
> ;; Query time: 0 msec   &lt;= get result from cache<br>
><br>
> In this way, unbound stores a suboptimal record in the main cache, and<br>
> subsequent queries will all get this record. This is not acceptable<br>
> because it will cause too much inter-continent traffic. Since ECS is not<br>
> an RFC yet, I assume partial support of ECS is quite common. Returning<br>
> suboptimal results to clients can cause serious performance problems.<br>
> IMHO, unbound should provide a way to configure which domains should be<br>
> stored in the ECS cache. In this way, even if some of the name servers of<br>
> a domain do not support ECS, all the records of this domain will be stored<br>
> in the ECS cache. Records without ECS information will have a subnet of<br>
> 0.0.0.0/0. The best choice can be determined by longest prefix match of<br>
> the client subnet.<br>
><br>
> Regards,<br>
> Kun<br><span>
</span><span>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
</span>iEYEARECAAYFAlSidTUACgkQI3PTR4mhavgQ/ACcDdjAFoKNGSfP4AwRxdjENcBx<br>
POsAn3z6QX+OgY0/iBajcc7YrvdhkwaB<br>
=K73M<br>
<div><div>-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@unbound.net" target="_blank">Unbound-users@unbound.net</a><br>
<a href="http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users" target="_blank">http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users</a></div></div></blockquote></div><br></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="">-- <br><div><div dir="ltr">Kun YU<div>Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University, Beijing, 100084, China.</div><div><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;line-height:23.799999237060547px">Mobile Phone:<a href="tel:%2B86%2013466535220" value="+8613466535220" target="_blank">+86 13466535220</a></span><br><font color="#888888"><br></font></div></div></div>
</span></div>
</blockquote></div><br></div>
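The two caches discussed in this thread, modelled as added example code (this is not Unbound's own code and not Kun's patch): an answer that the authority returned without an ECS option lands in the primary cache, which is the behaviour Kun observed and Andy asks about, while a hypothetical whitelist option of the kind Kun proposes sends every answer for a whitelisted domain to the ECS cache, with a missing ECS scope recorded as 0.0.0.0/0 and lookups resolved by longest prefix match on the client address. The class, its method names and the whitelist option are assumptions made for the model; the names and addresses are the ones quoted in Kun's dig output, reused here as constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Scope recorded for an answer the authority returned without an ECS option
# (Kun's proposal: such records get a subnet of 0.0.0.0/0). IPv4 only here.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Entry:
    scope: ipaddress.IPv4Network  # network the answer is valid for
    answer: tuple                 # constructed answer, e.g. ("A", "115.25.209.39")
    ttl: int


class EcsAwareCache:
    """Model of a resolver with a primary (non-ECS) cache and an ECS cache.

    ecs_domains is the hypothetical whitelist from the thread: answers for
    any name under a listed domain always go to the ECS cache.
    """

    def __init__(self, ecs_domains=()):
        self.ecs_domains = {d.strip(".").lower() for d in ecs_domains}
        self.primary = {}  # qname -> Entry
        self.ecs = {}      # qname -> [Entry, ...], one per scope

    def whitelisted(self, qname):
        labels = qname.strip(".").lower().split(".")
        return any(".".join(labels[i:]) in self.ecs_domains for i in range(len(labels)))

    def store(self, qname, answer, ttl, ecs_scope=None):
        """Cache an authority's answer. ecs_scope is the address/scope the
        authority echoed back, or None when it sent no ECS option."""
        qname = qname.lower()
        if ecs_scope is None and not self.whitelisted(qname):
            # The behaviour reported in the thread: no ECS in the reply, so the
            # record is cached like any ordinary answer and its TTL counts down.
            self.primary[qname] = Entry(ANY, answer, ttl)
            return "primary"
        scope = ipaddress.ip_network(ecs_scope, strict=False) if ecs_scope else ANY
        entries = self.ecs.setdefault(qname, [])
        entries[:] = [e for e in entries if e.scope != scope]  # refresh same-scope entry
        entries.append(Entry(scope, answer, ttl))
        return "ecs"

    def lookup(self, qname, client=None):
        """Return (cache_name, answer) or (None, None).

        With a client address, every ECS entry whose scope contains the address
        is a candidate and the longest prefix wins, so 0.0.0.0/0 is the fallback.
        Without ECS in the query only the 0.0.0.0/0 entry can match.
        """
        qname = qname.lower()
        addr = ipaddress.ip_address(client) if client else None
        candidates = [
            e for e in self.ecs.get(qname, [])
            if (addr is None and e.scope == ANY) or (addr is not None and addr in e.scope)
        ]
        if candidates:
            best = max(candidates, key=lambda e: e.scope.prefixlen)
            return "ecs", best.answer
        if qname in self.primary:
            return "primary", self.primary[qname].answer
        return None, None


def demo():
    """Replay the thread's scenario with constructed answers."""
    china = ("A", "175.155.116.108")                                   # from the /16 query
    akamai = ("CNAME", "qq.com.edgesuite.net.", "A", "23.201.102.40")  # from the 18.0.0.0/8 query

    # 1) No whitelist: the ECS-less Akamai answer goes to the primary cache,
    #    so a later query without ECS is served the overseas address.
    plain = EcsAwareCache()
    plain.store("www.qq.com.", china, 300, ecs_scope="60.255.0.0/24")
    plain.store("www.qq.com.", akamai, 20)

    # 2) qq.com whitelisted: the same answer is stored under 0.0.0.0/0 in the
    #    ECS cache and longest prefix match prefers the Chinese answer for a
    #    Chinese client, while the /0 entry remains the fallback for everyone else.
    listed = EcsAwareCache(ecs_domains=["qq.com"])
    listed.store("www.qq.com.", china, 300, ecs_scope="60.255.0.0/24")
    listed.store("www.qq.com.", akamai, 20)

    return {
        "no_whitelist_plain_query": plain.lookup("www.qq.com."),
        "whitelist_china_client": listed.lookup("www.qq.com.", "60.255.0.1"),
        "whitelist_us_client": listed.lookup("www.qq.com.", "18.0.0.1"),
        "whitelist_plain_query": listed.lookup("www.qq.com."),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note what the model makes visible: with the whitelist, a query that carries no ECS option still receives the 0.0.0.0/0 entry, i.e. the Akamai address, because that is the only entry such a query can match; the proposal improves answers for clients whose subnet has a more specific cached entry, not for plain queries.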