<div dir="ltr">If 0.0.0.0/0 is not a good idea, how about setting the prefix length to the max-client-subnet-ipv4 option?<div>According to the unbound.conf manual,</div><div> max-client-subnet-ipv4: &lt;number&gt;</div><div> Specifies the maximum prefix length of the client source address we are willing to expose to third parties for IPv4. Defaults to 24.</div><div><br></div><div>Since this is the default prefix length exposed to the DNS server that supports ECS, the records returned by the DNS server must be optimal for the prefix with a length set by max-client-subnet-ipv4/6.</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 8, 2015 at 6:23 AM, Yuri Schaeffer <span dir="ltr">&lt;<a href="mailto:yuri@nlnetlabs.nl" target="_blank">yuri@nlnetlabs.nl</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span><span class="">On 01/06/2015 07:32 PM, Over Dexia wrote:<br>
> But I believe that would be mitigated by storing the no-ecs<br>
> response with a source 0.0.0.0/0 (like Kun YU proposed) in the<br>
> subnet cache. If all queries for that domain use this cache, the<br>
> reply should be like intended.<br>
<br>
</span>Think about what having a scope netmask of 0 means:<br>
"The most specific answer available for your source IP has the first<br>
0 bits in common with the address 0.0.0.0"<br>
<br>
Thus any query will match this cache entry. Which will result in the<br>
same behaviour as the current implementation.<br>
<br>
//Yuri<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@unbound.net">Unbound-users@unbound.net</a><br>
<a href="http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users" target="_blank">http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Kun YU<div>Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University, Beijing, 100084, China.</div><div><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;line-height:23.799999237060547px">Mobile Phone:+86 13466535220</span><br><font color="#888888"><br></font></div></div></div>
</div>
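<div>The matching rule discussed in this thread, as an added sketch that is not Unbound source code and not part of either message: a reply cached with scope 0 is served to every client, while one cached at prefix length 24 (the max-client-subnet-ipv4 default quoted above) is served only inside the same /24. All names, the constructed addresses, and the "most specific scope wins" rule are assumptions of the sketch.</div>

```c
/* Added sketch, not Unbound source; all names are hypothetical. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ecs_entry {
    uint32_t net;        /* network address, host byte order */
    uint8_t scope;       /* scope prefix length, 0..32 */
    const char *answer;  /* cached reply (label only) */
};

/* Dotted quad to host-order integer; 0 if the string does not parse. */
static uint32_t ip4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* First `len` bits set. len 0 gives an empty mask; shifting a 32-bit
 * value by 32 is undefined in C, so both ends are handled explicitly. */
static uint32_t prefix_mask(uint8_t len) {
    if (len == 0) return 0;
    return len >= 32 ? 0xFFFFFFFFu : ~(0xFFFFFFFFu >> len);
}

/* An entry matches when the first `scope` bits of both addresses agree. */
static int ecs_match(const struct ecs_entry *e, uint32_t client) {
    uint32_t m = prefix_mask(e->scope);
    return (client & m) == (e->net & m);
}

/* Assumption of this sketch: the most specific matching scope wins. */
const char *ecs_lookup(const struct ecs_entry *tab, size_t n, const char *client) {
    const struct ecs_entry *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (ecs_match(&tab[i], ip4(client)) && (!best || tab[i].scope > best->scope))
            best = &tab[i];
    return best ? best->answer : NULL;
}

/* Constructed case: a reply is cached for client 192.0.2.10 at `scope`,
 * then `asker` queries. Returns 1 if the cached reply is served. */
int served_from_cache(uint8_t scope, const char *asker) {
    struct ecs_entry e = { ip4("192.0.2.10") & prefix_mask(scope), scope, "no-ecs reply" };
    return ecs_lookup(&e, 1, asker) != NULL;
}

int main(void) {
    printf("scope 0, other network:  %d\n", served_from_cache(0, "198.51.100.7"));
    printf("scope 24, other network: %d\n", served_from_cache(24, "198.51.100.7"));
    printf("scope 24, same /24:      %d\n", served_from_cache(24, "192.0.2.200"));
    return 0;
}
```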