[Unbound-users] How to config whitelist for EDNS client subnet in unbound
yukun2005 at gmail.com
Tue Jan 6 14:51:20 UTC 2015
On Tue, Jan 6, 2015 at 10:07 PM, Miek Gieben <miek at miek.nl> wrote:
> [ Quoting <yuri at nlnetlabs.nl> in "Re: [Unbound-users] How to config w..."
>> Hi Larry,
>>> I think the best way to avoid getting non-ECS answers when ECS is
>>> present would be to always pass the query to the ECS module. Yes,
>>> this would slow down non-ECS queries, but would avoid the issue of
>>> returning a non-ECS answer to an ECS query. Acceptable to anyone who
>>> chooses to enable ECS.
>> I'm afraid this would not work sufficiently. Unbound does not know
>> which source addresses get handled incorrectly by the authority. Thus,
>> if no match is found in the subnet cache, Unbound has no choice but to
>> ask the authority. Effectively Unbound won't be able to cache at all
>> for the CDN queries.
> this is effectively the text in the draft:
> If the address of the client does not match any network in the cache,
> then the Recursive Resolver MUST behave as if no match was found and
> perform resolution as usual. This is necessary to avoid suboptimal
> replies in the cache from being returned to the wrong clients, and to
> avoid a single request coming from a client on a different network
> from polluting the cache with a suboptimal reply for all the users of
> that resolver.
This is why I believe compiling a list of DNS servers that support client
subnet is not enough. There should be another option to config a list of
domains which support client subnet. Any records in these domains should
be cached in the secondary cache instead of the primary one.
> There are two ways to look at this IMHO:
> 1) The setup is broken, you can't have authorities answer differently
> and always expect to have an optimal answer.
? Isn't this exactly what a CDN DNS server does?
> 2) The draft is broken because it can not deal with this setup.
>> I fail to see a way to fix this problem AND adhere to the draft AND
>> not cause unexpected failures for anyone else. I'm open for fresh
>> ideas though.
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone：+86 13466535220
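The cache rule Miek quotes from the draft, together with the per-domain whitelist and secondary cache proposed above, as an added example that is not part of this thread and not Unbound's own code. It assumes a hypothetical whitelist `ECS_ZONES`, a /24 source prefix for IPv4 clients, and a constructed stub authority (`demo_authority`) standing in for the CDN's name servers. Names under a whitelisted domain go through a subnet cache where a client must fall inside a cached network (longest match wins) or the query goes upstream again; everything else uses the ordinary cache and never sends ECS. A scope of 0 from the authority is stored as 0.0.0.0/0, so that answer does serve every client.

```python
import ipaddress
from dataclasses import dataclass

# Constructed whitelist: zones whose authorities honour EDNS Client Subnet
# (the "list of domains which support client subnet" proposed in the mail).
ECS_ZONES = ("cdn.example.",)

# Source prefix length sent upstream for IPv4 clients (an assumption here).
SOURCE_PREFIX_V4 = 24


@dataclass(frozen=True)
class Answer:
    rdata: tuple   # A records as strings
    scope: int     # SCOPE PREFIX-LENGTH from the authority; 0 = not client-specific


class SubnetCache:
    """Secondary cache keyed by (qname, client network) with longest-prefix lookup."""

    def __init__(self):
        self._entries = {}  # qname -> {IPv4Network: Answer}

    def put(self, qname, source_net, answer):
        # Valid for the source prefix truncated to the scope the authority returned.
        # A scope longer than what we sent is clamped: we only know that many client bits.
        # Scope 0 lands on 0.0.0.0/0, i.e. the answer may be served to every client.
        prefix = min(answer.scope, source_net.prefixlen)
        net = ipaddress.ip_network((str(source_net.network_address), prefix), strict=False)
        self._entries.setdefault(qname, {})[net] = answer

    def lookup(self, qname, client_ip):
        # Draft rule: the client must fall inside a cached network, longest match wins;
        # anything else is a miss and is resolved as usual, never served from another
        # network's entry.
        best = None
        for net, answer in self._entries.get(qname, {}).items():
            if client_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, answer)
        return None if best is None else best[1]


class Resolver:
    def __init__(self, authority):
        self.authority = authority   # callable(qname, source_net or None) -> Answer
        self.primary = {}            # ordinary cache: qname -> Answer
        self.subnet = SubnetCache()
        self.upstream_queries = 0

    @staticmethod
    def in_ecs_zone(qname):
        return any(qname == zone or qname.endswith("." + zone) for zone in ECS_ZONES)

    def resolve(self, qname, client_ip):
        client_ip = ipaddress.ip_address(client_ip)
        if not self.in_ecs_zone(qname):
            # Not whitelisted: no ECS option is sent, subnet cache never consulted.
            if qname not in self.primary:
                self.upstream_queries += 1
                self.primary[qname] = self.authority(qname, None)
            return self.primary[qname].rdata
        hit = self.subnet.lookup(qname, client_ip)
        if hit is not None:
            return hit.rdata
        source_net = ipaddress.ip_network((str(client_ip), SOURCE_PREFIX_V4), strict=False)
        self.upstream_queries += 1
        answer = self.authority(qname, source_net)
        self.subnet.put(qname, source_net, answer)
        return answer.rdata


def demo_authority(qname, source_net):
    """Constructed stand-in for the authorities; not a real server."""
    if qname == "www.cdn.example.":
        # Per-network answers, as a CDN would give.
        if source_net is not None and source_net.network_address in ipaddress.ip_network("192.0.2.0/24"):
            return Answer(("198.51.100.10",), scope=24)
        return Answer(("203.0.113.10",), scope=24)
    if qname == "static.cdn.example.":
        # Same answer for everyone; the authority signals that with scope 0.
        return Answer(("192.0.2.90",), scope=0)
    return Answer(("192.0.2.80",), scope=0)


def demo():
    """Run a constructed query sequence; returns (answers, number of upstream queries)."""
    r = Resolver(demo_authority)
    queries = [
        ("www.cdn.example.", "192.0.2.17"),     # miss: ask authority with 192.0.2.0/24
        ("www.cdn.example.", "192.0.2.200"),    # hit: same /24
        ("www.cdn.example.", "198.18.0.5"),     # miss: other network, ask again (draft rule)
        ("static.cdn.example.", "192.0.2.17"),  # miss: scope 0 comes back, stored as /0
        ("static.cdn.example.", "198.18.0.5"),  # hit via the /0 entry
        ("www.example.", "192.0.2.17"),         # not whitelisted: primary cache, no ECS
        ("www.example.", "198.18.0.5"),         # hit in primary cache
    ]
    answers = [r.resolve(qname, ip) for qname, ip in queries]
    return answers, r.upstream_queries


if __name__ == "__main__":
    answers, upstream = demo()
    for a in answers:
        print(a)
    print("upstream queries:", upstream)
```

The third query is the cost yuri describes: a client from a network with no cached entry must be sent to the authority even though an answer for the name is already cached, so the subnet cache only helps clients that share a network with an earlier querier. The scope-0 path shows the one case where a single upstream answer legitimately serves everybody.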