[Unbound-users] How to config whitelist for EDNS client subnet in unbound
余坤
yukun2005 at gmail.com
Tue Jan 6 14:51:20 UTC 2015
On Tue, Jan 6, 2015 at 10:07 PM, Miek Gieben <miek at miek.nl> wrote:
> [ Quoting <yuri at nlnetlabs.nl> in "Re: [Unbound-users] How to config w..." ]
>
>> Hi Larry,
>>
>>> I think the best way to avoid getting non ecs answers when ecs is
>>> present would be to always pass the query to the ecs module. Yes
>>> this would slow down non ecs queries, but would avoid the issue of
>>> returning a non ecs answer to an ecs query. acceptable to anyone who
>>> chooses to enable ECS.
>>>
>>
>> I'm afraid this would not work sufficiently. Unbound does not know
>> which source addresses get handled incorrectly by the authority. Thus,
>> if no match is found in the subnet-cache, it has no choice but to ask the
>> authority. Effectively Unbound won't be able to cache at all for the
>> CDN queries.
>>
>
> this is effectively the text in the draft:
>
> If the address of the client does not match any network in the cache,
> then the Recursive Resolver MUST behave as if no match was found and
> perform resolution as usual. This is necessary to avoid suboptimal
> replies in the cache from being returned to the wrong clients, and to
> avoid a single request coming from a client on a different network
> from polluting the cache with a suboptimal reply for all the users of
> that resolver.
>
This is why I believe compiling a list of DNS servers that support client
subnet is not enough. There should be another option to configure a list of
domains which support client subnet. Any records in these domains should
be cached in the secondary cache instead of the primary one.
>> There are two ways to look at this IMHO:
>> 1) The setup is broken, you can't have authorities answer differently
>> and always expect to have an optimal answer.
>>
>
> ? Isn't this exactly what a CDN dns server does?
>
>> 2) The draft is broken because it can not deal with this setup.
>>
>> I fail to see a way to fix this problem AND adhere to the draft AND
>> not cause unexpected failures for anyone else. I'm open for fresh
>> ideas though.
>>
>> Regards,
>> Yuri
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>
>
> /Miek
>
> --
> Miek Gieben
>
--
Kun YU
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone:+86 13466535220
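To make the two cache behaviours discussed in this thread concrete, here is an added illustration (not Unbound code, and not part of the original thread) of the draft's lookup rule for a subnet-scoped cache next to the per-domain whitelist proposed above: names under a configured ECS domain go to a secondary cache whose entries are only returned to clients inside the scope the authority answered for, while every other name uses the ordinary primary cache. The domain names, addresses and the `fake_upstream` authority are constructed for the example.

```python
import ipaddress

class EcsCache:
    # Secondary, subnet-scoped cache: an entry is returned only to a client
    # whose address lies inside the network the authority scoped it to.
    def __init__(self):
        self._entries = {}  # qname -> list of (ip_network, answer)

    def store(self, qname, answer, scope_network):
        self._entries.setdefault(qname, []).append(
            (ipaddress.ip_network(scope_network), answer))

    def lookup(self, qname, client_ip):
        addr, best = ipaddress.ip_address(client_ip), None
        for net, answer in self._entries.get(qname, []):
            # longest matching scope wins; no match -> None, i.e. the draft's
            # "behave as if no match was found and perform resolution as usual"
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, answer)
        return None if best is None else best[1]

class Resolver:
    # Names under the whitelisted ECS domains use the secondary cache,
    # everything else the ordinary primary cache (no ECS sent upstream).
    def __init__(self, ecs_domains, upstream):
        self.ecs_domains = tuple(d.lower().rstrip(".") for d in ecs_domains)
        self.primary, self.secondary = {}, EcsCache()
        self.upstream = upstream  # (qname, client_ip|None) -> (answer, scope|None)
        self.upstream_queries = 0  # how often we had to ask the authority

    def is_ecs_domain(self, qname):
        q = qname.lower().rstrip(".")
        return any(q == d or q.endswith("." + d) for d in self.ecs_domains)

    def resolve(self, qname, client_ip):
        if not self.is_ecs_domain(qname):
            if qname not in self.primary:
                self.upstream_queries += 1
                self.primary[qname] = self.upstream(qname, None)[0]
            return self.primary[qname]
        answer = self.secondary.lookup(qname, client_ip)
        if answer is None:
            self.upstream_queries += 1
            answer, scope = self.upstream(qname, client_ip)
            self.secondary.store(qname, answer, scope)
        return answer

def fake_upstream(qname, client_ip):
    # Constructed stand-in for an authority: an ECS query gets an answer
    # tailored to, and scoped to, the client's /16; a plain query gets one answer.
    if client_ip is None:
        return "generic", None
    net = ipaddress.ip_network(f"{client_ip}/16", strict=False)
    return f"{qname}@{net.network_address}", str(net)
```

With `Resolver(["cdn.example"], fake_upstream)`, clients in the same /16 share one cached answer for `www.cdn.example`, a client in another /16 forces a new upstream query, and `www.other.example` is answered from the primary cache for everyone.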