Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

A. Schulze sca at andreasschulze.de
Mon Apr 24 12:06:03 UTC 2017

Ralph Dolmans via Unbound-users:

> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.
Found it!
(for queries sent to IPv4 as well as IPv6 name servers)

and, surprise:
the data aren't unknown to Wireshark :-)

> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.
Isn't it better to document a security pitfall than to let users fall into it?
At least the doc may explicitly mention the security impact.

Other question (man 5 unbound.conf)

   ... When an answer contains the ECS option the response and the
   option are placed in a specialized cache.

I read it as:
   Unbound sends a query + ECS option to a nameserver. The response
   from the nameserver also contains an ECS option to indicate support.
   Unbound places the answer in a separate cache.

-> correct? -> why a separate cache?

thanks for your patience,
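An added illustration (not part of the original thread, nor Unbound's code) of why an ECS answer needs its own cache: the answer is keyed by the client prefix the authoritative server said it applies to (the SCOPE PREFIX-LENGTH from RFC 7871), so a cache keyed by qname alone would hand one client's tailored answer to every other client. Names and addresses below are constructed; the scope handling is a simplification of the RFC rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EcsAnswer:
    scope: int   # SCOPE PREFIX-LENGTH returned by the authoritative server
    rdata: str   # constructed answer data


class SubnetCache:
    """Cache keyed by (qname, address family, scope, network) rather than qname alone."""

    def __init__(self):
        self.entries = {}  # (qname, ip version, scope) -> {network: rdata}

    def store(self, qname, client_ip, source_prefix, answer):
        ip = ipaddress.ip_address(client_ip)
        # The answer is valid for the client address truncated to SCOPE bits.
        # Simplification: never cache under more bits than the query sent.
        scope = min(answer.scope, source_prefix)
        net = ipaddress.ip_network((ip, scope), strict=False)
        self.entries.setdefault((qname, ip.version, scope), {})[net] = answer.rdata

    def lookup(self, qname, client_ip):
        ip = ipaddress.ip_address(client_ip)
        # Most specific scope first; scope 0 means "same answer for everyone".
        for (name, version, scope), nets in sorted(
            self.entries.items(), key=lambda kv: -kv[0][2]
        ):
            if name != qname or version != ip.version:
                continue
            net = ipaddress.ip_network((ip, scope), strict=False)
            if net in nets:
                return nets[net]
        return None  # cache miss: the resolver must ask upstream again


def demo():
    cache = SubnetCache()
    # Constructed responses: one tailored to a /24, one to a /16, one global (scope 0).
    cache.store("www.example", "192.0.2.10", 24, EcsAnswer(scope=24, rdata="203.0.113.1"))
    cache.store("www.example", "198.51.100.7", 24, EcsAnswer(scope=16, rdata="203.0.113.2"))
    cache.store("static.example", "192.0.2.10", 24, EcsAnswer(scope=0, rdata="203.0.113.9"))
    return {
        "same /24": cache.lookup("www.example", "192.0.2.200"),   # hit: 203.0.113.1
        "same /16": cache.lookup("www.example", "198.51.77.1"),   # hit: 203.0.113.2
        "other net": cache.lookup("www.example", "10.0.0.1"),     # miss: None
        "scope 0": cache.lookup("static.example", "10.0.0.1"),    # hit: 203.0.113.9
    }
```

The "other net" miss is the point: a qname-only cache would have returned 203.0.113.1 to the 10.0.0.1 client, which is exactly the wrong answer ECS was meant to avoid.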

