Unbound 1.6.2rc1 pre-release (EDNS-Subnet)
A. Schulze
sca at andreasschulze.de
Mon Apr 24 12:06:03 UTC 2017
Ralph Dolmans via Unbound-users:
> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.
found it!
(for queries sent to IPv4 as well as IPv6 name servers)
and, surprise:
the data aren't unknown to Wireshark :-)
> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.
Isn't it better to document a security pitfall than let users stumble into it?
At least the doc may explicitly mention the security impact.
Another question (man 5 unbound.conf):
... When an answer contains the ECS option the response and the
option are placed in a specialized cache.
I read it as:
Unbound sends a query + ECS option to a nameserver. The response from the nameserver
also contains an ECS option to indicate support. Unbound places the answer in a separate cache.
-> correct? -> why a separate cache?
thanks for your patience,
Andreas