edns client subnet testing

Shawn Zhou shawnzhou00 at yahoo.com
Wed Feb 14 23:57:36 UTC 2018


Hello,
I am testing ecs support using unbound 1.6.4 and I face the same problem that another user reported back on May 6, 2015.
I have a CNAME record managed by my own authoritative server, which has edns support and returns the expected scope prefix-length (/16 in my example [1]); that record points to another CNAME, managed by AWS DNS, which responded with scope prefix-length /0. Unbound cached the response with scope prefix-length /0 rather than /16, and subsequent lookups for the same record with a different client-subnet got served from that cache. This is a bit surprising, as it is counter-intuitive not to use the max prefix-length from the whole chain for caching responses.
Is there a plan for unbound to implement using the max prefix-length from the whole chain for cache lookups?
Also, when unbound caches each of the lookups for records in the chain, does it have separate cache entries for each lookup or only one entry for the RRsets for the whole chain?


[1]
$ dig @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44886
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.65.177.7/32/0
;; QUESTION SECTION:
;egress01.insnw.net.        IN  A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN  CNAME   ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 600 IN    CNAME   nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-527.awsdns-01.net.

;; Query time: 1462 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:02 UTC 2018
;; MSG SIZE  rcvd: 324

$ dig @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10223
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;egress01.insnw.net.        IN  A

;; ANSWER SECTION:
egress01.insnw.net. 277 IN  CNAME   ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 577 IN    CNAME   nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-527.awsdns-01.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:25 UTC 2018
;; MSG SIZE  rcvd: 312

$ dig @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11138
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 45e8e0a01ad26d47ab5fd11c5a84c51ee9a8998944593e1d (good)
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;egress01.insnw.net.        IN  A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN  CNAME   ofetch01-fra02.svc.insnw.net.
ofetch01-fra02.svc.insnw.net. 600 IN    A   35.156.66.126

;; AUTHORITY SECTION:
insnw.net.      86400   IN  NS  ns2.insnw.net.
insnw.net.      86400   IN  NS  ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.      86400   IN  A   192.33.29.21
ns2.insnw.net.      86400   IN  A   192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Feb 14 23:24:14 UTC 2018
;; MSG SIZE  rcvd: 204

$ dig @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36514
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.65.177.7/32/0
;; QUESTION SECTION:
;nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. IN A

;; ANSWER SECTION:
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-527.awsdns-01.net.

;; Query time: 161 msec
;; SERVER: 2600:9000:5304:5600::1#53(2600:9000:5304:5600::1)
;; WHEN: Wed Feb 14 23:24:48 UTC 2018
;; MSG SIZE  rcvd: 262
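
The caching behaviour reported in the message above, as an added toy model that is not part of the original post and not Unbound's code: it compares keying a cached CNAME-chain answer on the last hop's scope with keying it on the largest scope seen in the chain. The `upstream` stub, the `EcsCache` class and the policy names `last` and `max` are hypothetical; the names, addresses and scopes are taken from the dig output in the post.

```python
import ipaddress

# Constructed stand-in for the authoritative servers in the post:
# insnw.net answers per /16 (scope 16); the syd02 target is a CNAME into
# a zone that answers with scope 0, the fra02 target stays in insnw.net.
def upstream(client_ip):
    """Return (final target name, list of scope prefix-lengths per hop)."""
    ip = ipaddress.ip_address(client_ip)
    if ip in ipaddress.ip_network("52.57.0.0/16"):
        return "ofetch01-fra02.svc.insnw.net.", [16, 16]
    return "nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.", [16, 0]


class EcsCache:
    """Subnet-aware cache; policy picks which scope of the chain keys the entry."""

    def __init__(self, policy):
        self.policy = policy      # "last" (hypothetical) or "max" (hypothetical)
        self.entries = {}         # qname -> list of (network, answer)

    def resolve(self, qname, client_ip):
        ip = ipaddress.ip_address(client_ip)
        # Serve from cache if any stored network covers this client.
        for net, answer in self.entries.get(qname, []):
            if ip in net:
                return answer, "cache"
        answer, scopes = upstream(client_ip)
        scope = scopes[-1] if self.policy == "last" else max(scopes)
        # Scope 0 becomes 0.0.0.0/0, i.e. the entry matches every client.
        net = ipaddress.ip_network(f"{client_ip}/{scope}", strict=False)
        self.entries.setdefault(qname, []).append((net, answer))
        return answer, "upstream"


def demo(policy):
    """Replay the two client subnets from the post against one cache."""
    cache = EcsCache(policy)
    clients = ("52.65.177.7", "52.57.28.138")
    return [cache.resolve("egress01.insnw.net.", ip) for ip in clients]


if __name__ == "__main__":
    for policy in ("last", "max"):
        print(policy, demo(policy))
```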
