Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnetin unbound

Wed Dec 24 10:07:52 CET 2014

Hi Larry, Yuri
After a few days of testing, I'm afraid that this branch is not ready for
production use yet. First, just like Larry has pointed out, RTT value in
ECS cache does not decrease.
Second, when a domain supports ECS partially, unbound may cache suboptimal
results. For instance, supports ECS in China, i.e. all name
servers of in China responses correctly when ECS is set in the
query. But uses Akamai to deliver contents outside China. When
unbound receives a query of with client=, the name
server of will redirect this query to Akamai. As we all know, Akamai
doesn's support ECS, so name server of Akamai will rerurn a resource record
without ECS option. This record ends up in the ordinary cache of unbount!
How did I find out this record is cached in the ordinary cache? Because the
TTL value of this records does decrease!
So subsequent queries of without ECS option will be replied with an
IP address in America! This may cause severe performance downgrade.
A more specific example:
dig @
;; ANSWER SECTION: 300 IN A  <= IP in Beijing China

./dig @ +client=
; EDNS: version: 0, flags:; udp: 4096
; IN A

;; ANSWER SECTION: 300 IN A <= IP in another city of China

So far so good, now ask unbound with an IP address in America:

./dig @ +client=
; EDNS: version: 0, flags:; udp: 4096
; IN A

;; ANSWER SECTION: 299 IN CNAME 21600 IN CNAME 20 IN A  <= Akamai's IP address 20 IN A

Now query unbound without ECS option:
./dig @
;; ANSWER SECTION: 292 IN CNAME 21593 IN CNAME 13 IN A  <= Still Akamai's address! 13 IN A

;; Query time: 0 msec <= get result from cache

In this way, unbound stores a sub optimal record in the main cache,
subsequent queries will all get this record. This is not acceptable because
it will cause too much inter-continent traffic.
Since ECS is not a RFC yet, I assume partial support of ECS is quite
common. Return sub optimal results to clients can cause serious performance
IMHO, unbound should provide a way to config which domain should be stored
in ECS cache. In this way, even some of the name servers of a domain do not
support ECS, all the records of this domain will be stored in ECS cache.
Records without ECS information will have a subnet of The best
choice can be determined by longest prefix match of client subnet.


On Fri, Dec 19, 2014 at 2:03 AM, Larry Havemann <larry at> wrote:

> Just a simple warning on using this branch, none of the issues detailed in
> this mailing list thread have been addressed:
> -Larry
> -Larry
> On Thu, Dec 18, 2014 at 2:13 AM, Yuri Schaeffer <yuri at> wrote:
>> Hash: SHA1
>> > very thanks. Do the unbound cache the result that contain
>> > edns-client-subnet information?
>> Yes!
>> It has an additional cache for ECS responses. For performance reasons
>> lookups in this cache are only done when there are reasons to believe
>> it is necessary. I.e. 1) When an answer is not found in the regular
>> cache and the authority server is whitelisted. or 2) The client
>> includes ECS option.
>> //Yuri
>> Version: GnuPG v1
>> WcUAn3zQ0WDD9lsonKs3XdB8PKmEmXjM
>> =3o06
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at

Kun YU
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone:+86 13466535220
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>