Maintained by: NLnet Labs

[Unbound-users] edns client subnets

Larry Havemann
Fri May 2 22:00:25 CEST 2014


Hi Yuri,

I've done a bit of testing with this and found a few issues.

1) The returned record does not update based on geoip when using different
subnets.  This happens only when the first request for a given name does not
have a client subnet passed with it:

root at dnsr001:~/src/edns-subnet# /EdgeCast/ecdns/bin/dig_iana +ttl
@localhost gp1.wpc.edgecastcdn.net

; <<>> DiG 9.9.3-P1 <<>> +ttl @localhost gp1.wpc.edgecastcdn.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43765
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gp1.wpc.edgecastcdn.net. IN A

;; ANSWER SECTION:
gp1.wpc.edgecastcdn.net. 3600 IN A 72.21.81.253

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 02 19:48:02 UTC 2014
;; MSG SIZE  rcvd: 68

root at dnsr001:~/src/edns-subnet# cd util/data/^C
root at dnsr001:~/src/edns-subnet# /EdgeCast/ecdns/bin/dig_iana +ttl
@localhost gp1.wpc.edgecastcdn.net  +client=110.232.0.0/24

; <<>> DiG 9.9.3-P1 <<>> +ttl @localhost gp1.wpc.edgecastcdn.net +client=
110.232.0.0/24
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 110.232.0.0/24/0
;; QUESTION SECTION:
;gp1.wpc.edgecastcdn.net. IN A

;; ANSWER SECTION:
gp1.wpc.edgecastcdn.net. 3591 IN A 72.21.81.253

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 02 19:48:11 UTC 2014
;; MSG SIZE  rcvd: 79

root at dnsr001:~/src/edns-subnet# unbound-control flush
gp1.wpc.edgecastcdn.net
ok

root at dnsr001:~/src/edns-subnet# /EdgeCast/ecdns/bin/dig_iana +ttl
@localhost gp1.wpc.edgecastcdn.net  +client=110.232.0.0/24

; <<>> DiG 9.9.3-P1 <<>> +ttl @localhost gp1.wpc.edgecastcdn.net +client=
110.232.0.0/24
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 110.232.0.0/24/19
;; QUESTION SECTION:
;gp1.wpc.edgecastcdn.net. IN A

;; ANSWER SECTION:
gp1.wpc.edgecastcdn.net. 3600 IN A 117.18.232.133

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 02 19:48:56 UTC 2014
;; MSG SIZE  rcvd: 79



2) The TTL returned when edns-subnet is passed does not change over time:

At one point I had a working patch to fix this issue, however I am unable
to find the whole patch at this time.  I do have a small patch that sets
the correct ttl in the reply from edns-subnet/subnetmod.c to
utils/data/msgreply.c, however I'm missing the msgreply.c piece that
correctly sets the response (see attached patch for the first part).  I
believe this is happening because the cache tree for client-subnets is
different from the standard cache tree.

root at dnsr001:~/src/edns-subnet# date; /EdgeCast/ecdns/bin/dig_iana
@localhost gp1.wpc.edgecastcdn.net  +client=110.232.0.0/24
Fri May  2 16:23:20 UTC 2014

; <<>> DiG 9.9.3-P1 <<>> @localhost gp1.wpc.edgecastcdn.net +client=
110.232.0.0/24
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33335
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 110.232.0.0/24/19
;; QUESTION SECTION:
;gp1.wpc.edgecastcdn.net. IN A

;; ANSWER SECTION:
gp1.wpc.edgecastcdn.net. 3600 IN A 117.18.232.133

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 02 16:23:20 UTC 2014
;; MSG SIZE  rcvd: 79

root at dnsr001:~/src/edns-subnet# date; /EdgeCast/ecdns/bin/dig_iana
@localhost gp1.wpc.edgecastcdn.net  +client=110.232.0.0/24
Fri May  2 16:29:49 UTC 2014

; <<>> DiG 9.9.3-P1 <<>> @localhost gp1.wpc.edgecastcdn.net +client=
110.232.0.0/24
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 110.232.0.0/24/19
;; QUESTION SECTION:
;gp1.wpc.edgecastcdn.net. IN A

;; ANSWER SECTION:
gp1.wpc.edgecastcdn.net. 3600 IN A 117.18.232.133

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 02 16:29:49 UTC 2014
;; MSG SIZE  rcvd: 79

3) unbound-control marks all edns-subnet hits as misses:
root at dnsr001:~/src/edns-subnet# unbound-control stats_noreset
thread0.num.queries=5
thread0.num.cachehits=0
thread0.num.cachemiss=5
thread0.num.prefetch=0
thread0.num.recursivereplies=5
thread0.requestlist.avg=0
thread0.requestlist.max=0
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
thread0.requestlist.current.all=0
thread0.requestlist.current.user=0
thread0.recursion.time.avg=0.000522
thread0.recursion.time.median=6.25e-07
total.num.queries=5
total.num.cachehits=0
total.num.cachemiss=5
total.num.prefetch=0
total.num.recursivereplies=5
total.requestlist.avg=0
total.requestlist.max=0
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=0.000522
total.recursion.time.median=6.25e-07
time.now=1399048264.960805
time.up=616.002507
time.elapsed=616.002507

May 02 16:29:49 unbound[13363:0] info: 127.0.0.1 gp1.wpc.edgecastcdn.net. A
IN
May 02 16:29:49 unbound[13363:0] debug: udp request from ip4 127.0.0.1 port
50867 (len 16)
May 02 16:29:49 unbound[13363:0] debug: mesh_run: start
May 02 16:29:49 unbound[13363:0] debug: subnet[module 0] operate:
extstate:module_state_initial event:module_event_new
May 02 16:29:49 unbound[13363:0] info: subnet operate: query
gp1.wpc.edgecastcdn.net. A IN
May 02 16:29:49 unbound[13363:0] debug: subnet: answered from cache
-Larry


On Thu, May 1, 2014 at 1:52 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:

>
> Hi Larry,
>
> > I was wondering if there was a timeline for completing this
> > addition to unbound.  Looking at the svn branch for edns client
> > subnets it looks like the last commit was about 6 months
> > ago(2013/11/19).
>
> There have been no commits to this branch since then because the
> feature is complete. We've been in a catch-22: To our knowledge nobody
> actually tried to use it so we are hesitant to call it production
> code, but everyone interested seems to wait until we call it
> production code.
>
> To get out of this situation we've decided to include it as a patch in
> contrib/ of the regular release. We do however need to do some work to
> get it there (think continuous integration tests). I don't have a clear
> timeline for it as it is low priority, but I intend to allocate some
> time for it each week.
>
> Regards,
> Yuri
A non-text attachment was scrubbed...
Name: subnetmod.c-patch
Type: application/octet-stream
Size: 384 bytes
Desc: not available
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20140502/a61a62e6/attachment.obj>
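As an added illustration of the three points in Larry's report (not his patch and not Unbound's own code), the following Python model encodes and decodes the EDNS Client Subnet option (option code 8, RFC 7871 wire format) and shows the behaviour a subnet-aware cache is expected to have: an answer is stored under the scope prefix the authority returned, a later query from a different subnet within that scope is a hit, the remaining TTL counts down from the time the answer was cached, and hits and misses are counted separately. The name, subnet, scope and address values are taken from the dig output above; the timestamps are constructed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def build_ecs(subnet, scope=0):
    """Encode the ECS option payload for a network such as '110.232.0.0/24'.
    Only the address octets covered by the source prefix length are sent."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]


def parse_ecs(payload):
    """Decode an ECS payload back into (network, scope_prefix_length)."""
    family, source, scope = struct.unpack("!HBB", payload[:4])
    addr = payload[4:] + b"\x00" * ((4 if family == 1 else 16) - len(payload[4:]))
    return ipaddress.ip_network((ipaddress.ip_address(addr), source), strict=False), scope


class ScopedCache:
    """Toy model of a subnet-aware answer cache (constructed for this example):
    entries are keyed by name plus the scope prefix the authority returned,
    the TTL counts down from the time the answer was stored, and hits are
    counted separately from misses."""

    def __init__(self):
        self.entries = {}  # name -> [(scoped_network, rdata, ttl, stored_at)]
        self.hits = 0
        self.misses = 0

    def store(self, name, ecs_payload, rdata, ttl, now):
        net, scope = parse_ecs(ecs_payload)
        # The authority's scope, not the client's source prefix, decides reuse.
        scoped = ipaddress.ip_network((net.network_address, scope), strict=False)
        self.entries.setdefault(name, []).append((scoped, rdata, ttl, now))

    def lookup(self, name, client_subnet, now):
        client = ipaddress.ip_network(client_subnet, strict=False)
        for scoped, rdata, ttl, stored_at in self.entries.get(name, []):
            remaining = ttl - int(now - stored_at)  # TTL must shrink over time
            if remaining > 0 and client.version == scoped.version and client.subnet_of(scoped):
                self.hits += 1
                return rdata, remaining
        self.misses += 1
        return None
```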