Maintained by: NLnet Labs

[Unbound-users] edns client subnets

Yuri Schaeffer
Sat May 3 01:55:14 CEST 2014

Hash: SHA1

Hi Larry,

Thank you, this is very useful indeed!

> 1) The returned record does not update based on geoip when using 
> different subnets.  This happen only when the first request a given
> name does not have a client subnet passed with it:
> 1) dig: answer x 2) dig +client: answer x ( 3)
> flush cache 4) dig +client: answer y (

I'm aware of this and don't consider it an issue. It is doing best
effort for ECS queries to non whitelisted servers, but does not go the
extra mile to get an optimal answer. A quick explanation on what is

at 1) the query is not in the cache, a full recurse is started. Since
you don't have the particular authority whitelisted no ECS is passed
to it. The answer will end up in the regular cache. Subsequent queries
are looked up in that cache directly without going to the whole module
chain, making it cheap.

at 2) ECS is passed in the query, this time the initial cache lookup
is skipped as ECS queries are in a secondary cache. Of course this
cache is empty and thus a full recurse is started. This recurse grabs
records from the cache as much as possible and indeed, the record is
in the cache and no packets need to go over the wire.

Had the server been whitelisted, unbound would have sent ECS to it in
step 1). And the answer would not end up in the regular cache.

> 2) The TTL returned when edns-subnet is passed does not change over
> time: 3) unbound-control marks all edns-subnet hits as misses:

Indeed! I had not considered this before. I see what I can do after
the weekend. Thanks for reporting your findings.

Version: GnuPG v1
Comment: Using GnuPG with Icedove -