Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Yuri Schaeffer
Tue Jan 6 14:46:16 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Larry,

> I think the best way to avoid getting non ecs answers when ecs is 
> present would be to always pass the query to the ecs module.  Yes
> this would slow down non ecs queries, but would avoid the issue of
> returning a non ecs answer to an ecs query.  I think this should be
> acceptable to anyone who chooses to enable ECS.

I'm afraid this would not work sufficiently. Unbound does not know
which source addresses get handled incorrectly by the authority. Thus,
if no match is found in the subnet-cache it has no choice but to ask
the authority. Effectively Unbound won't be able to cache at all for
the CDN queries.

There are two ways to look at this IMHO:
1) The setup is broken, you can't have authorities answer differently
and always expect to have an optimal answer.
2) The draft is broken because it can not deal with this setup.

I fail to see a way to fix this problem AND adhere to the draft AND
not cause unexpected failures for anyone else. I'm open to fresh
ideas though.

Regards,
Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlSr5yQACgkQI3PTR4mhavjFdwCfSD/GSj4rMrtiyhniEByoL0tn
xR8An1JLJKKKuNvVLwvVXFbDRC96+2TN
=uPBX
-----END PGP SIGNATURE-----
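The caching behaviour Yuri describes can be made concrete with a small model of an ECS subnet cache. The block below is an added example written for this archive page; it is not Unbound's code and not part of the original thread. It assumes the RFC 7871 scope semantics (an answer is cached under the SCOPE network the authority returns, and a later query hits only if the client address falls inside a stored scope), and it constructs two hypothetical authorities: a CDN-style one that scopes every answer to the client's /24, and a plain one that returns scope 0. The client addresses and answer strings are constructed sample data.

```python
import ipaddress

# Constructed example (not Unbound's code): a toy model of an ECS subnet
# cache. Answers are stored under the SCOPE network the authority returned.
# A lookup hits only if the client's address lies inside one of the stored
# scope networks for that name; on a miss the resolver must ask the authority.

SOURCE_PREFIX_LEN = 24  # prefix length the resolver puts in the ECS option


class SubnetCache:
    def __init__(self):
        self._entries = {}  # qname -> list of (scope_network, answer)

    def lookup(self, qname, client_ip):
        addr = ipaddress.ip_address(client_ip)
        for scope_net, answer in self._entries.get(qname, []):
            if addr in scope_net:
                return answer
        return None

    def store(self, qname, scope_net, answer):
        self._entries.setdefault(qname, []).append((scope_net, answer))


def client_subnet(client_ip, prefix_len=SOURCE_PREFIX_LEN):
    """The ECS SOURCE network sent to the authority (host bits zeroed)."""
    return ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)


class Resolver:
    """Resolver that always consults the subnet cache before the authority."""

    def __init__(self, authority):
        self.cache = SubnetCache()
        # authority: callable(qname, source_net) -> (answer, scope_prefix_len)
        self.authority = authority
        self.authority_queries = 0

    def resolve(self, qname, client_ip):
        hit = self.cache.lookup(qname, client_ip)
        if hit is not None:
            return hit, "cache"
        source_net = client_subnet(client_ip)
        answer, scope_len = self.authority(qname, source_net)
        self.authority_queries += 1
        # The answer is valid for the SCOPE network: scope 0 means everyone,
        # a scope equal to the source prefix means only that subnet.
        scope_net = ipaddress.ip_network(
            f"{source_net.network_address}/{scope_len}", strict=False)
        self.cache.store(qname, scope_net, answer)
        return answer, "authority"


def cdn_authority(qname, source_net):
    """Hypothetical CDN-style authority: tailors the answer per /24 and
    echoes scope 24, so the answer is only valid for that subnet."""
    return f"edge-for-{source_net.network_address}", 24


def plain_authority(qname, source_net):
    """Hypothetical authority that ignores ECS: one answer for everyone,
    signalled by scope 0."""
    return "203.0.113.10", 0


# Constructed client addresses: two in the same /24, two elsewhere.
CLIENTS = ["192.0.2.7", "192.0.2.200", "198.51.100.5", "203.0.113.99"]


def run_demo(authority, clients=CLIENTS, qname="www.example.com"):
    """Return where each client's answer came from and the total number of
    authority queries the resolver had to make."""
    r = Resolver(authority)
    origins = [r.resolve(qname, ip)[1] for ip in clients]
    return origins, r.authority_queries


if __name__ == "__main__":
    print("CDN authority (scope /24):", run_demo(cdn_authority))
    print("plain authority (scope 0):", run_demo(plain_authority))
```

With the CDN-style authority every client outside an already-seen /24 misses the cache and triggers an authority query, which is the "won't be able to cache at all" outcome in the message above; with the scope-0 authority a single answer serves every later client. The resolver cannot tell in advance which kind of authority it is talking to, so routing every query through the subnet cache does not remove the extra upstream traffic.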