Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnetin unbound

Miek Gieben
Tue Jan 6 15:07:48 CET 2015

[ Quoting <yuri at> in "Re: [Unbound-users] How to config w..." ]
>Hi Larry,
>> I think the best way to avoid getting non ecs answers when ecs is 
>> present would be to always pass the query to the ecs module.  Yes
>> this would slow down non ecs queries, but would avoid the issue of
>> returning a non ecs answer to an ecs query.  
>> acceptable to anyone who chooses to enable ECS.
>I'm afraid this would not work sufficiently. Unbound does not know
>which source addresses get handled incorrectly by the authority. Thus,
>if no match is found in the subnet-cache has no choice than to ask the
>authority. Effectively Unbound won't be able to cache at all for the
>CDN queries.

this is effectively the text in the draft:

    If the address of the client does not match any network in the cache,
    then the Recursive Resolver MUST behave as if no match was found and
    perform resolution as usual.  This is necessary to avoid suboptimal
    replies in the cache from being returned to the wrong clients, and to
    avoid a single request coming from a client on a different network
    from polluting the cache with a suboptimal reply for all the users of
    that resolver.

>There are two ways to look at this IMHO:
>1) The setup is broken, you can't have authorities answer differently
>and always expect to have an optimal answer.

? Isn't this exactly what a CND dns server does?

>2) The draft is broken because it can not deal with this setup.
>I fail to see a way to fix this problem AND adhere to the draft AND
>not cause unexpected failures for anyone else. I'm open for fresh
>ideas though.
>Unbound-users mailing list
>Unbound-users at


Miek Gieben