Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Miek Gieben
Tue Jan 6 16:16:23 CET 2015

[ Quoting <yukun2005 at> in "Re: [Unbound-users] How to config w..." ]
>> this is effectively the text in the draft:
>>    If the address of the client does not match any network in the cache,
>>    then the Recursive Resolver MUST behave as if no match was found and
>>    perform resolution as usual.  This is necessary to avoid suboptimal
>>    replies in the cache from being returned to the wrong clients, and to
>>    avoid a single request coming from a client on a different network
>>    from polluting the cache with a suboptimal reply for all the users of
>>    that resolver.
>This is why I believe compiling a list of DNS servers who support client
>subnet is not enough. There should be another option to config a list of
>domains which supports client subnet. Any records in these domains should
>be cached in secondary cache instead of the primary one.

While I can see where you are coming from, hardcoding this in a config
file is not an option.


Miek Gieben
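
The cache rule quoted from the draft in the message above, as an added example that is not part of the original post and not Unbound's code: answers are cached per client network, and a client whose address matches no cached network is treated as a cache miss. The class and function names, the /24 scope and all addresses are constructed for illustration.

```python
import ipaddress


class SubnetCache:
    """Answer cache keyed by query name and client network (hypothetical design)."""

    def __init__(self):
        self._entries = {}  # qname -> list of (network, answer)

    def store(self, qname, scope, answer):
        net = ipaddress.ip_network(scope, strict=False)
        self._entries.setdefault(qname.lower(), []).append((net, answer))

    def lookup(self, qname, client_ip):
        """Return the answer for the most specific network containing the
        client, or None when no cached network matches (treated as a miss)."""
        addr = ipaddress.ip_address(client_ip)
        best = None
        for net, answer in self._entries.get(qname.lower(), []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, answer)
        return best[1] if best else None


def resolve(cache, qname, client_ip, upstream):
    """Serve from the cache only on a network match; otherwise resolve as usual."""
    cached = cache.lookup(qname, client_ip)
    if cached is not None:
        return cached, "cache"
    scope, answer = upstream(qname, client_ip)
    cache.store(qname, scope, answer)  # scoped entry, not a resolver-wide one
    return answer, "upstream"


def fake_upstream(qname, client_ip):
    # Constructed authoritative behaviour: the answer depends on the client's /24.
    scope = ipaddress.ip_network(client_ip + "/24", strict=False)
    near = scope == ipaddress.ip_network("192.0.2.0/24")
    return str(scope), "198.51.100.10" if near else "198.51.100.20"


def demo():
    cache = SubnetCache()
    return [
        resolve(cache, "cdn.example.", "192.0.2.7", fake_upstream),    # first query
        resolve(cache, "cdn.example.", "192.0.2.99", fake_upstream),   # same network
        resolve(cache, "cdn.example.", "203.0.113.5", fake_upstream),  # other network
    ]
```

The third query is the case the draft text protects: the client on 203.0.113.0/24 does not receive the reply cached for 192.0.2.0/24, and its own reply is stored under its own scope.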