Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Tue Jan 6 16:39:50 CET 2015

Recall this option: "send-client-subnet: <IP address>"
Although the send-client-subnet option supports IP prefixes, it's not easy to
aggregate DNS servers that support ECS.
It's safe to assume the number of DNS servers and the number of domains
that support ECS are comparable. Thus compiling a list of domains with ECS
support in the config file is totally possible, especially when ECS is not
widely used nowadays.

On Tue, Jan 6, 2015 at 11:16 PM, Miek Gieben <miek at> wrote:

> [ Quoting <yukun2005 at> in "Re: [Unbound-users] How to config
> w..." ]
>> this is effectively the text in the draft:
>>>    If the address of the client does not match any network in the cache,
>>>    then the Recursive Resolver MUST behave as if no match was found and
>>>    perform resolution as usual.  This is necessary to avoid suboptimal
>>>    replies in the cache from being returned to the wrong clients, and to
>>>    avoid a single request coming from a client on a different network
>>>    from polluting the cache with a suboptimal reply for all the users of
>>>    that resolver.
>> This is why I believe compiling a list of DNS servers who support client
>> subnet is not enough. There should be another option to config a list of
>> domains which support client subnet. Any records in these domains should
>> be cached in a secondary cache instead of the primary one.
> While I can see where you are coming from, hardcoding this in a config
> file is not an option.
> /Miek
> --
> Miek Gieben

Kun YU
Ph.D. Candidate, Department of Electronic Engineering, Tsinghua University,
Beijing, 100084, China.
Mobile Phone:+86 13466535220
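To make the cache rule in the quoted draft text, and the per-domain list proposed above, concrete, here is an added Python sketch. It is not Unbound's code: the `ecs_zones` whitelist, the names and the addresses are constructed for illustration. Names under a listed zone go into a scoped cache keyed by the network the upstream answered for (longest prefix wins, and a client outside every cached network is a miss, as the draft requires); everything else uses the ordinary global cache.

```python
# Added example (not Unbound's code): an ECS-aware cache that follows the
# quoted draft rule, with a per-domain list deciding which names use it.
import ipaddress
from dataclasses import dataclass


@dataclass
class EcsEntry:
    network: object   # ipaddress network: the scope the upstream answered for
    answer: tuple     # RDATA strings (constructed sample data)


def _norm(name):
    return name.lower().rstrip(".")


class EcsCache:
    """Two caches: a global one, and a scoped one for names under ECS zones."""

    def __init__(self, ecs_zones):
        # Hypothetical per-domain whitelist (what the post asks for).
        self.ecs_zones = tuple(_norm(z) for z in ecs_zones)
        self.global_cache = {}   # (qname, qtype) -> answer
        self.ecs_cache = {}      # (qname, qtype) -> [EcsEntry, ...]

    def uses_ecs(self, qname):
        name = _norm(qname)
        return any(name == z or name.endswith("." + z) for z in self.ecs_zones)

    def store(self, qname, qtype, answer, client_ip=None, scope_prefix=None):
        key = (_norm(qname), qtype)
        if not self.uses_ecs(qname):
            self.global_cache[key] = tuple(answer)
            return
        if client_ip is None or scope_prefix is None:
            raise ValueError("ECS zone answers need the client address and scope")
        # SCOPE PREFIX-LENGTH 0 means the answer is valid for every client;
        # ip_network((addr, 0)) collapses to 0.0.0.0/0 or ::/0, so it still
        # matches in lookup() without a special case.
        net = ipaddress.ip_network((client_ip, scope_prefix), strict=False)
        entries = self.ecs_cache.setdefault(key, [])
        entries[:] = [e for e in entries if e.network != net]
        entries.append(EcsEntry(net, tuple(answer)))

    def lookup(self, qname, qtype, client_ip):
        key = (_norm(qname), qtype)
        if not self.uses_ecs(qname):
            return self.global_cache.get(key)
        client = ipaddress.ip_address(client_ip)
        best = None
        for e in self.ecs_cache.get(key, []):
            if e.network.version == client.version and client in e.network:
                if best is None or e.network.prefixlen > best.network.prefixlen:
                    best = e
        # Draft rule: no matching network -> behave as if nothing is cached.
        return best.answer if best else None


def demo():
    """Constructed sample data; returns what each client would be served."""
    cache = EcsCache(["cdn.example"])
    # Non-ECS name: one answer for everyone.
    cache.store("www.example", "A", ["203.0.113.1"])
    # ECS name: upstream returned scope /24 for one client, /16 for another.
    cache.store("www.cdn.example", "A", ["192.0.2.10"],
                client_ip="192.0.2.55", scope_prefix=24)
    cache.store("www.cdn.example", "A", ["198.51.100.20"],
                client_ip="198.51.100.7", scope_prefix=16)
    # ECS name answered with scope 0: upstream says "same for everyone".
    cache.store("static.cdn.example", "A", ["192.0.2.99"],
                client_ip="192.0.2.55", scope_prefix=0)
    return {
        "global_any_client": cache.lookup("www.example", "A", "10.9.8.7"),
        "same_24": cache.lookup("www.cdn.example", "A", "192.0.2.200"),
        "same_16": cache.lookup("www.cdn.example", "A", "198.51.7.7"),
        "no_match": cache.lookup("www.cdn.example", "A", "10.9.8.7"),
        "v6_client": cache.lookup("www.cdn.example", "A", "2001:db8::1"),
        "scope0": cache.lookup("static.cdn.example", "A", "10.9.8.7"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `no_match` and `v6_client` cases are the point of the draft paragraph: a client from a network the resolver has never asked about gets a miss and a fresh upstream query, rather than another network's answer. The zone list is what keeps a tailored answer for `www.cdn.example` out of the global cache, where it would be served to every client.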