Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Over Dexia
Tue Jan 6 19:32:14 CET 2015


On 06.01.2015 at 18:06, Larry Havemann wrote:
> How about adding a flag to the rrset cache for each authority.  If the
> flag shows ecs support pass it to that module if not send it to regular
> cache.  Ask every authority not in the rrset cache if it supports ecs
> before sending it the query.

That would induce the penalty of consulting the ecs module first for all
domains supporting it, even if it isn't required by the query, which was
to be avoided...

Also there's Yuri's objection against using ecs always:

On 06.01.2015 at 14:46, Yuri Schaeffer wrote:
> I'm afraid this would not work sufficiently. Unbound does not know
> which source addresses get handled incorrectly by the authority. Thus,
> if no match is found in the subnet-cache, it has no choice but to ask the
> authority. Effectively Unbound won't be able to cache at all for the
> CDN queries.

But I believe that would be mitigated by storing the no-ecs response
with a source 0.0.0.0/0 (like Kun YU proposed) in the subnet cache. If
all queries for that domain use this cache, the reply should be like
intended.

regards, jo.
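The caching behaviour argued over in this thread, modelled as an added Python example (not Unbound's code, and not anything posted by the list participants): a subnet cache does a longest-prefix lookup on the client address, and an answer that came back without ECS (scope 0) is stored under 0.0.0.0/0 (and ::/0 for IPv6 clients) so that every later client for that name hits the cache instead of going back to the authority. The authority behaviour, the source prefix lengths and all addresses are constructed for the demonstration; the capping of a scope longer than the sent prefix is a simplification, not RFC-mandated handling.

```python
"""Model of an ECS-aware subnet cache where non-ECS answers are cached under /0."""
import ipaddress


class SubnetCache:
    """qname -> list of (scope network, answer).

    The network is the scope the authority returned for that answer. A scope of 0
    is stored as 0.0.0.0/0 and ::/0 so it matches any client of either family.
    """

    def __init__(self):
        self.entries = {}

    def store(self, qname, answer, scope_net):
        self.entries.setdefault(qname, []).append((ipaddress.ip_network(scope_net), answer))

    def lookup(self, qname, client_ip):
        addr = ipaddress.ip_address(client_ip)
        best = None
        for net, answer in self.entries.get(qname, []):
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, answer)  # most specific scope wins
        return None if best is None else best[1]


class Resolver:
    """Toy resolver: consult the subnet cache, else ask the (fake) authority with ECS."""

    def __init__(self, authority, source_prefix_v4=24, source_prefix_v6=56):
        self.cache = SubnetCache()
        self.authority = authority
        self.source_prefix = {4: source_prefix_v4, 6: source_prefix_v6}
        self.upstream_queries = 0  # how often we had to go to the authority

    def resolve(self, qname, client_ip):
        hit = self.cache.lookup(qname, client_ip)
        if hit is not None:
            return hit
        addr = ipaddress.ip_address(client_ip)
        client_net = ipaddress.ip_network(
            f"{client_ip}/{self.source_prefix[addr.version]}", strict=False)
        answer, scope = self.authority(qname, client_net)
        self.upstream_queries += 1
        if scope == 0:
            # No ECS in the reply (or scope 0): valid for everyone, so store it
            # under the catch-all networks and stop asking the authority.
            for any_net in ("0.0.0.0/0", "::/0"):
                self.cache.store(qname, answer, any_net)
        else:
            # Simplification: never accept a scope narrower than what we sent.
            scope = min(scope, client_net.prefixlen)
            scope_net = ipaddress.ip_network(f"{client_ip}/{scope}", strict=False)
            self.cache.store(qname, answer, str(scope_net))
        return answer


def fake_authority(qname, client_net):
    """Constructed authority: cdn.example tailors answers per client /24 (scope 24);
    plain.example ignores ECS entirely and answers with scope 0."""
    if qname == "cdn.example":
        return f"198.51.100.{client_net.network_address.packed[2]}", 24
    return "203.0.113.10", 0


def run_scenario():
    """Return cache behaviour for an ECS-unaware and an ECS-aware name."""
    r = Resolver(fake_authority)
    plain = [r.resolve("plain.example", ip) for ip in ("192.0.2.5", "10.1.7.9", "2001:db8::1")]
    plain_upstream = r.upstream_queries
    cdn = [r.resolve("cdn.example", ip) for ip in ("192.0.2.5", "192.0.2.77", "10.1.7.9")]
    return {
        "plain_answers": plain,
        "plain_upstream": plain_upstream,
        "cdn_answers": cdn,
        "cdn_upstream": r.upstream_queries - plain_upstream,
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the /0 entry in place the ECS-unaware name costs one authority query for all three clients, including the IPv6 one, while the ECS-aware name still costs one query per distinct /24, which is the trade-off the message above describes.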