Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Yuri Schaeffer
Wed Jan 7 23:23:48 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2015 07:32 PM, Over Dexia wrote:
> But I believe that would be mitigated by storing the no-ecs
> response with a source 0.0.0.0/0 (like Kun YU proposed) in the
> subnet cache. If all queries for that domain use this cache, the
> reply should be like intended.

Think about what having a scope netmask of 0 means:
	"The most specific answer available for your source IP has the first
0 bits in common with the address 0.0.0.0"

Thus any query will match this cache entry, which will result in the
same behaviour as the current implementation.

//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlStsfQACgkQI3PTR4mhavjOlACeLaRnZA849R3ZbZcRZcNY45dg
5uYAnAzrQzv7SsX6a44y/YM032KGk3Lm
=T1fI
-----END PGP SIGNATURE-----
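
The scope-0 matching described in the message above, as an added example that is not part of the original post and is not Unbound's code. `SubnetCache`, its methods and all names and addresses are hypothetical, constructed for illustration; it assumes a cache that returns the most specific stored prefix containing the client address.

```python
import ipaddress


class SubnetCache:
    """Toy ECS answer cache keyed by qname and scope prefix (hypothetical)."""

    def __init__(self):
        self._entries = {}  # qname -> list of (network, answer)

    def store(self, qname, scope_prefix, answer):
        # The scope netmask says how many leading bits of the client
        # address the answer is valid for.
        net = ipaddress.ip_network(scope_prefix, strict=False)
        self._entries.setdefault(qname, []).append((net, answer))

    def lookup(self, qname, client_ip):
        # Return the most specific entry whose first `prefixlen` bits
        # match the client address, or None on a cache miss.
        addr = ipaddress.ip_address(client_ip)
        best = None
        for net, answer in self._entries.get(qname, []):
            if addr.version != net.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, answer)
        return None if best is None else (str(best[0]), best[1])


def demo():
    cache = SubnetCache()
    # Constructed sample: authority that ignores ECS, stored with scope 0.
    cache.store("noecs.example.", "0.0.0.0/0", "192.0.2.10")
    # Constructed sample: ECS-aware authority with tailored answers.
    cache.store("cdn.example.", "198.51.100.0/24", "203.0.113.1")
    cache.store("cdn.example.", "198.51.0.0/16", "203.0.113.2")
    clients = ["198.51.100.7", "198.51.7.7", "10.1.2.3"]
    return {
        (q, c): cache.lookup(q, c)
        for q in ("noecs.example.", "cdn.example.")
        for c in clients
    }


if __name__ == "__main__":
    for key, hit in demo().items():
        print(key, "->", hit)
```

Every client hits the `0.0.0.0/0` entry because zero bits have to match, so that entry behaves like an ordinary cache entry with no subnet dimension.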