Maintained by: NLnet Labs

[Unbound-users] How to config whitelist for EDNS client subnet in unbound

Larry Havemann
Wed Jan 7 23:41:48 CET 2015


On Tue, Jan 6, 2015 at 10:32 AM, Over Dexia <over at dexia.de> wrote:

> On 06.01.2015 at 18:06, Larry Havemann wrote:
> > How about adding a flag to the rrset cache for each authority.  If the
> > flag shows ecs support pass it to that module if not send it to regular
> > cache.  Ask every authority not in the rrset cache if it supports ecs
> > before sending it the query.
>
> That would induce the penalty of consulting the ecs module first for all
> domains supporting it, even if it isn't required by the query, which was
> to be avoided...
>
>
The idea here is to use the ecs module more when enabled, not less.  The
rrset cache is shared between the ecs module and normal unbound.  So asking
the rrset cache if the authority supports ecs before querying the authority
does not touch the ecs module.  The penalty you would take with this
approach is if the authority is not yet in the rrset cache you would have
to ask it if it supports ecs.  But again, so long as it is documented
anyone enabling ecs should know there will be a small penalty.

-Larry