Maintained by: NLnet Labs

[Unbound-users] ends client subnet testing

DeJong, Steve
Thu May 7 22:20:57 CEST 2015

On 5/7/15, 11:47 AM, "Yuri Schaeffer" <yuri at> wrote:

>I don't think I'd agree.

Yuri, we see this kind of setup frequently with www records. The
authoritative zone will have www be an ECS capable record that will give
back CNAME records depending on the geographic location of the client.  In
many cases those CNAMEs will point to a CDN or other hosting provider
outside the zone and often on a different authoritative resolver. The
actual A record referenced may not support ECS queries or may not provide
ECS information in the response.

Client A from NewYork looks up
ECS enabled recursor (Unbound) asks the authoritative for
with subnet information
Auth resolver responds with ECS specific CNAME for a CDN in eastern United
States with appropriate source and scope masks
Unbound chases the CNAME to get the address again providing subnet
Auth resolver either doesn¹t support ECS or chooses to set the scope mask
to 0 for the A record response

At this point Unbound has a CNAME that is ECS specific and an A that is
not. It will use the 0 scope for the CNAME as well as the A and cache the

Now client B from London looks up
Unbound has a cached response that technically is an ECS specific CNAME
for the eastern US - but because the scope mask was 0 on the A record
chase the server hands that answer back to the London client.

Probably not the result the owner of was intending.