I don't think that's the right behavior. If Client Subnet scope is set to 0, the resolver should not cache it. Unbound DNS gives me the expected output, as its cache has different entries for different client subnets. Why is pdns recursor's implementation different?

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30374
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22

;; Query time: 38 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:39 GMT 2017
;; MSG SIZE rcvd: 177

root@DFW01-CPS02:~# dig @localhost morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15379
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183

;; AUTHORITY SECTION:
insnw.net. 86382 IN NS ns2.insnw.net.
insnw.net. 86382 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86382 IN A 192.33.29.21
ns2.insnw.net. 86382 IN A 192.33.29.22

;; Query time: 133 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:57 GMT 2017
;; MSG SIZE rcvd: 191

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16040
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3578 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 578 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86378 IN NS ns2.insnw.net.
insnw.net. 86378 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86378 IN A 192.33.29.21
ns2.insnw.net. 86378 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:58:01 GMT 2017
;; MSG SIZE rcvd: 177

root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3792
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:08 GMT 2017
;; MSG SIZE rcvd: 177

root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53600
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3593 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 593 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86393 IN NS ns2.insnw.net.
insnw.net. 86393 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86393 IN A 192.33.29.21
ns2.insnw.net. 86393 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:15 GMT 2017
;; MSG SIZE rcvd: 177

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21641
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3501 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 501 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86301 IN NS ns2.insnw.net.
insnw.net. 86301 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86301 IN A 192.33.29.21
ns2.insnw.net. 86301 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:18 GMT 2017
;; MSG SIZE rcvd: 177

root@DFW01-CPS02:~# dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12099
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b537fab859d0a708de980e0b59824b5bf67f0190c854a967 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183

;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Aug 02 21:59:55 GMT 2017
;; MSG SIZE rcvd: 231

root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10178
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A

;; ANSWER SECTION:
morpheus-ien.insnw.net. 3459 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 459 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86259 IN NS ns2.insnw.net.
insnw.net. 86259 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86259 IN A 192.33.29.21
ns2.insnw.net. 86259 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 22:00:00 GMT 2017
;; MSG SIZE rcvd: 177

On Wednesday, August 2, 2017, 2:02:43 AM PDT, Remi Gacogne <[email protected]> wrote:

Hi Shawn,

On 08/02/2017 08:47 AM, Shawn Zhou wrote:
> Sorry. I meant the authoritative nameserver did respond with the correct
> answer.

The authoritative server answers with an EDNS Client Subnet scope set to 0 when we send a query with a source set to 127.0.0.1/32, meaning that we can cache the answer and use it for any source:

$ dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.2 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41118
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b560d095f78df047eb13a9a85981941eb2b38c5376e87bb2 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
[...]

Once this answer is in our cache, we will use it until it expires and won't look for most specific answers, regardless of the ECS value of the query.

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
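The two cache behaviours argued over in this thread, as a toy model added here for illustration (it is not code from PowerDNS Recursor or Unbound). The names EcsCache, scope_zero_wins and replay are hypothetical, TTL expiry is not modelled, and the client addresses 35.157.1.1 and 198.51.100.7 are constructed; the scopes and A records are the ones in the dig output above.

```python
import ipaddress

QNAME = "morpheus-ien.insnw.net"
# (ECS source sent upstream, scope prefix length returned, final A record),
# as seen in the dig output quoted in this thread.
RESPONSES = [
    ("52.57.28.138", 16, "35.156.66.126"),
    ("35.156.66.126", 14, "35.156.66.126"),
    ("127.0.0.1", 0, "192.33.31.183"),
]


class EcsCache:
    """Answer cache keyed by name and by the scope network of each answer."""

    def __init__(self, scope_zero_wins):
        # True: a cached scope-0 answer is served to every client (the
        # behaviour described in the reply). False: longest prefix wins.
        self.scope_zero_wins = scope_zero_wins
        self.entries = {}  # qname -> {scope network: answer}

    def store(self, qname, source, scope_len, answer):
        # Truncate the ECS source to the scope the authoritative returned.
        net = ipaddress.ip_network(f"{source}/{scope_len}", strict=False)
        self.entries.setdefault(qname, {})[net] = answer

    def lookup(self, qname, client):
        addr = ipaddress.ip_address(client)
        nets = self.entries.get(qname, {})
        hits = [n for n in nets if n.version == addr.version and addr in n]
        if not hits:
            return None  # cache miss: the resolver has to ask upstream
        zero = [n for n in hits if n.prefixlen == 0]
        if self.scope_zero_wins and zero:
            return nets[zero[0]]
        return nets[max(hits, key=lambda n: n.prefixlen)]


def replay(scope_zero_wins):
    """Cache all three responses, then resolve for three client addresses."""
    cache = EcsCache(scope_zero_wins)
    for source, scope_len, answer in RESPONSES:
        cache.store(QNAME, source, scope_len, answer)
    clients = ["52.57.28.138", "35.157.1.1", "198.51.100.7"]
    return {c: cache.lookup(QNAME, c) for c in clients}


if __name__ == "__main__":
    for mode in (False, True):
        print("scope_zero_wins =", mode, replay(mode))
```

With scope_zero_wins=False the /16 and /14 entries keep serving their own clients after the scope-0 answer is cached; with True every client receives 192.33.31.183 until that entry is gone.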
