Your explanation makes sense, but that still doesn't explain the original problems I see with pdns. See [1]. When pdns received the response for the 1st query, it should have a cache entry for a scope prefix-length of 16 (btw, why don't I have that information when I dig against pdns?). When the 2nd query was fired against pdns, it recursed and got a response. Shouldn't it have a different cache entry, as there is no EDNS client subnet in the lookup, so there is no scope prefix-length returned at all? The 3rd query should've returned the same IP as the 1st query, as the subnet provided was the same. The cache implementation with EDNS client subnet for unbound DNS works fine. See [2]. This seems to me to be a bug with pdns recursor.
[1]

root@DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8129
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3600    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net.      600     IN      A       35.156.66.126

;; Query time: 149 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:33 GMT 2017
;; MSG SIZE rcvd: 97

root@DFW01-CPS01:~# dig @localhost morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55653
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3600    IN      CNAME   ins-091.inscname.net.
ins-091.inscname.net.           3600    IN      CNAME   a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.           3600    IN      A       192.33.31.183

;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:46 GMT 2017
;; MSG SIZE rcvd: 123

root@DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5744
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3589    IN      CNAME   ins-091.inscname.net.
ins-091.inscname.net.           3589    IN      CNAME   a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.           3589    IN      A       192.33.31.183

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:57 GMT 2017
;; MSG SIZE rcvd: 123

[2]

root@PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11487
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3600    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net.      600     IN      A       35.156.66.126

;; AUTHORITY SECTION:
insnw.net.                      86400   IN      NS      ns1.insnw.net.
insnw.net.                      86400   IN      NS      ns2.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.                  86400   IN      A       192.33.29.21
ns2.insnw.net.                  86400   IN      A       192.33.29.22

;; Query time: 1679 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:37 GMT 2017
;; MSG SIZE rcvd: 177

root@PAO03-ACCEL03:~# dig @localhost morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P2 <<>> @localhost morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8120
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3600    IN      CNAME   ins-091.inscname.net.
ins-091.inscname.net.           3600    IN      CNAME   a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.           3600    IN      A       192.33.31.183

;; AUTHORITY SECTION:
insnw.net.                      86391   IN      NS      ns1.insnw.net.
insnw.net.                      86391   IN      NS      ns2.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.                  86390   IN      A       192.33.29.21
ns2.insnw.net.                  86390   IN      A       192.33.29.22

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:47 GMT 2017
;; MSG SIZE rcvd: 191

root@PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49704
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN      A

;; ANSWER SECTION:
morpheus-ien.insnw.net.         3581    IN      CNAME   ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net.      581     IN      A       35.156.66.126

;; AUTHORITY SECTION:
insnw.net.                      86381   IN      NS      ns1.insnw.net.
insnw.net.                      86381   IN      NS      ns2.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.                  86381   IN      A       192.33.29.21
ns2.insnw.net.                  86381   IN      A       192.33.29.22

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:56 GMT 2017
;; MSG SIZE rcvd: 177

On Thursday, August 3, 2017, 1:21:47 AM PDT, Remi Gacogne <[email protected]> wrote:

> On 08/03/2017 12:04 AM, Shawn Zhou wrote:
>> I don't think that's the right behavior. If Client Subnet scope set to
>> 0, resolver should not cache it.
>> unbound DNS gives me the expected output as it cache has different
>> entries for different client subnet. Why is pdns recursor's
>> implementation different?
>
> rfc7871 states that a Client Subnet scope set to 0 should be cached and
> is suitable for all networks in section 7.3.1:
>
>   Records that are cached as /0 because of a query's SOURCE PREFIX-LENGTH
>   of 0 MUST be distinguished from those that are cached as /0 because of
>   a response's SCOPE PREFIX-LENGTH of 0. The former should only be used
>   for other /0 queries that the Intermediate Resolver receives, but the
>   latter is suitable as a response for all networks.
>
> It also hints so in section 7.3:
>
>   If no ECS option is contained in the response, the Intermediate
>   Nameserver SHOULD treat this as being equivalent to having received a
>   SCOPE PREFIX-LENGTH of 0, which is an answer suitable for all client
>   addresses.
>
> Section 11.2 also states:
>
>   [...] to send a matching response with SCOPE PREFIX-LENGTH set to 0 to
>   get it cached for all hosts.
>
> I might of course be mistaken, but it seems to me that we are currently
> doing the right thing.
>
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
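To make the RFC 7871 section 7.3.1 rule quoted in the thread concrete, here is an added example (not PowerDNS or Unbound code) of an ECS-aware cache that keeps "/0 because the query said /0" apart from "/0 because the response's scope was 0", and replays the three queries from trace [2]. The rule that the most specific matching scope wins on lookup, the stand-in 127.0.0.1 for the plain query and the example.test record are assumptions of this example.

```python
"""Sketch of an ECS-aware cache following RFC 7871 section 7.3.1 (added example)."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    network: ipaddress.IPv4Network  # client network this answer may be served to
    scope: int                      # SCOPE PREFIX-LENGTH the response carried (0 if none)
    source_zero: bool               # True when cached as /0 because the QUERY said /0
    rrset: tuple                    # constructed answer records

class EcsCache:
    def __init__(self):
        self.entries = {}           # (qname, qtype) -> [Entry, ...]

    def store(self, qname, qtype, client_addr, source_prefix, scope, rrset):
        if source_prefix == 0:      # explicit /0 in the query: keep it apart (7.3.1)
            entry = Entry(ipaddress.ip_network("0.0.0.0/0"), 0, True, rrset)
        else:                       # no ECS in the response counts as scope 0 (7.3)
            scope = 0 if scope is None else scope
            net = ipaddress.ip_network(f"{client_addr}/{scope}", strict=False)
            entry = Entry(net, scope, False, rrset)
        self.entries.setdefault((qname, qtype), []).append(entry)

    def lookup(self, qname, qtype, client_addr=None, source_prefix=None):
        cands = self.entries.get((qname, qtype), [])
        if source_prefix == 0:      # /0 queries may use either kind of /0 entry
            hits = [e for e in cands if e.source_zero or e.scope == 0]
            return hits[0].rrset if hits else None
        addr = ipaddress.ip_address(client_addr)
        hits = [e for e in cands if not e.source_zero and addr in e.network]
        # assumption of this example: the most specific matching scope wins
        return max(hits, key=lambda e: e.scope).rrset if hits else None

Q = ("morpheus-ien.insnw.net", "A")
ECS_ANSWER = ("CNAME ien01-fra02.svc.insnw.net.", "A 35.156.66.126")    # [2], query 1
PLAIN_ANSWER = ("CNAME ins-091.inscname.net.", "A 192.33.31.183")       # [2], query 2

def replay_trace():
    """Replays [2]: ECS /32 answered with scope 16, then no ECS, then ECS again."""
    cache = EcsCache()
    cache.store(*Q, "52.57.28.138", 32, 16, ECS_ANSWER)
    cache.store(*Q, "127.0.0.1", None, None, PLAIN_ANSWER)  # no ECS in query or response
    return (cache.lookup(*Q, "52.57.28.138", 32),   # 3rd query: the /16 entry still matches
            cache.lookup(*Q, "198.51.100.7", 32),   # other client: only the /0 entry fits
            cache.lookup(*Q, None, 0))              # explicit /0 query: scope-0 entry is fine

def source_zero_demo():
    """An answer cached for an explicit /0 query must not be served to addressed clients."""
    cache = EcsCache()
    cache.store("example.test", "A", None, 0, 0, ("A 192.0.2.1",))  # constructed record
    return (cache.lookup("example.test", "A", "52.57.28.138", 32),
            cache.lookup("example.test", "A", None, 0))
```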
