[ Quoting <[email protected]> in "Re: [Unbound-users] How to config w..." ]
Hi Larry,

I think the best way to avoid getting non-ECS answers when ECS is present would be to always pass the query to the ECS module. Yes,
this would slow down non-ECS queries, but would avoid the issue of
returning a non-ECS answer to an ECS query. Acceptable to anyone who chooses to enable ECS.

I'm afraid this would not work sufficiently. Unbound does not know
which source addresses get handled incorrectly by the authority. Thus,
if no match is found in the subnet cache, Unbound has no choice but to ask the
authority. Effectively Unbound won't be able to cache at all for the
CDN queries.

This is effectively the text in the draft:

   If the address of the client does not match any network in the cache,
   then the Recursive Resolver MUST behave as if no match was found and
   perform resolution as usual.  This is necessary to avoid suboptimal
   replies in the cache from being returned to the wrong clients, and to
   avoid a single request coming from a client on a different network
   from polluting the cache with a suboptimal reply for all the users of
   that resolver.


There are two ways to look at this IMHO:
1) The setup is broken, you can't have authorities answer differently
and always expect to have an optimal answer.

? Isn't this exactly what a CDN DNS server does?

2) The draft is broken because it can not deal with this setup.

I fail to see a way to fix this problem AND adhere to the draft AND
not cause unexpected failures for anyone else. I'm open for fresh
ideas though.

Regards,
Yuri
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

/Miek

--
Miek Gieben
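The draft rule quoted above (from the EDNS Client Subnet draft, published as RFC 7871) and Yuri's objection to it can both be shown in a few lines of code. What follows is an added example written for this page, not code from Unbound or from anyone in the thread: a toy subnet cache that does a longest-prefix match over the networks the authority scoped its answers to, treats "no matching network" as a miss, and counts how often the authority gets asked. The zone contents, the addresses and the names Authority, EcsCache, Resolver and run are all constructed for the example. The second run, with generic=None, is the CDN case from Yuri's message: an authority that tailors every network, so that no answer is ever cached with SCOPE 0 and every new client network costs a round trip.

```python
import ipaddress
from collections import defaultdict

# Constructed data for the example: a CDN-style zone that answers
# differently per client /24 and signals that with SCOPE PREFIX-LENGTH 24.
CDN_ZONE = {
    ipaddress.ip_network("192.0.2.0/24"): ("198.18.1.1", 24),
    ipaddress.ip_network("198.51.100.0/24"): ("198.18.2.1", 24),
}


class Authority:
    """Toy authoritative server. Counts how often the resolver had to ask it."""

    def __init__(self, zone, generic=None):
        self.zone = dict(zone)
        self.generic = generic  # (answer, scope) for clients outside the zone, or None
        self.queries = 0

    def resolve(self, qname, client_addr, source_prefix):
        self.queries += 1
        addr = ipaddress.ip_address(client_addr)
        for net, (answer, scope) in self.zone.items():
            if addr in net:
                # An authority must not return a SCOPE longer than the SOURCE it was sent.
                return answer, min(scope, source_prefix)
        if self.generic is not None:
            return self.generic
        # Fully tailoring CDN (Yuri's case): every network gets its own answer,
        # and the SCOPE is always as long as the SOURCE the resolver sent.
        net = ipaddress.ip_network((client_addr, source_prefix), strict=False)
        return f"edge-for-{net}", source_prefix


class EcsCache:
    """Answers keyed by qname and the client network the authority scoped them to."""

    def __init__(self):
        self.entries = defaultdict(list)  # qname -> [(network, answer)]

    def lookup(self, qname, client_addr):
        """Longest-prefix match; None means no network matches, a miss per the draft."""
        addr = ipaddress.ip_address(client_addr)
        best = None
        for net, answer in self.entries[qname]:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, answer)
        return None if best is None else best[1]

    def store(self, qname, client_addr, scope, answer):
        # SCOPE 0 yields 0.0.0.0/0: the authority said the answer fits every client.
        net = ipaddress.ip_network((client_addr, scope), strict=False)
        self.entries[qname].append((net, answer))


class Resolver:
    def __init__(self, authority, source_prefix=24):
        self.authority = authority
        self.cache = EcsCache()
        self.source_prefix = source_prefix

    def resolve(self, qname, client_addr):
        """Returns (answer, 'cache' | 'authority')."""
        cached = self.cache.lookup(qname, client_addr)
        if cached is not None:
            return cached, "cache"
        # Draft rule: no matching network in the cache -> resolve as usual, then
        # cache under the SCOPE the authority returned, not under the client's prefix.
        answer, scope = self.authority.resolve(qname, client_addr, self.source_prefix)
        self.cache.store(qname, client_addr, scope, answer)
        return answer, "authority"


def run(clients, generic=("198.18.0.1", 0)):
    """Resolve one qname for each client in turn; return the per-client
    (answer, source) pairs and how many times the authority was consulted."""
    authority = Authority(CDN_ZONE, generic)
    resolver = Resolver(authority)
    results = [resolver.resolve("cdn.example", c) for c in clients]
    return results, authority.queries


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9",
               "203.0.113.200", "192.0.2.1", "100.64.0.1", "100.64.5.9"]
    results, queries = run(clients)
    for client, (answer, where) in zip(clients, results):
        print(f"{client:16} -> {answer:12} ({where})")
    print("authority queries, generic fallback with SCOPE 0:", queries)
    print("authority queries, fully tailoring CDN:", run(clients, generic=None)[1])
```

With the generic fallback, the one SCOPE 0 answer lands in the cache as 0.0.0.0/0 and serves every client the zone does not tailor for, while the /24 entries still win the longest-prefix match for 192.0.2.0/24 and 198.51.100.0/24. With generic=None nothing ever matches a client from a new /24, so the resolver behaves exactly as the draft text says it MUST and asks the authority again, which is the "won't be able to cache at all for the CDN queries" outcome.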