On Tue, Jan 6, 2015 at 10:07 PM, Miek Gieben <[email protected]> wrote:

> [ Quoting <[email protected]> in "Re: [Unbound-users] How to config w..." ]
>
>> Hi Larry,
>>
>>> I think the best way to avoid getting non ecs answers when ecs is
>>> present would be to always pass the query to the ecs module. Yes
>>> this would slow down non ecs queries, but would avoid the issue of
>>> returning a non ecs answer to an ecs query. acceptable to anyone who
>>> chooses to enable ECS.
>>
>> I'm afraid this would not work sufficiently. Unbound does not know
>> which source addresses get handled incorrectly by the authority. Thus,
>> if no match is found in the subnet-cache has no choice than to ask the
>> authority. Effectively Unbound won't be able to cache at all for the
>> CDN queries.
>
> this is effectively the text in the draft:
>
> If the address of the client does not match any network in the cache,
> then the Recursive Resolver MUST behave as if no match was found and
> perform resolution as usual. This is necessary to avoid suboptimal
> replies in the cache from being returned to the wrong clients, and to
> avoid a single request coming from a client on a different network
> from polluting the cache with a suboptimal reply for all the users of
> that resolver.

This is why I believe compiling a list of DNS servers that support client
subnet is not enough. There should be another option to configure a list of
domains which support client subnet. Any records in these domains should be
cached in the secondary cache instead of the primary one.

>> There are two ways to look at this IMHO:
>> 1) The setup is broken, you can't have authorities answer differently
>> and always expect to have an optimal answer.
>
> ? Isn't this exactly what a CDN dns server does?
>
>> 2) The draft is broken because it can not deal with this setup.
>>
>> I fail to see a way to fix this problem AND adhere to the draft AND
>> not cause unexpected failures for anyone else. I'm open for fresh
>> ideas though.
>>
>> Regards,
>> Yuri
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> /Miek
>
> --
> Miek Gieben

--
Kun YU
Ph.D. Candidate,
Department of Electronic Engineering,
Tsinghua University, Beijing, 100084, China.
Mobile Phone:+86 13466535220
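The cache behaviour discussed in this thread, as an added example that is not part of the original message and is not Unbound's code: names under an operator-supplied domain list go to a per-network secondary cache, and a client whose address matches no cached network is treated as a miss, as the quoted draft text requires. The class, function and domain names, the sample authority, and the choice not to cache a scope-less reply for a listed domain are all assumptions of this sketch.

```python
import ipaddress

def _norm(qname):
    return qname.lower().rstrip(".")

class EcsAwareCache:
    """Primary cache for ordinary names, per-network secondary cache for listed domains."""

    def __init__(self, ecs_domains):
        self.ecs_domains = {_norm(d) for d in ecs_domains}  # hypothetical operator-supplied list
        self.primary = {}     # qname -> answer, shared by all clients
        self.secondary = {}   # qname -> {ip_network: answer}

    def is_ecs_domain(self, qname):
        labels = _norm(qname).split(".")
        return any(".".join(labels[i:]) in self.ecs_domains for i in range(len(labels)))

    def lookup(self, qname, client_ip):
        qname = _norm(qname)
        if not self.is_ecs_domain(qname):
            return self.primary.get(qname)
        addr = ipaddress.ip_address(client_ip)
        nets = [n for n in self.secondary.get(qname, {})
                if n.version == addr.version and addr in n]
        if not nets:
            return None  # no covering network: behave as if no match was found
        return self.secondary[qname][max(nets, key=lambda n: n.prefixlen)]

    def store(self, qname, answer, scope=None):
        qname = _norm(qname)
        if not self.is_ecs_domain(qname):
            self.primary[qname] = answer
        elif scope is not None:
            self.secondary.setdefault(qname, {})[ipaddress.ip_network(scope)] = answer
        # listed domain, reply without a scope: not cached (assumption of this sketch)

def resolve(cache, qname, client_ip, upstream):
    """Return (answer, served_from_cache); upstream(qname, ip) -> (answer, scope or None)."""
    hit = cache.lookup(qname, client_ip)
    if hit is not None:
        return hit, True
    answer, scope = upstream(qname, client_ip)
    cache.store(qname, answer, scope)
    return answer, False

def fake_authority(qname, client_ip):
    """Constructed stand-in for an authority that tailors answers per client network."""
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network("192.0.2.0/24"):
        return "198.51.100.10", "192.0.2.0/24"
    return "198.51.100.20", "203.0.113.0/24"
```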
