Hi Andreas, Are you sure you are not looking at subqueries generated by Unbound, like root priming queries or queries for the DNSKEY? We do not add ECS data to these queries.
I do not think we should document the any address case. Sending (privacy sensitive) ECS data to all nameservers does not sound like a wise thing to do. Regards, -- Ralph On 24-04-17 11:47, A. Schulze via Unbound-users wrote: > > Ralph Dolmans via Unbound-users: > >> Any chance that the nameservers Unbound is sending queries to are not on >> the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to >> whitelisted addresses. > > Ralf. > > 2000::/3 should cover any IPv6 nameserver. > just added "send-client-subnet: 0.0.0.0/0" to cover IPv4 also > ( suggestion: document the "any address" case ) > but no visible change in packet traces > > every time I > 1. restart unbound > 2. capture any traffic on Port 53 > 3. send a query "dig @resolver google.com. ns" > 4. stop & inspect the trace > > Andreas
