Ralph Dolmans via Unbound-users:

> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.

Found it!
(for queries sent to IPv4 as well as IPv6 name servers)

and, surprise:
the data aren't unknown to Wireshark :-)

> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.

Isn't it better to document a security pitfall than to let the user tap in?
At least the doc may explicitly mention the security impact.

Other question (man 5 unbound.conf)

  ... When an answer contains the ECS option the response and the
  option are placed in a specialized cache.

I read it as
Unbound sends a query + ECS option to a nameserver. The response from the nameserver also contains an ECS option to indicate support. Unbound places the answer in a separate cache.

-> correct? -> why a separate cache?

thanks for your patience,
Andreas
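
A check in the spirit of the Wireshark inspection above, as an added example that is not part of the original thread or of Unbound's code: it decodes the ECS option (EDNS option code 8, RFC 7871) from a raw DNS message, so a capture can be audited for which outgoing queries carry client subnet data. Both messages are constructed samples and the function names are hypothetical; well-formed input is assumed.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8    # edns-client-subnet option, RFC 7871
OPT_RR_TYPE = 41       # EDNS0 OPT pseudo-record

# Constructed sample: query for example.com A with ECS 192.0.2.0/24.
QUERY_WITH_ECS = bytes.fromhex(
    "123400000001000000000001"            # header: 1 question, 1 additional
    "076578616d706c6503636f6d0000010001"  # example.com. A IN
    "00002904d000008000000b"              # OPT, 1232-byte UDP, DO, RDLEN 11
    "00080007000118" "00" "c00002")       # ECS: IPv4, source /24, scope /0
# Constructed sample: root priming style query (. NS) with an empty OPT.
PRIMING_QUERY = bytes.fromhex(
    "567800000001000000000001" "0000020001" "00002904d0000080000000")

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def extract_ecs(msg):
    """Return (client_network, scope_prefix_len), or None if no ECS option."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        pos, end = off, off + rdlen
        while rtype == OPT_RR_TYPE and pos + 4 <= end:
            code, optlen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if code == ECS_OPTION_CODE:
                family, source, scope = struct.unpack_from("!HBB", msg, pos)
                v4 = family == 1           # 1 = IPv4, 2 = IPv6
                cls = ipaddress.IPv4Network if v4 else ipaddress.IPv6Network
                # The address is truncated to the source prefix; pad it back.
                addr = msg[pos + 4:pos + optlen].ljust(4 if v4 else 16, b"\0")
                return cls((addr, source), strict=False), scope
            pos += optlen
        off = end
    return None
```
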