Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

Ralph Dolmans ralph at nlnetlabs.nl
Mon Apr 24 11:29:58 UTC 2017


Hi Andreas,

Are you sure you are not looking at subqueries generated by Unbound,
like root priming queries or queries for the DNSKEY? We do not add ECS
data to these queries.

I do not think we should document the "any address" case. Sending
(privacy-sensitive) ECS data to all nameservers does not sound like a
wise thing to do.

Regards,
-- Ralph

On 24-04-17 11:47, A. Schulze via Unbound-users wrote:
> 
> Ralph Dolmans via Unbound-users:
> 
>> Any chance that the nameservers Unbound is sending queries to are not on
>> the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to
>> whitelisted addresses.
> 
> Ralf.
> 
> 2000::/3 should cover any IPv6 nameserver.
> just added "send-client-subnet: 0.0.0.0/0" to cover IPv4 also
> ( suggestion: document the "any address" case )
> but no visible change in packet traces
> 
> every time I
> 1. restart unbound
> 2. capture any traffic on Port 53
> 3. send a query "dig @resolver google.com. ns"
> 4. stop & inspect the trace
> 
> Andreas
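
For the trace-inspection step discussed in this thread, the following is an added example (not part of the original messages and not Unbound code) that checks whether a DNS message carries an EDNS Client Subnet option, which helps tell ECS-bearing queries apart from subqueries such as DNSKEY lookups. It assumes the raw DNS payloads have already been extracted from the capture; the two sample packets and the 192.0.2.0/24 subnet are constructed for illustration.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41       # EDNS0 OPT pseudo-RR
ECS_OPTION_CODE = 8    # EDNS Client Subnet (RFC 7871)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                    # root label ends the name
            return off

def find_ecs(msg):
    """Return the client subnet carried in a DNS message, or None if no ECS option."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):       # walk the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, pos)
            opt, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE and len(opt) >= 4:
                family, src_len, _scope = struct.unpack_from("!HBB", opt)
                cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
                size = 4 if family == 1 else 16
                addr = opt[4:].ljust(size, b"\0")[:size]   # address is truncated on the wire
                return cls((addr, src_len), strict=False)
    return None

# Constructed samples: "google.com. NS" with ECS 192.0.2.0/24, and a
# "com. DNSKEY" subquery with an OPT RR but no ECS option.
QUERY_WITH_ECS = bytes.fromhex(
    "123400000001000000000001" "06676f6f676c6503636f6d00" "00020001"
    "00" "0029" "1000" "00008000" "000b" "0008" "0007" "0001" "18" "00" "c00002")
SUBQUERY_NO_ECS = bytes.fromhex(
    "123500000001000000000001" "03636f6d00" "00300001"
    "00" "0029" "1000" "00008000" "0000")
```

Running `find_ecs` over every outbound query in a capture, grouped by destination address, shows which upstream servers actually receive client subnet data.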


