On 03. 06. 20 14:44, Chris Adams wrote:
> What is considered current best practice for recursive servers on
> enabling EDNS client-subnet?
>
> I ask because I have a couple of recursive DNS servers at an independent
> telephone company that are getting different answers for a certain large
> website. The servers are in the same subnet, but one gets an IP
> apparently in another country, while the other gets an IP in a nearby
> state. The servers are configured identically (CentOS 7 with Unbound).
>
> I emailed the website's NOC, and their response was that the issue was
> that "Most likely the issue is due to EDNS not being turned on with your
> DNS server." I assume they were talking about EDNS client-subnet
> (because they then gave an example dig with +subnet set).
>
> These servers are not configured to send client-subnet to anybody
> (pretty much default Unbound config). They aren't serving clients from
> outside the AS - I generally think of client-subnet as something you'd
> use on a DNS server with a wide range of clients. Is it expected that I
> should be enabling EDNS client-subnet on recursive servers?
>
> I do have some recursive servers that have a large set of clients (where
> client-subnet might be useful) - should I just enable it for all
> requests? In Unbound terms, enable "client-subnet-always-forward"?
In my view ECS is only useful if the routing paths between:

a) resolver & Internet
b) client sending the query to the resolver & Internet

are different.

Netmasks in Unbound's max-client-subnet-ipv4/6 would ideally be as short as possible, to cover just the prefix that causes the routing to differ and nothing more.

As for client-subnet-always-forward... I do not understand what the manual attempts to say :-/

--
Petr Špaček @ CZ.NIC

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
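To make the "as short as possible" advice concrete, the following added example (not code from the thread or from Unbound) builds the EDNS0 Client Subnet option that a resolver sends upstream per RFC 7871, clamping the client address to a maximum prefix length the way Unbound's max-client-subnet-ipv4/6 settings do, and parses one back so the truncation can be checked. The client addresses are constructed sample values; the prefix lengths 24 and 56 are the defaults Unbound's manual documents for those two options.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)


def truncate_prefix(address: str, prefix_len: int) -> bytes:
    """Keep only the leading prefix_len bits of the address: trailing
    bytes are dropped and the last kept byte is masked, as RFC 7871
    requires (no host bits may leak past SOURCE PREFIX-LENGTH)."""
    raw = ipaddress.ip_address(address).packed
    nbytes = (prefix_len + 7) // 8
    kept = bytearray(raw[:nbytes])
    extra_bits = nbytes * 8 - prefix_len
    if nbytes and extra_bits:
        kept[-1] &= (0xFF << extra_bits) & 0xFF
    return bytes(kept)


def build_ecs_option(address: str, max_prefix_len: int) -> bytes:
    """Encode OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 in a query) and the truncated address, with
    the source prefix clamped like max-client-subnet-ipv4/6."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2          # IANA address family
    host_bits = 32 if ip.version == 4 else 128
    source_prefix = min(max_prefix_len, host_bits)
    body = struct.pack("!HBB", family, source_prefix, 0)
    body += truncate_prefix(address, source_prefix)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option, zero-padding the address back to full width."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    full = 4 if family == 1 else 16
    addr = option[8:] + b"\x00" * (full - len(option[8:]))
    return {"family": family, "source_prefix": source,
            "scope_prefix": scope, "address": str(ipaddress.ip_address(addr))}


if __name__ == "__main__":
    for addr, limit in (("198.51.100.77", 24), ("2001:db8:1234:5678::1", 56)):
        print(parse_ecs_option(build_ecs_option(addr, limit)))
```

Comparing the decoded `address` against the original shows exactly which host bits an upstream authoritative server never sees at a given limit.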
