<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:medium;"><div>Hi,</div><div><br></div><div>I am trying out pdns recursor 4.0.6 on Ubuntu Xenial, and cache lookups for the same record with and without client subnet give me the same result, which is not expected. I expect [3] to return a different value, as the cache should have a different value based on client subnet. I wonder if that's a bug with the edns-client-subnet implementation in pdns or if I am missing something in the configuration file.</div><div><br></div><div>Also, I noticed dig doesn't show "CLIENT-SUBNET: 52.57.28.138/32/16" when I dig against pdns, but I get that when I dig against the authoritative directly. See [4].</div><div><br></div><div>root@DFW01-CPS01:~# /etc/init.d/pdns-recursor restart<br> * Restarting PowerDNS recursor pdns-recursor<br>Aug 02 05:23:14 PowerDNS Recursor 4.0.6 (C) 2001-2016 PowerDNS.COM BV<br>Aug 02 05:23:14 Using 64-bits mode. Built using gcc 5.4.0 20160609 on Jul 4 2017 15:43:52 by root@5ee67e1ed1a4.<br>Aug 02 05:23:14 PowerDNS comes with ABSOLUTELY NO WARRANTY. 
This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.<br>Aug 02 05:23:14 Reading random entropy from '/dev/urandom'<br>Aug 02 05:23:14 If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384<br>Aug 02 05:23:14 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable<br>Aug 02 05:23:14 Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10<br>Aug 02 05:23:14 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::<br>Aug 02 05:23:14 PowerDNS Recursor itself will distribute queries over threads<br>Aug 02 05:23:14 Inserting rfc 1918 private space zones<br>Aug 02 05:23:14 Listening for UDP queries on 127.0.0.1:53<br>Aug 02 05:23:14 Enabled TCP data-ready filter for (slight) DoS protection<br>Aug 02 05:23:14 Listening for TCP queries on 127.0.0.1:53<br>Aug 02 05:23:14 Calling daemonize, going to background<br> ...done.<br>root@DFW01-CPS01:~# dig @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26479<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 
600 IN A 35.156.66.126<br><br>;; Query time: 142 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Wed Aug 02 05:24:06 GMT 2017<br>;; MSG SIZE rcvd: 97<br><br>root@DFW01-CPS01:~# dig @127.0.0.1 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 437<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183<br><br>;; Query time: 25 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Wed Aug 02 05:24:18 GMT 2017<br>;; MSG SIZE rcvd: 123<br><br><br>[3]<br>root@DFW01-CPS01:~# dig @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19051<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3594 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3594 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 
3594 IN A 192.33.31.183<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Wed Aug 02 05:24:24 GMT 2017<br>;; MSG SIZE rcvd: 123<br></div><div><br></div><div>[4]</div><div>szhou@DFW01-CPS01:~$ dig @ns1.insnw.net +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35637<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br>;; WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; COOKIE: bd357c1c04caaf44f7b0369b59816753474676b8d8dc2509 (good)<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86400 IN NS ns2.insnw.net.<br>insnw.net. 86400 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86400 IN A 192.33.29.21<br>ns2.insnw.net. 86400 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: 192.33.29.21#53(192.33.29.21)<br>;; WHEN: Wed Aug 02 05:46:59 GMT 2017<br>;; MSG SIZE rcvd: 205<br></div><div><br></div><div>root@DFW01-CPS01:/etc/powerdns# grep -v \# /etc/powerdns/recursor.conf | sed -e '/^$/d'<br>config-dir=/etc/powerdns<br>ecs-ipv4-bits=16<br>edns-subnet-whitelist=insnw.net<br>local-address=127.0.0.1<br>loglevel=9<br>setgid=pdns<br>setuid=pdns<br>use-incoming-edns-subnet=yes<br></div><div><br></div><div><br></div></div></body></html>