<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:medium;"><div><div>I don't think that's the right behavior. If Client Subnet scope is set to 0, resolver should not cache it.</div></div><div>unbound DNS gives me the expected output as its cache has different entries for different client subnets. Why is pdns recursor's implementation different?</div><div><br></div><div>root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30374<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86400 IN NS ns2.insnw.net.<br>insnw.net. 86400 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86400 IN A 192.33.29.21<br>ns2.insnw.net. 86400 IN A 192.33.29.22<br><br>;; Query time: 38 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:57:39 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@DFW01-CPS02:~# dig @localhost morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15379<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 
3600 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86382 IN NS ns2.insnw.net.<br>insnw.net. 86382 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86382 IN A 192.33.29.21<br>ns2.insnw.net. 86382 IN A 192.33.29.22<br><br>;; Query time: 133 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:57:57 GMT 2017<br>;; MSG SIZE rcvd: 191<br><br>root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16040<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3578 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 578 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86378 IN NS ns2.insnw.net.<br>insnw.net. 86378 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86378 IN A 192.33.29.21<br>ns2.insnw.net. 
86378 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:58:01 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3792<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 35.156.66.126/32/14<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86400 IN NS ns2.insnw.net.<br>insnw.net. 86400 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86400 IN A 192.33.29.21<br>ns2.insnw.net. 86400 IN A 192.33.29.22<br><br>;; Query time: 1 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:59:08 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53600<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 35.156.66.126/32/14<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3593 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 593 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86393 IN NS ns2.insnw.net.<br>insnw.net. 
86393 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86393 IN A 192.33.29.21<br>ns2.insnw.net. 86393 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:59:15 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21641<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3501 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 501 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86301 IN NS ns2.insnw.net.<br>insnw.net. 86301 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86301 IN A 192.33.29.21<br>ns2.insnw.net. 86301 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 21:59:18 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@DFW01-CPS02:~# dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12099<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3<br>;; WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; COOKIE: b537fab859d0a708de980e0b59824b5bf67f0190c854a967 (good)<br>; CLIENT-SUBNET: 127.0.0.1/32/0<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. 
IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86400 IN NS ns2.insnw.net.<br>insnw.net. 86400 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86400 IN A 192.33.29.21<br>ns2.insnw.net. 86400 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: 192.33.29.21#53(192.33.29.21)<br>;; WHEN: Wed Aug 02 21:59:55 GMT 2017<br>;; MSG SIZE rcvd: 231<br><br>root@DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10178<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3459 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 459 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86259 IN NS ns2.insnw.net.<br>insnw.net. 86259 IN NS ns1.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86259 IN A 192.33.29.21<br>ns2.insnw.net. 
86259 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: ::1#53(::1)<br>;; WHEN: Wed Aug 02 22:00:00 GMT 2017<br>;; MSG SIZE rcvd: 177<br></div><div><br></div><hr><div id="ydp209fa65ayahoo_quoted_2320820729" class="ydp209fa65ayahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div>On Wednesday, August 2, 2017, 2:02:43 AM PDT, Remi Gacogne &lt;remi.gacogne@powerdns.com&gt; wrote:</div><div><br></div><div><br></div><div><div dir="ltr">Hi Shawn,<br clear="none"><div class="ydp209fa65ayqt5245805324" id="ydp209fa65ayqtfd29903"><br clear="none">On 08/02/2017 08:47 AM, Shawn Zhou wrote:<br clear="none">> Sorry. I meant the authoritative nameserver did respond with the correct answer. </div><br clear="none"><br clear="none">The authoritative server answers with an EDNS Client Subnet scope set to<br clear="none">0 when we send a query with a source set to 127.0.0.1/32, meaning that<br clear="none">we can cache the answer and use it for any source:<br clear="none"><br clear="none">$ dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net<br clear="none"><br clear="none">; <<>> DiG 9.11.2 <<>> @ns1.insnw.net +subnet=127.0.0.1<br clear="none">morpheus-ien.insnw.net<br clear="none">; (1 server found)<br clear="none">;; global options: +cmd<br clear="none">;; Got answer:<br clear="none">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41118<br clear="none">;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3<br clear="none">;; WARNING: recursion requested but not available<br clear="none"><br clear="none">;; OPT PSEUDOSECTION:<br clear="none">; EDNS: version: 0, flags:; udp: 4096<br clear="none">; COOKIE: b560d095f78df047eb13a9a85981941eb2b38c5376e87bb2 (good)<br clear="none">; CLIENT-SUBNET: 127.0.0.1/32/0<br clear="none">[...]<br clear="none"><br clear="none">Once this answer is in our cache, we will use it until it expires and<br clear="none">won't look for most specific answers, 
regardless of the ECS value of the<br clear="none">query.<br clear="none"><br clear="none">-- <br clear="none">Remi Gacogne<br clear="none">PowerDNS.COM BV - <a shape="rect" href="https://www.powerdns.com/" rel="nofollow" target="_blank">https://www.powerdns.com/</a><div class="ydp209fa65ayqt5245805324" id="ydp209fa65ayqtfd57343"><br clear="none"></div></div><div class="ydp209fa65ayqt5245805324" id="ydp209fa65ayqtfd44686"><br clear="none"></div></div></div></div></div></body></html>