<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:medium;"><div><div>Your explanation makes sense but that still doesn't explain the original problems I see with pdns. see [1]. When pdns received the response for the 1st query, it should have a cache entry for scope prefix-length of 16 (btw, why don't I have that information when I dig against pdns?). When the 2nd query was fired against pdns, it recurses and get a response. Shouldn't it has a different cache entry as there is no edns client in the lookup so there is no scope prefix-length return at all? The 3rd query should've returned the same IP as the 1st query as subnet provided was the same.</div></div><div><br></div><div>The cache implementation with edns client subnet for unbound dns works fine. see [2]. </div><div>This seems to me it's a bug with pdns recursor.</div><div><br></div><div><br></div><div><br></div><div>[1]</div><div>root@DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8129<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126<br><br>;; Query time: 149 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:25:33 GMT 2017<br>;; MSG SIZE rcvd: 97<br><br>root@DFW01-CPS01:~# dig @localhost morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55653<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183<br><br>;; Query time: 35 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:25:46 GMT 2017<br>;; MSG SIZE rcvd: 123<br><br>root@DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (2 servers found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5744<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3589 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3589 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3589 IN A 192.33.31.183<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:25:57 GMT 2017<br>;; MSG SIZE rcvd: 123<br></div><div><br></div><div><br></div><div>[2]</div><div><br></div><div>root@PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11487<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86400 IN NS ns1.insnw.net.<br>insnw.net. 86400 IN NS ns2.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86400 IN A 192.33.29.21<br>ns2.insnw.net. 86400 IN A 192.33.29.22<br><br>;; Query time: 1679 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:26:37 GMT 2017<br>;; MSG SIZE rcvd: 177<br><br>root@PAO03-ACCEL03:~# dig @localhost morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P2 <<>> @localhost morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8120<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.<br>ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.<br>a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86391 IN NS ns1.insnw.net.<br>insnw.net. 86391 IN NS ns2.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86390 IN A 192.33.29.21<br>ns2.insnw.net. 86390 IN A 192.33.29.22<br><br>;; Query time: 5 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:26:47 GMT 2017<br>;; MSG SIZE rcvd: 191<br><br>root@PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br><br>; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49704<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; CLIENT-SUBNET: 52.57.28.138/32/16<br>;; QUESTION SECTION:<br>;morpheus-ien.insnw.net. IN A<br><br>;; ANSWER SECTION:<br>morpheus-ien.insnw.net. 3581 IN CNAME ien01-fra02.svc.insnw.net.<br>ien01-fra02.svc.insnw.net. 581 IN A 35.156.66.126<br><br>;; AUTHORITY SECTION:<br>insnw.net. 86381 IN NS ns1.insnw.net.<br>insnw.net. 86381 IN NS ns2.insnw.net.<br><br>;; ADDITIONAL SECTION:<br>ns1.insnw.net. 86381 IN A 192.33.29.21<br>ns2.insnw.net. 86381 IN A 192.33.29.22<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Aug 03 17:26:56 GMT 2017<br>;; MSG SIZE rcvd: 177<br></div><div><br></div><hr><div id="ydpc7d0cb52yahoo_quoted_2237653686" class="ydpc7d0cb52yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div>On Thursday, August 3, 2017, 1:21:47 AM PDT, Remi Gacogne <remi.gacogne@powerdns.com> wrote:</div><div><br></div><div><br></div><div><div dir="ltr">On 08/03/2017 12:04 AM, Shawn Zhou wrote:<br clear="none">> I don't think that's the right behavior. If Client Subnet scope set to<br clear="none">> 0, resolver should not cache it.<br clear="none">> unbound DNS gives me the expected output as it cache has different<br clear="none">> entries for different client subnet. Why is pdns recursor's<br clear="none">> implementation different?<br clear="none"><br clear="none">rfc7871 states that a Client Subnet scope set to 0 should be cached and<br clear="none">is suitable for all networks in section 7.3.1:<br clear="none"><br clear="none"> Records that are cached as /0 because of a query's SOURCE PREFIX-<br clear="none"> LENGTH of 0 MUST be distinguished from those that are cached as /0<br clear="none"> because of a response's SCOPE PREFIX-LENGTH of 0. The former should<br clear="none"> only be used for other /0 queries that the Intermediate Resolver<br clear="none"> receives, but the latter is suitable as a response for all networks.<br clear="none"><br clear="none">It also hints so in section 7.3:<br clear="none"><br clear="none"> If no ECS option is contained in the response, the Intermediate<br clear="none"> Nameserver SHOULD treat this as being equivalent to having received a<br clear="none"> SCOPE PREFIX-LENGTH of 0, which is an answer suitable for all client<br clear="none"> addresses.<br clear="none"><br clear="none">Section 11.2 also states:<br clear="none"><br clear="none"> [...] to send a matching response with SCOPE<br clear="none"> PREFIX-LENGTH set to 0 to get it cached for all hosts.<br clear="none"><br clear="none"><br clear="none">I might of course be mistaken, but it seems to me that we are currently<br clear="none">doing the right thing.<div class="ydpc7d0cb52yqt5870069808" id="ydpc7d0cb52yqtfd49333"><br clear="none"><br clear="none">-- <br clear="none">Remi Gacogne<br clear="none">PowerDNS.COM BV - <a shape="rect" href="https://www.powerdns.com/" rel="nofollow" target="_blank">https://www.powerdns.com/</a><br clear="none"></div></div><div class="ydpc7d0cb52yqt5870069808" id="ydpc7d0cb52yqtfd65225">_______________________________________________<br clear="none">Pdns-users mailing list<br clear="none"><a shape="rect" href="mailto:Pdns-users@mailman.powerdns.com" rel="nofollow" target="_blank">Pdns-users@mailman.powerdns.com</a><br clear="none"><a shape="rect" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users" rel="nofollow" target="_blank">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br clear="none"></div></div></div></div></div></body></html>