[Pdns-users] pdns recursor edns-client-subnet caching problems
Shawn Zhou
shawnzhou00 at yahoo.com
Wed Aug 2 22:04:24 UTC 2017
I don't think that's the right behavior. If Client Subnet scope is set to 0, the resolver should not cache it. Unbound DNS gives me the expected output, as its cache has different entries for different client subnets. Why is pdns recursor's implementation different?
root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30374
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22
;; Query time: 38 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:39 GMT 2017
;; MSG SIZE rcvd: 177
root at DFW01-CPS02:~# dig @localhost morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15379
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183
;; AUTHORITY SECTION:
insnw.net. 86382 IN NS ns2.insnw.net.
insnw.net. 86382 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86382 IN A 192.33.29.21
ns2.insnw.net. 86382 IN A 192.33.29.22
;; Query time: 133 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:57 GMT 2017
;; MSG SIZE rcvd: 191
root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16040
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3578 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 578 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86378 IN NS ns2.insnw.net.
insnw.net. 86378 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86378 IN A 192.33.29.21
ns2.insnw.net. 86378 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:58:01 GMT 2017
;; MSG SIZE rcvd: 177
root at DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3792
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22
;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:08 GMT 2017
;; MSG SIZE rcvd: 177
root at DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53600
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3593 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 593 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86393 IN NS ns2.insnw.net.
insnw.net. 86393 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86393 IN A 192.33.29.21
ns2.insnw.net. 86393 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:15 GMT 2017
;; MSG SIZE rcvd: 177
root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21641
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3501 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 501 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86301 IN NS ns2.insnw.net.
insnw.net. 86301 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86301 IN A 192.33.29.21
ns2.insnw.net. 86301 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:18 GMT 2017
;; MSG SIZE rcvd: 177
root at DFW01-CPS02:~# dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12099
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b537fab859d0a708de980e0b59824b5bf67f0190c854a967 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183
;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Aug 02 21:59:55 GMT 2017
;; MSG SIZE rcvd: 231
root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10178
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3459 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 459 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86259 IN NS ns2.insnw.net.
insnw.net. 86259 IN NS ns1.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86259 IN A 192.33.29.21
ns2.insnw.net. 86259 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 22:00:00 GMT 2017
;; MSG SIZE rcvd: 177
On Wednesday, August 2, 2017, 2:02:43 AM PDT, Remi Gacogne <remi.gacogne at powerdns.com> wrote:
Hi Shawn,
On 08/02/2017 08:47 AM, Shawn Zhou wrote:
> Sorry. I meant the authoritative nameserver did respond with the correct answer.
The authoritative server answers with an EDNS Client Subnet scope set to
0 when we send a query with a source set to 127.0.0.1/32, meaning that
we can cache the answer and use it for any source:
$ dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; <<>> DiG 9.11.2 <<>> @ns1.insnw.net +subnet=127.0.0.1
morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41118
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b560d095f78df047eb13a9a85981941eb2b38c5376e87bb2 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
[...]
Once this answer is in our cache, we will use it until it expires and
won't look for most specific answers, regardless of the ECS value of the
query.
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
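
A toy model of the two cache lookup policies discussed in this thread, added here as an example; it is not PowerDNS or Unbound code. The `EcsCache` class, its `scope_zero_wins` flag and the client 198.51.100.7 are assumptions made for illustration; the answers and scope lengths are the ones shown in the dig output above.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")  # what a scope of 0 covers (IPv4 only here)

class EcsCache:
    """Toy ECS-aware answer cache: qname -> {covered network: answer}."""

    def __init__(self, scope_zero_wins):
        # True  = once a scope-0 answer is cached it is served to every client
        # False = the most specific cached network containing the client wins
        self.scope_zero_wins = scope_zero_wins
        self.entries = {}

    def store(self, qname, source, scope_len, answer):
        # The answer is valid for the source address truncated to the scope length.
        net = ipaddress.ip_network(f"{source}/{scope_len}", strict=False)
        self.entries.setdefault(qname, {})[net] = answer

    def lookup(self, qname, client_ip):
        nets = self.entries.get(qname, {})
        if self.scope_zero_wins and ANY in nets:
            return nets[ANY]
        addr = ipaddress.ip_address(client_ip)
        covering = [n for n in nets if addr in n]
        if not covering:
            return None  # a real resolver would query upstream here
        return nets[max(covering, key=lambda n: n.prefixlen)]

def replay(scope_zero_wins):
    """Store the two answers seen in the thread, then look up two clients."""
    qname = "morpheus-ien.insnw.net."
    cache = EcsCache(scope_zero_wins)
    cache.store(qname, "52.57.28.138", 16, "35.156.66.126")  # CLIENT-SUBNET .../32/16
    cache.store(qname, "127.0.0.1", 0, "192.33.31.183")      # CLIENT-SUBNET .../32/0
    return {
        "52.57.28.138": cache.lookup(qname, "52.57.28.138"),
        "198.51.100.7": cache.lookup(qname, "198.51.100.7"),  # constructed client
    }

if __name__ == "__main__":
    print("scope-0 entry wins:", replay(True))
    print("longest match wins:", replay(False))
```

With `scope_zero_wins=True` both clients receive the scope-0 answer; with longest-match lookup the 52.57.0.0/16 client keeps its subnet-specific answer and only uncovered clients fall back to the scope-0 entry.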