[Pdns-users] pdns recursor edns-client-subnet caching problems

Shawn Zhou shawnzhou00 at yahoo.com
Wed Aug 2 22:04:24 UTC 2017


I don't think that's the right behavior. If Client Subnet scope is set to 0, resolver should not cache it. unbound DNS gives me the expected output as its cache has different entries for different client subnet. Why is pdns recursor's implementation different?

root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30374
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86400    IN    NS    ns2.insnw.net.
insnw.net.        86400    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86400    IN    A    192.33.29.21
ns2.insnw.net.        86400    IN    A    192.33.29.22

;; Query time: 38 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:39 GMT 2017
;; MSG SIZE  rcvd: 177

root at DFW01-CPS02:~# dig @localhost morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15379
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ins-091.inscname.net.
ins-091.inscname.net.    3600    IN    CNAME    a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.    3600    IN    A    192.33.31.183

;; AUTHORITY SECTION:
insnw.net.        86382    IN    NS    ns2.insnw.net.
insnw.net.        86382    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86382    IN    A    192.33.29.21
ns2.insnw.net.        86382    IN    A    192.33.29.22

;; Query time: 133 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:57:57 GMT 2017
;; MSG SIZE  rcvd: 191

root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16040
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3578    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 578    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86378    IN    NS    ns2.insnw.net.
insnw.net.        86378    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86378    IN    A    192.33.29.21
ns2.insnw.net.        86378    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:58:01 GMT 2017
;; MSG SIZE  rcvd: 177

root at DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3792
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86400    IN    NS    ns2.insnw.net.
insnw.net.        86400    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86400    IN    A    192.33.29.21
ns2.insnw.net.        86400    IN    A    192.33.29.22

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:08 GMT 2017
;; MSG SIZE  rcvd: 177

root at DFW01-CPS02:~# dig @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=35.156.66.126 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53600
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 35.156.66.126/32/14
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3593    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 593    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86393    IN    NS    ns2.insnw.net.
insnw.net.        86393    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86393    IN    A    192.33.29.21
ns2.insnw.net.        86393    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:15 GMT 2017
;; MSG SIZE  rcvd: 177

root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21641
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3501    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 501    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86301    IN    NS    ns2.insnw.net.
insnw.net.        86301    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86301    IN    A    192.33.29.21
ns2.insnw.net.        86301    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 21:59:18 GMT 2017
;; MSG SIZE  rcvd: 177

root at DFW01-CPS02:~# dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12099
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b537fab859d0a708de980e0b59824b5bf67f0190c854a967 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3600    IN    CNAME    ins-091.inscname.net.
ins-091.inscname.net.    3600    IN    CNAME    a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net.    3600    IN    A    192.33.31.183

;; AUTHORITY SECTION:
insnw.net.        86400    IN    NS    ns2.insnw.net.
insnw.net.        86400    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86400    IN    A    192.33.29.21
ns2.insnw.net.        86400    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Aug 02 21:59:55 GMT 2017
;; MSG SIZE  rcvd: 231

root at DFW01-CPS02:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net

; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10178
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net.        IN    A

;; ANSWER SECTION:
morpheus-ien.insnw.net.    3459    IN    CNAME    ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 459    IN    A    35.156.66.126

;; AUTHORITY SECTION:
insnw.net.        86259    IN    NS    ns2.insnw.net.
insnw.net.        86259    IN    NS    ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.        86259    IN    A    192.33.29.21
ns2.insnw.net.        86259    IN    A    192.33.29.22

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 02 22:00:00 GMT 2017
;; MSG SIZE  rcvd: 177

On Wednesday, August 2, 2017, 2:02:43 AM PDT, Remi Gacogne <remi.gacogne at powerdns.com> wrote:

Hi Shawn,

On 08/02/2017 08:47 AM, Shawn Zhou wrote:
> Sorry. I meant the authoritative nameserver did respond with the correct answer. 

The authoritative server answers with an EDNS Client Subnet scope set to
0 when we send a query with a source set to 127.0.0.1/32, meaning that
we can cache the answer and use it for any source:

$ dig @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net

; <<>> DiG 9.11.2 <<>> @ns1.insnw.net +subnet=127.0.0.1 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41118
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b560d095f78df047eb13a9a85981941eb2b38c5376e87bb2 (good)
; CLIENT-SUBNET: 127.0.0.1/32/0
[...]

Once this answer is in our cache, we will use it until it expires and
won't look for most specific answers, regardless of the ECS value of the
query.

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
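
A simplified model of the scope semantics discussed in this thread, added here as an example (it is not PowerDNS or unbound code): each answer is keyed by the ECS address truncated to the scope prefix length from dig's `CLIENT-SUBNET: address/source/scope` line, so a scope of 0 covers every client, and lookup is longest-prefix as in RFC 7871's caching rules. The names `EcsCache`, `cache_network` and `build_cache` are hypothetical, TTL expiry is left out, and the sample entries reuse values from the dig output above.

```python
import ipaddress
import re

ECS_RE = re.compile(r"CLIENT-SUBNET:\s*(\S+)/(\d+)/(\d+)")
QNAME = "morpheus-ien.insnw.net."

def parse_client_subnet(line):
    """Split dig's 'CLIENT-SUBNET: addr/source/scope' into its three fields."""
    m = ECS_RE.search(line)
    if m is None:
        raise ValueError("no CLIENT-SUBNET option in line")
    return ipaddress.ip_address(m.group(1)), int(m.group(2)), int(m.group(3))

def cache_network(line):
    """Network the answer is valid for: the address truncated to the scope length."""
    addr, source_len, scope_len = parse_client_subnet(line)
    # Model choice (assumption): never key on more bits than the source prefix sent.
    prefix = min(scope_len, source_len)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class EcsCache:
    def __init__(self):
        self.entries = {}  # qname -> list of (network, answer)

    def store(self, qname, ecs_line, answer):
        self.entries.setdefault(qname, []).append((cache_network(ecs_line), answer))

    def lookup(self, qname, client):
        """Return the (network, answer) with the longest prefix covering client."""
        ip = ipaddress.ip_address(client)
        hits = [e for e in self.entries.get(qname, []) if ip in e[0]]
        return max(hits, key=lambda e: e[0].prefixlen, default=None)

def build_cache():
    # ECS lines and answers are taken from the dig output in this post;
    # combining them into one cache is constructed for the example.
    cache = EcsCache()
    cache.store(QNAME, "; CLIENT-SUBNET: 52.57.28.138/32/16", "35.156.66.126")
    cache.store(QNAME, "; CLIENT-SUBNET: 35.156.66.126/32/14", "35.156.66.126")
    cache.store(QNAME, "; CLIENT-SUBNET: 127.0.0.1/32/0", "192.33.31.183")
    return cache

if __name__ == "__main__":
    cache = build_cache()
    # 198.51.100.7 is a documentation address with no specific entry.
    for client in ("52.57.200.1", "35.157.1.1", "198.51.100.7"):
        network, answer = cache.lookup(QNAME, client)
        print(f"{client:>14} -> {answer} (entry {network})")
```
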