[Pdns-users] pdns recursor edns-client-subnet caching problems
Shawn Zhou
shawnzhou00 at yahoo.com
Thu Aug 3 17:38:35 UTC 2017
Your explanation makes sense, but that still doesn't explain the original problems I see with pdns. See [1]. When pdns received the response for the 1st query, it should have a cache entry for scope prefix-length of 16 (btw, why don't I have that information when I dig against pdns?). When the 2nd query was fired against pdns, it recurses and gets a response. Shouldn't it have a different cache entry, as there is no edns client in the lookup so there is no scope prefix-length returned at all? The 3rd query should've returned the same IP as the 1st query, as the subnet provided was the same.
The cache implementation with edns client subnet for unbound dns works fine. See [2]. It seems to me this is a bug with pdns recursor.
[1]
root at DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8129
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126
;; Query time: 149 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:33 GMT 2017
;; MSG SIZE rcvd: 97
root at DFW01-CPS01:~# dig @localhost morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55653
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183
;; Query time: 35 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:46 GMT 2017
;; MSG SIZE rcvd: 123
root at DFW01-CPS01:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P3 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5744
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3589 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3589 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3589 IN A 192.33.31.183
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:25:57 GMT 2017
;; MSG SIZE rcvd: 123
[2]
root at PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11487
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 600 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns1.insnw.net.
insnw.net. 86400 IN NS ns2.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22
;; Query time: 1679 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:37 GMT 2017
;; MSG SIZE rcvd: 177
root at PAO03-ACCEL03:~# dig @localhost morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P2 <<>> @localhost morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8120
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3600 IN CNAME ins-091.inscname.net.
ins-091.inscname.net. 3600 IN CNAME a-sg08sl07.insnw.net.
a-sg08sl07.insnw.net. 3600 IN A 192.33.31.183
;; AUTHORITY SECTION:
insnw.net. 86391 IN NS ns1.insnw.net.
insnw.net. 86391 IN NS ns2.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86390 IN A 192.33.29.21
ns2.insnw.net. 86390 IN A 192.33.29.22
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:47 GMT 2017
;; MSG SIZE rcvd: 191
root at PAO03-ACCEL03:~# dig @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; <<>> DiG 9.11.0-P2 <<>> @localhost +subnet=52.57.28.138 morpheus-ien.insnw.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49704
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;morpheus-ien.insnw.net. IN A
;; ANSWER SECTION:
morpheus-ien.insnw.net. 3581 IN CNAME ien01-fra02.svc.insnw.net.
ien01-fra02.svc.insnw.net. 581 IN A 35.156.66.126
;; AUTHORITY SECTION:
insnw.net. 86381 IN NS ns1.insnw.net.
insnw.net. 86381 IN NS ns2.insnw.net.
;; ADDITIONAL SECTION:
ns1.insnw.net. 86381 IN A 192.33.29.21
ns2.insnw.net. 86381 IN A 192.33.29.22
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 03 17:26:56 GMT 2017
;; MSG SIZE rcvd: 177
On Thursday, August 3, 2017, 1:21:47 AM PDT, Remi Gacogne <remi.gacogne at powerdns.com> wrote:
On 08/03/2017 12:04 AM, Shawn Zhou wrote:
> I don't think that's the right behavior. If Client Subnet scope is set to
> 0, resolver should not cache it.
> unbound DNS gives me the expected output as its cache has different
> entries for different client subnet. Why is pdns recursor's
> implementation different?
rfc7871 states that a Client Subnet scope set to 0 should be cached and
is suitable for all networks in section 7.3.1:
    Records that are cached as /0 because of a query's SOURCE PREFIX-
    LENGTH of 0 MUST be distinguished from those that are cached as /0
    because of a response's SCOPE PREFIX-LENGTH of 0. The former should
    only be used for other /0 queries that the Intermediate Resolver
    receives, but the latter is suitable as a response for all networks.
It also hints so in section 7.3:
    If no ECS option is contained in the response, the Intermediate
    Nameserver SHOULD treat this as being equivalent to having received a
    SCOPE PREFIX-LENGTH of 0, which is an answer suitable for all client
    addresses.
Section 11.2 also states:
    [...] to send a matching response with SCOPE
    PREFIX-LENGTH set to 0 to get it cached for all hosts.
I might of course be mistaken, but it seems to me that we are currently
doing the right thing.
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
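The caching rules quoted from RFC 7871 in this thread, as a small Python model (an added example, not part of the thread and not PowerDNS or unbound code). `EcsCache`, `upstream`, `resolve` and `replay` are hypothetical names; the upstream answers are constructed from the dig output above, and choosing the longest matching prefix on lookup is an assumption of the sketch.

```python
import ipaddress

class EcsCache:
    """Toy ECS cache for a single <name, type>, modelling the RFC 7871 text quoted above."""

    def __init__(self):
        self.scoped = {}         # network -> answer, keyed by the response's SCOPE PREFIX-LENGTH
        self.source_zero = None  # cached as /0 only because the query's SOURCE PREFIX-LENGTH was 0

    def store(self, answer, addr, scope_len=None, source_len=None):
        if source_len == 0:
            self.source_zero = answer  # must stay separate from scope-/0 entries
            return
        # No ECS option in the response is treated as SCOPE PREFIX-LENGTH 0.
        scope = 0 if scope_len is None else scope_len
        self.scoped[ipaddress.ip_network(f"{addr}/{scope}", strict=False)] = answer

    def lookup(self, addr, source_len=None):
        ip = ipaddress.ip_address(addr)
        if source_len == 0:
            # A /0 query may use the /0-source entry or a scope-/0 entry, never a narrower one.
            if self.source_zero is not None:
                return self.source_zero
            return self.scoped.get(ipaddress.ip_network(f"{addr}/0", strict=False))
        # Assumption of this sketch: the longest matching prefix wins.
        hits = [n for n in self.scoped if ip in n]
        return self.scoped[max(hits, key=lambda n: n.prefixlen)] if hits else None

def upstream(addr):
    """Constructed authoritative: answers copied from the dig output in [1] and [2]."""
    if ipaddress.ip_address(addr) in ipaddress.ip_network("52.57.0.0/16"):
        return "35.156.66.126", 16   # scope /16, as in 'CLIENT-SUBNET: 52.57.28.138/32/16'
    return "192.33.31.183", None     # assumed: response carries no ECS option

def resolve(cache, addr):
    answer = cache.lookup(addr)
    if answer is not None:
        return answer, "hit"
    answer, scope = upstream(addr)
    cache.store(answer, addr, scope)
    return answer, "miss"

def replay():
    """The three queries from the thread: +subnet, no subnet (client is localhost), +subnet."""
    cache = EcsCache()
    return [resolve(cache, a) for a in ("52.57.28.138", "127.0.0.1", "52.57.28.138")]

if __name__ == "__main__":
    for answer, state in replay():
        print(state, answer)
```

Under these rules the third query is a cache hit on the /16 entry and returns 35.156.66.126, the sequence shown for unbound in [2].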