[dns-operations] bind + client-subnet
dnsops_x730df7439 at spamfaenger.f-streibelt.de
Tue Aug 13 15:43:39 UTC 2013
Am Di, 13.08.13 um 08:23:47 Uhr
schrieb Paul Vixie <paul at redbarn.org>:
> Evan Hunt wrote:
> >> but how to implement that? since local DNS server always has caching.
> > Yes, this is why I said it would be a big job to implement it in BIND. It
> > becomes necessary to cache multiple different answers to the same question.
> that's why it's controversial. it's effectively an expansion of the Q-Tuple.
IMHO it's more than just a simple expansion as the decision if its a hit is a bit fuzzy.
For each client request you have to check if the client IP is part of any scope in question and you have to order the checks in case you receive overlapping scopes from the upstream.
During my experiments I noticed e.g. for one IP to receive /15 as scope and for the next address (IP+1) to receive a /14.
This makes it hard to reproduce results, e.g. when debugging, and takes away even more transparency from DNS.
More information about the dns-operations