[dns-operations] EDNS client-subnet best practice?
Petr Špaček
petr.spacek at nic.cz
Wed Jun 3 13:52:26 UTC 2020
On 03. 06. 20 14:44, Chris Adams wrote:
> What is considered current best practice for recursive servers on
> enabling EDNS client-subnet?
>
> I ask because I have a couple of recursive DNS servers at an independent
> telephone company that are getting different answers for a certain large
> website. The servers are in the same subnet, but one gets an IP
> apparently in another country, while the other gets an IP in a nearby
> state. The servers are configured identically (CentOS 7 with Unbound).
>
> I emailed the website's NOC, and their response was that the issue was
> that "Most likely the issue is due to EDNS not being turned on with your
> DNS server." I assume they were talking about EDNS client-subnet
> (because they then gave an example dig with +subnet set).
>
> These servers are not configured to send client-subnet to anybody
> (pretty much default Unbound config). They aren't serving clients from
> outside the AS - I generally think of client-subnet as something you'd
> use on a DNS server with a wide range of clients. Is it expected that I
> should be enabling EDNS client-subnet on recursive servers?
>
> I do have some recursive servers that have a large set of clients (where
> client-subnet might be useful) - should I just enable it for all
> requests? In Unbound terms, enable "client-subnet-always-forward"?
In my view ECS is only useful if routing paths between:
a) resolver & Internet
b) client sending query to resolver & Internet
are different.
Netmasks in Unbound's max-client-subnet-ipv4/6 would ideally be as short as possible, covering just the prefix that causes the routing to differ and nothing more.
As for client-subnet-always-forward... I do not understand what the manual attempts to say :-/
--
Petr Špaček @ CZ.NIC
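To make the "as short as possible" prefix advice concrete, here is an added example (not from this thread and not Unbound's code) that builds and parses the EDNS Client Subnet option exactly as RFC 7871 lays it out on the wire, truncating the client address to a chosen SOURCE PREFIX-LENGTH the way a resolver's max-client-subnet-ipv4/ipv6 limit does before the option leaves the resolver. The addresses are constructed documentation-range values; the function names are this example's own.

```python
"""EDNS Client Subnet (ECS, RFC 7871) option encoder/decoder.

Added example, not code from the dns-operations thread or from Unbound.
Shows how a resolver scrubs the client address down to a configured
prefix length before forwarding it, and how a receiver should validate
what it gets (trailing bits beyond the prefix must be zero).
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8          # EDNS0 OPTION-CODE for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # IANA address family numbers used by ECS
ADDR_LEN = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}


def truncate(addr, prefix_len):
    """Return addr with every bit beyond prefix_len cleared (network address)."""
    net = ipaddress.ip_network((str(addr), prefix_len), strict=False)
    return net.network_address


def build_ecs_option(client_ip, source_prefix_len, scope_prefix_len=0):
    """Encode an ECS option for client_ip, revealing only source_prefix_len bits.

    The address field carries only ceil(prefix/8) octets, and the masked
    address guarantees the unused low bits in the last octet are zero,
    which is what RFC 7871 requires of the sender.
    """
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix_len <= addr.max_prefixlen:
        raise ValueError("source prefix length out of range for this family")
    masked = truncate(addr, source_prefix_len)
    nbytes = (source_prefix_len + 7) // 8
    payload = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len)
    payload += masked.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(data):
    """Decode and validate one ECS option; raises ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    payload = data[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("option body truncated")
    family, source_len, scope_len = struct.unpack("!HBB", payload[:4])
    if family not in ADDR_LEN:
        raise ValueError("unknown address family")
    addr_bytes = payload[4:]
    full_len = ADDR_LEN[family]
    if source_len > full_len * 8 or len(addr_bytes) != (source_len + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    # Pad the truncated address back to full width, then check that no bits
    # beyond the advertised prefix are set (RFC 7871 says they MUST be zero).
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    if addr != truncate(addr, source_len):
        raise ValueError("non-zero bits beyond source prefix length")
    return {
        "family": family,
        "source_prefix_len": source_len,
        "scope_prefix_len": scope_len,
        "address": addr,
    }


if __name__ == "__main__":
    # Constructed client addresses from the documentation ranges.
    for ip, plen in (("203.0.113.77", 24), ("2001:db8:1234:5678::1", 56)):
        opt = build_ecs_option(ip, plen)
        print(ip, "/", plen, "->", opt.hex(), parse_ecs_option(opt)["address"])
```

The only information an authoritative server ever sees is the masked address, so shortening the prefix in the resolver configuration (Unbound's max-client-subnet-ipv4 and max-client-subnet-ipv6) is a privacy decision as well as a routing one: a /24 for IPv4 is the common default, but a shorter prefix that still distinguishes the differently-routed client population gives the same answer selection while revealing less.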