
List:       unbound-users
Subject:    Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)
From:       "A. Schulze via Unbound-users" <unbound-users () unbound ! net>
Date:       2017-04-24 12:06:03
Message-ID: 20170424140603.Horde.XQlIEpw1QMthPpnzG5ab47l () andreasschulze ! de


Ralph Dolmans via Unbound-users:

> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.
Found it!
(for queries sent to IPv4 as well as IPv6 name servers)

And, surprise:
the data aren't unknown to Wireshark :-)

> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.
Isn't it better to document a security pitfall than to let users tap in?
At least the doc may explicitly mention the security impact.

Another question (man 5 unbound.conf):

   ... When an answer contains the ECS option the response and the
   option are placed in a specialized cache.

I read it as:
   unbound sends a query + ECS option to a nameserver. The response
   from the nameserver also contains an ECS option to indicate support.
   unbound places the answer in a separate cache.

-> correct? -> why a separate cache?

thanks for your patience,
Andreas
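As an added illustration (not code from Unbound or from this thread) of the two points raised above: the wire format of the ECS option that Wireshark decodes, and why an answer carrying a SCOPE PREFIX-LENGTH is kept apart from ordinary answers, since it may only be served to clients inside that scope. The encoder, decoder and the EcsCache class below are my own constructions following RFC 7871; the qname and addresses are constructed sample values.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def encode_ecs(address, source_prefix, scope_prefix=0):
    """Build one EDNS0 option: OPTION-CODE, OPTION-LENGTH, FAMILY,
    SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2          # 1 = IPv4, 2 = IPv6
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8             # only the prefix bytes go on the wire
    addr_bytes = net.network_address.packed[:nbytes]  # host bits beyond the prefix are zero
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option):
    """Parse an ECS option back into its fields; the address is padded to full length."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    body = option[4:4 + length]
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr = body[4:]
    full_len = 4 if family == 1 else 16
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    ip = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
    return {"family": family, "source": source, "scope": scope, "address": ip}


class EcsCache:
    """Answers tagged with a scope are valid only for clients inside that scope prefix,
    so they cannot share the key space of the ordinary (client-independent) cache."""

    def __init__(self):
        self._entries = []  # (qname, scope network, answer)

    def store(self, qname, ecs, answer):
        scope_net = ipaddress.ip_network(f"{ecs['address']}/{ecs['scope']}", strict=False)
        self._entries.append((qname, scope_net, answer))

    def lookup(self, qname, client_ip):
        ip = ipaddress.ip_address(client_ip)
        for name, scope_net, answer in self._entries:
            if name == qname and ip in scope_net:   # version mismatch is simply no match
                return answer
        return None
```

A scope of 0 in the response yields a 0.0.0.0/0 (or ::/0) entry, i.e. the nameserver said the answer was not tailored to the client subnet.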

