List: unbound-users
Subject: Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)
From: "A. Schulze via Unbound-users" <unbound-users () unbound ! net>
Date: 2017-04-24 12:06:03
Message-ID: 20170424140603.Horde.XQlIEpw1QMthPpnzG5ab47l () andreasschulze ! de
Ralph Dolmans via Unbound-users:
> Are you sure you are not looking at subqueries generated by Unbound,
> like root priming queries or queries for the DNSKEY? We do not add ECS
> data to these queries.
found it!
(for queries sent to ipv4 as well as ipv6 name servers)
and, surprise:
the data aren't unknown to wireshark :-)
> I do not think we should document the any address case. Sending (privacy
> sensitive) ECS data to all nameservers does not sound like a wise thing
> to do.
Isn't it better to document a security pitfall than to let users fall into it?
At least the doc may explicitly mention the security impact.
Other question (man 5 unbound.conf)
... When an answer contains the ECS option the response and the
option are placed in a specialized cache.
I read it as:
unbound sends a query + ECS option to a nameserver. The response from the nameserver also contains an ECS option to indicate support. unbound places the answer in a separate cache.
-> correct? -> why a separate cache?
thanks for your patience,
Andreas
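One way to check which outgoing queries actually carry ECS data, as discussed in this message (an added example, not part of the original post and not Unbound's code): decode the EDNS Client Subnet option (option code 8, RFC 7871) from a raw DNS query. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option (RFC 7871)
OPT_RR_TYPE = 41     # EDNS0 OPT pseudo-record
FAMILIES = {1: (4, ipaddress.IPv4Network), 2: (16, ipaddress.IPv6Network)}

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes
            return off + 2
        off += 1 + length

def ecs_from_query(msg):
    """Return (client_network, scope_prefix_len), or None if no ECS is sent."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_RR_TYPE and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code != ECS_OPTION_CODE or len(body) < 4:
                continue
            family, src_len, scope_len = struct.unpack("!HBB", body[:4])
            if family not in FAMILIES:
                continue
            size, net_cls = FAMILIES[family]
            addr = body[4:].ljust(size, b"\0")[:size]  # address is truncated on the wire
            return net_cls((addr, src_len), strict=False), scope_len
    return None

# Constructed sample: query for example.com A carrying ECS 192.0.2.0/24.
SAMPLE_QUERY = (
    struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, 11)
    + struct.pack("!HHHBB", ECS_OPTION_CODE, 7, 1, 24, 0) + bytes([192, 0, 2])
)

if __name__ == "__main__":
    print(ecs_from_query(SAMPLE_QUERY))
```

A query without the option, such as the subqueries mentioned in the quoted reply, yields `None`.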