I'm using cake on my debian 11 router and I decided to switch from best_effort to diffserv4 and follow The Ultimate guide here.
Everything seems to be ok, tc qdisc shows traffic being tunneled through different tins, and iptables is doing its job.
However there's one thing I couldn't implement so far: the automatic update of ipsets, since my router doesn't have dnsmasq, but bind9.
Is there a way of adding ips to the ipset the way dnsmasq-full does using bind9?
WAN <---> Debian router <---> Openwrt WiFi Ap/LAN switch <---> computers
EDIT: I don't want to install dnsmasq on the debian router because I already have a bunch of domains set up in bind9.
EDIT 2: Sorry if I sound off topic. I know I am, since I'm asking this for a debian router, not an openwrt one. The thing is that this forum is the only place I know where bufferbloat and cake related stuff is actively discussed for a broader audience. I tried joining the cake mailing list following advice from someone here on the forum, but that is high-level discussion for developers only, and the only question I asked there was not answered (which I perfectly understand). I hope you guys consider this.
Do you depend on using bind9 as the DNS resolver? Otherwise you may be able to use bind9 as authoritative DNS server and dnsmasq as recursive DNS resolver.
I did some reading to understand what you've suggested and I think that is doable.
In fact, bind9 as it is now in my router is acting both as authoritative and as a resolver.
Now, I'm hesitating between activating dnsmasq on openwrt or on another debian server I have, for the sake of resource availability, since this second server is more powerful than the Archer C7 where openwrt is installed...
Thanks for pointing me into this direction.
 https://www.digitalocean.com/community/tutorials/a-comparison-of-dns-server-types-how-to-choose-the-right-dns-configuration and also linked articles.
Just a follow-up.
I installed dnsmasq on the second debian server, so now I have an authoritative dns for the domain services on the debian router and a forward dns server on the other debian server.
Now I can get "dynamic" ipsets, updated by dnsmasq according to the settings in dnsmasq.conf.
Then I run a script (cron) that saves the ipsets on the dnsmasq server and another script (cron) that updates the ipsets on the router, so that iptables can mark traffic and cake do its job.
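
The router-side update step from the follow-up above, as an added example that is not part of the thread: it checks the `ipset save` text received from the dnsmasq host and rewrites it into an atomic swap for `ipset restore`, so a damaged or unexpected file cannot run other ipset commands on the router. The set names, `ALLOWED_SETS` and `build_restore` are assumptions, as is that the live sets already exist on the router as plain `hash:ip` sets with IPv4 members.

```shell
#!/bin/sh
# Added example, not from the thread. Set names are assumed placeholders.
ALLOWED_SETS="${ALLOWED_SETS:-streaming latsens}"

# Reads `ipset save` output on stdin, writes restore commands on stdout.
# Fails (status 1, no output) on any line that is not a create/add for an
# allowed hash:ip set, or if the input contains no set at all.
build_restore() {
    awk -v allowed="$ALLOWED_SETS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*$/ { next }
    $1 == "create" && ($2 in ok) && $3 == "hash:ip" {
        params = ""
        for (i = 4; i <= NF; i++) {
            # set parameters are plain words/numbers (family inet, hashsize 1024)
            if ($i !~ /^[a-z0-9]+$/) { bad = 1; exit }
            params = params " " $i
        }
        # fill a scratch set; the live set is only touched by the final swap
        out = out "create " $2 "_new hash:ip" params "\n"
        out = out "flush " $2 "_new\n"
        made[$2] = 1
        sets[++ns] = $2
        next
    }
    $1 == "add" && NF == 3 && ($2 in made) &&
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        out = out "add " $2 "_new " $3 "\n"
        next
    }
    { bad = 1; exit }   # anything else: flush, destroy, unknown set, junk
    END {
        if (bad || ns == 0) exit 1
        printf "%s", out
        for (i = 1; i <= ns; i++)
            print "swap " sets[i] "_new " sets[i] "\ndestroy " sets[i] "_new"
    }'
}

# Cron usage on the router (the file path is a placeholder):
#   build_restore < /path/to/ipsets.save > /tmp/ipsets.restore \
#       && ipset -exist restore < /tmp/ipsets.restore
```

Writing to a file first matters: piping straight into `ipset` would start the restore before validation has finished. `-exist` lets the run succeed when a scratch set was left behind by an earlier failed run.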