-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Chris, I notice that the servers for 2.112.119.209.in-addr.arpa. are recursion-lame. They are not authoritative, but recursive for that zone. This is why unbound refuses to accept the answer, and tries other servers. However, the servers are identical. The servers are also open recursors. As for the run time, that could be because you have a freshly started unbound, with an empty cache. That means it has to spend time to fetch com, org, root data. I tested quickly, empty cache + query for www.google.com and google.org, then www.xo.com and it takes 250 msec only (twice as fast as your number), although that could be just luck. I am prepared to make fallback code that handles 'all servers are recursive instead of authoritative'-error, and send a +RD(recursion desired) query there, but only as a last resort. It is unsafe you see, that caching recursive server may have been cache poisoned. Thank you for the detailed error report. Best regards, Wouter Chris Smith wrote: > Hello, > > New to the list and running unbound svn rev 1281. > > With unbound I'm not able to successfully resolve a particular IP address and > the query times are very long compared to bind. Also dig's "+trace" does not > appear to work from systems on my lan. > ===================================================================== > BIND: > ===================================================================== > davinci ~ # dig www.xo.com > > ; <<>> DiG 9.5.0-P2 <<>> www.xo.com > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10842 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;www.xo.com. IN A > > ;; ANSWER SECTION: > www.xo.com. 10800 IN A 205.158.160.76 > > ;; AUTHORITY SECTION: > . 517541 IN NS E.ROOT-SERVERS.NET. > . 517541 IN NS H.ROOT-SERVERS.NET. > . 517541 IN NS A.ROOT-SERVERS.NET. > . 517541 IN NS J.ROOT-SERVERS.NET. > . 517541 IN NS F.ROOT-SERVERS.NET. > . 517541 IN NS M.ROOT-SERVERS.NET. > . 517541 IN NS L.ROOT-SERVERS.NET. > . 517541 IN NS K.ROOT-SERVERS.NET. > . 517541 IN NS G.ROOT-SERVERS.NET. > . 517541 IN NS D.ROOT-SERVERS.NET. > . 517541 IN NS B.ROOT-SERVERS.NET. > . 517541 IN NS C.ROOT-SERVERS.NET. > . 517541 IN NS I.ROOT-SERVERS.NET. > > ;; Query time: 96 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:19:18 2008 > ;; MSG SIZE rcvd: 255 > > davinci ~ # dig -x 205.158.160.76 > > ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76 > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38857 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;76.160.158.205.in-addr.arpa. IN PTR > > ;; ANSWER SECTION: > 76.160.158.205.in-addr.arpa. 43200 IN PTR xonlbvip.pla.dc.xo.com. > > ;; AUTHORITY SECTION: > . 517534 IN NS M.ROOT-SERVERS.NET. > . 517534 IN NS K.ROOT-SERVERS.NET. > . 517534 IN NS H.ROOT-SERVERS.NET. > . 517534 IN NS A.ROOT-SERVERS.NET. > . 517534 IN NS E.ROOT-SERVERS.NET. > . 517534 IN NS D.ROOT-SERVERS.NET. > . 517534 IN NS B.ROOT-SERVERS.NET. > . 517534 IN NS J.ROOT-SERVERS.NET. > . 517534 IN NS I.ROOT-SERVERS.NET. > . 517534 IN NS F.ROOT-SERVERS.NET. > . 517534 IN NS C.ROOT-SERVERS.NET. > . 517534 IN NS G.ROOT-SERVERS.NET. > . 517534 IN NS L.ROOT-SERVERS.NET. > > ;; Query time: 69 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:19:25 2008 > ;; MSG SIZE rcvd: 292 > > davinci ~ # dig -x 209.119.112.2 > > ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2 > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;2.112.119.209.in-addr.arpa. IN PTR > > ;; ANSWER SECTION: > 2.112.119.209.in-addr.arpa. 10800 IN PTR smtp.hq.theauditors.com. > > ;; AUTHORITY SECTION: > . 517521 IN NS D.ROOT-SERVERS.NET. > . 517521 IN NS B.ROOT-SERVERS.NET. > . 517521 IN NS C.ROOT-SERVERS.NET. > . 517521 IN NS A.ROOT-SERVERS.NET. > . 517521 IN NS M.ROOT-SERVERS.NET. > . 517521 IN NS K.ROOT-SERVERS.NET. > . 517521 IN NS L.ROOT-SERVERS.NET. > . 517521 IN NS E.ROOT-SERVERS.NET. > . 517521 IN NS I.ROOT-SERVERS.NET. > . 517521 IN NS J.ROOT-SERVERS.NET. > . 517521 IN NS F.ROOT-SERVERS.NET. > . 517521 IN NS G.ROOT-SERVERS.NET. > . 517521 IN NS H.ROOT-SERVERS.NET. > > ;; Query time: 63 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:19:38 2008 > ;; MSG SIZE rcvd: 292 > ===================================================================== > UNBOUND-SVN revision 1281: > ===================================================================== > davinci ~ # dig www.xo.com > > ; <<>> DiG 9.5.0-P2 <<>> www.xo.com > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20202 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 > > ;; QUESTION SECTION: > ;www.xo.com. IN A > > ;; ANSWER SECTION: > www.xo.com. 10800 IN A 205.158.160.76 > > ;; AUTHORITY SECTION: > xo.com. 10800 IN NS ns2.xo.com. > xo.com. 10800 IN NS ns3.xo.com. > xo.com. 10800 IN NS ns1.xo.com. > > ;; ADDITIONAL SECTION: > ns1.xo.com. 10800 IN A 207.155.248.16 > ns2.xo.com. 10800 IN A 207.155.252.16 > ns3.xo.com. 10800 IN A 207.88.20.31 > > ;; Query time: 562 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:19:55 2008 > ;; MSG SIZE rcvd: 146 > > davinci ~ # dig -x 205.158.160.76 > > ; <<>> DiG 9.5.0-P2 <<>> -x 205.158.160.76 > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28887 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;76.160.158.205.in-addr.arpa. IN PTR > > ;; ANSWER SECTION: > 76.160.158.205.in-addr.arpa. 43200 IN PTR xonlbvip.pla.dc.xo.com. > > ;; AUTHORITY SECTION: > 160.158.205.in-addr.arpa. 43200 IN NS nameserver.concentric.net. > 160.158.205.in-addr.arpa. 43200 IN NS nameserver1.concentric.net. > 160.158.205.in-addr.arpa. 43200 IN NS nameserver2.concentric.net. > 160.158.205.in-addr.arpa. 43200 IN NS nameserver3.concentric.net. > 160.158.205.in-addr.arpa. 10800 IN NS ns1.pla.dc.xo.com. > 160.158.205.in-addr.arpa. 43200 IN NS ns1.pla.dc.xo.com. > > ;; Query time: 731 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:20:06 2008 > ;; MSG SIZE rcvd: 230 > > davinci ~ # dig -x 209.119.112.2 > > ; <<>> DiG 9.5.0-P2 <<>> -x 209.119.112.2 > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62990 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;2.112.119.209.in-addr.arpa. IN PTR > > ;; Query time: 765 msec > ;; SERVER: 192.168.107.4#53(192.168.107.4) > ;; WHEN: Fri Oct 3 10:20:17 2008 > ;; MSG SIZE rcvd: 44 > ===================================================================== > > Notice that "dig -x 209.119.112.2" receives no answer when using unbound. > _______________________________________________ > Unbound-users mailing list > Unbound-users at unbound.net > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjnMYsACgkQkDLqNwOhpPjA7ACfckD4TmNQXunRnu3ekuGuYpGx OwMAnjZy1o1cVkx8RogHXJEzuryQrPqt =WGC2 -----END PGP SIGNATURE-----