[Unbound-users] Old or incorrect information returned?

Haw Loeung
Fri Nov 6 13:44:53 CET 2009


On Fri, Nov 6th, 2009 at 6:30 PM, "W.C.A. Wijngaards" <wouter at NLnetLabs.nl> wrote:
> The TTL on the A record seems to be originally 86400 (24h).
> Thus if unbound sees the record just before it is changed, the
> old data stays around for 24 hours.  Unbound has a builtin
> cap that bounds this caching on a 24 hour term (by coincidence
> exactly the same value as the TTL on supre.com.au).  You see
> it with a 5h ttl, so, unbound saw it 19h before.  This is
> exactly according to DNS spec.
> 

But the NS records returned are still that of the old hosting providers. Let me try and explain it better.

For both domains, they have changed hosting providers and have redelegated their domains to the new providers. They are not our customers but have noticed that our users are having problems accessing their website because our resolvers are still returning old, and incorrect, information, so therefore our users are not hitting their new webservers.

They then contact us asking why this is the case and complain that other ISPs are returning the new, and _correct_, information about their domain.

Our staff member does a dig, then waits a day making sure that the TTL reaches 0 and our resolvers *should* look up the latest information. But somewhere it is caching old NS records.

So for supre.com.au, it has already been delegated away to hyperservers.com.au and cpanelhost.net.au as shown below:

=====
$ dig any supre.com.au @UDNS1.AUSREGISTRY.NET.au.

; <<>> DiG 9.6.1 <<>> any supre.com.au @UDNS1.AUSREGISTRY.NET.au.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2437
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;supre.com.au.                  IN      ANY

;; AUTHORITY SECTION:
supre.com.au.           14400   IN      NS      ns2.hyperservers.com.au.
supre.com.au.           14400   IN      NS      ns2.cpanelhost.net.au.
supre.com.au.           14400   IN      NS      ns1.hyperservers.com.au.
supre.com.au.           14400   IN      NS      ns1.cpanelhost.net.au.

;; ADDITIONAL SECTION:
ns1.hyperservers.com.au. 14400  IN      A       114.111.144.211
ns2.hyperservers.com.au. 14400  IN      A       114.111.144.212

;; Query time: 160 msec
;; SERVER: 156.154.100.18#53(156.154.100.18)
;; WHEN: Fri Nov  6 23:39:02 2009
;; MSG SIZE  rcvd: 162
=====


But the dig results I provided previously show something different.


> If you want things in unbound cache to be flushed out earlier
> than the owner intended, you can set cache-max-ttl: 86400
> to a lower value instead of restarting every day.
> 

I had lowered this value previously and still received reports about other domains.


> It could also be a bug where due to a miscalculation inside
> the resolver the TTL becomes -1 (or infinite), but although
> such a bug is fixed recently (in svn trunk) for DNSSEC bogus
> messages, my guess is you are not DNSSEC validating.
> 

Yeah, we're not doing DNSSEC validation just yet (that's on our TODO list). We've had this problem with other domains and so I tried using revision 1853.

=====
$ svn info
Path: .
URL: http://unbound.nlnetlabs.nl/svn/trunk
Repository Root: http://unbound.nlnetlabs.nl/svn
Repository UUID: be551aaa-1e26-0410-a405-d3ace91eadb9
Revision: 1853
Node Kind: directory
Schedule: normal
Last Changed Author: wouter
Last Changed Rev: 1853
Last Changed Date: 2009-09-26 01:20:29 +1000 (Sat, 26 Sep 2009)
=====

-- 
Haw Loeung
Systems Administrator
TPG Internet
http://www.tpg.com.au
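The check the poster's staff member does by hand (compare the parent's delegation with what the resolver still hands out) can be scripted; the following is an added example, not code from this thread or from Unbound, and the old-provider names in the resolver sample are hypothetical placeholders. It parses dig-style RR lines, reports an NS set that no longer matches the registry's AUTHORITY section, and flags any cached TTL above cache-max-ttl, which would point at a TTL miscalculation rather than ordinary caching.

```python
import re

# Constructed sample output, modelled on the dig listing in this thread.
# The AUTHORITY section from the parent (registry) server is the current delegation.
PARENT_DIG = """\
;; AUTHORITY SECTION:
supre.com.au.           14400   IN      NS      ns2.hyperservers.com.au.
supre.com.au.           14400   IN      NS      ns2.cpanelhost.net.au.
supre.com.au.           14400   IN      NS      ns1.hyperservers.com.au.
supre.com.au.           14400   IN      NS      ns1.cpanelhost.net.au.
"""
# Constructed answer from a recursive resolver still serving an old delegation;
# the old provider's names are hypothetical placeholders.
RESOLVER_DIG = """\
;; ANSWER SECTION:
supre.com.au.           61234   IN      NS      ns1.oldhost.example.
supre.com.au.           61234   IN      NS      ns2.oldhost.example.
"""

# owner  ttl  IN  type  rdata  (dig's tab-separated RR line)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_rrs(dig_text, name, rtype="NS"):
    """Return {rdata: ttl} for records of `rtype` owned by `name` (case-insensitive)."""
    records = {}
    for line in dig_text.splitlines():
        m = RR_LINE.match(line.strip())
        if m and m.group(1).lower() == name.lower() and m.group(3) == rtype:
            records[m.group(4).lower()] = int(m.group(2))
    return records


def check_delegation(parent_text, resolver_text, name, cache_max_ttl=86400):
    """Compare the resolver's cached NS set with the parent's delegation.

    `stale` is True when the sets differ; `missing`/`extra` name the difference;
    `over_cap` lists cached NS records whose TTL exceeds cache-max-ttl.
    """
    parent = parse_rrs(parent_text, name)
    cached = parse_rrs(resolver_text, name)
    return {
        "stale": set(parent) != set(cached),
        "missing": sorted(set(parent) - set(cached)),
        "extra": sorted(set(cached) - set(parent)),
        "over_cap": sorted(ns for ns, ttl in cached.items() if ttl > cache_max_ttl),
    }


if __name__ == "__main__":
    print(check_delegation(PARENT_DIG, RESOLVER_DIG, "supre.com.au."))
```

In practice the two inputs would be the output of `dig ns <zone> @<parent server>` and `dig ns <zone> @<your resolver>`; a non-empty `extra` list after the original TTL has expired is the symptom described in this thread.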