Maintained by: NLnet Labs

[Unbound-users] bug? at least a difference in behaviour

Leen Besselink
Sun Sep 6 11:23:14 CEST 2009


Hi,

The following domains are 'down':
nmap.org
insecure.org

And I noticed that Unbound has different behaviour than I'm used to.

It seems the nameservers for those domains: ns1.titan.net. [64.13.134.58] and ns2.titan.net. [64.13.134.59] don't respond to questions about those domains.

And I noticed a difference in behaviour in Unbound 1.3 in comparison with Unbound 1.2 forwarding to 2 PowerDNS-recursors.

Unbound 1.3 is operating on OpenBSD 4.5, linked libs: event internal, ldns 1.6.0_20090602, OpenSSL 0.9.8j 07 Jan 2009, linked modules: validator iterator
Unbound 1.2 is operating on OpenBSD 4.4, linked libs: event internal, ldns 1.6.0_20090602, OpenSSL 0.9.8j 07 Jan 2009, linked modules: validator iterator

The first one is operating on its own, the second is forwarding its queries to 2 PowerDNS-recursors and is hardly ever used, just for internal DNS.

This works:

When I sent the Unbound 1.2 (which forwards to PowerDNS) the following request:

$ dig nmap.org ns | grep IN
;nmap.org.                      IN      NS
nmap.org.               85325   IN      NS      ns1.titan.net.
nmap.org.               85325   IN      NS      ns2.titan.net.
ns1.titan.net.          171725  IN      A       64.13.134.58
ns2.titan.net.          171725  IN      A       64.13.134.59

When I send the same request to Unbound 1.3, I get no answer at all.

This is not just because the PowerDNS-recursors still have those nameservers in cache, because:

$ dig +short org ns
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
d0.org.afilias-nst.org.
a0.org.afilias-nst.info.
b2.org.afilias-nst.org.
b0.org.afilias-nst.org.

$ dig +norec @c0.org.afilias-nst.info. nmap.org ns | grep IN
;nmap.org.                      IN      NS
nmap.org.               86400   IN      NS      ns2.titan.net.
nmap.org.               86400   IN      NS      ns1.titan.net.

$ dig +short net ns
l.gtld-servers.net.
j.gtld-servers.net.
c.gtld-servers.net.
k.gtld-servers.net.
e.gtld-servers.net.
i.gtld-servers.net.
b.gtld-servers.net.
d.gtld-servers.net.
g.gtld-servers.net.
m.gtld-servers.net.
a.gtld-servers.net.
h.gtld-servers.net.
f.gtld-servers.net.


$ dig +short +norec @l.gtld-servers.net. ns2.titan.net.
64.13.134.59

Hope this was helpful.

Have a nice day,
	Leen Besselink.