Maintained by: NLnet Labs

[Unbound-users] Setting max-time before servfail

Gareth Hopkins
Fri Jan 15 15:07:37 CET 2010


Hi,

I am in the process of moving a number of caching boxes to unbound.

One thing I have noticed is the time it takes for a servfail to get
generated should a domain not be available/visible.

Example.

With unbound I get a timeout (which some clients see as the DNS server
failing and not answering).

# dig bagmail.com mx @dnscache1-ctn.is.co.za

; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @unbound_server
;; global options: +cmd
;; connection timed out; no servers could be reached

With our current product I get a servfail.

# dig bagmail.com mx @current_cache

; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @dnscache2-ctn.is.co.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bagmail.com.                   IN      MX

;; Query time: 5000 msec

;; WHEN: Fri Jan 15 16:00:17 2010
;; MSG SIZE  rcvd: 29

The issue with this specific domain is that the NS servers, ns1 and
ns2.goldkey.com, don't exist.

bagmail.com.            172800  IN      NS      ns1.goldkey.com.
bagmail.com.            172800  IN      NS      ns2.goldkey.com.

unbound-control lookup on that domain shows the following:

# unbound-control lookup bagmail.com
The following name servers are used for lookup of bagmail.com.
;rrset 84946 2 0 2 0
bagmail.com.    171346  IN      NS      ns1.goldkey.com.
bagmail.com.    171346  IN      NS      ns2.goldkey.com.
;rrset 84946 1 0 1 0
ns2.goldkey.com.        171346  IN      A       206.83.79.29
;rrset 84946 1 0 1 0
ns1.goldkey.com.        171346  IN      A       64.95.64.222
Delegation with 2 names, of which 2 can be examined to query further
addresses.
It provides 2 IP addresses.
64.95.64.222            rtt 120000 msec, 12 lost. noEDNS probed.
206.83.79.29            rtt 120000 msec, 17 lost. noEDNS probed.

Is there any way to get unbound to return a servfail straight away?

Thanks

Gareth
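
The `unbound-control lookup` output quoted in the message above can be checked mechanically for a delegation where every listed server address is failing. The following is an added example, not part of the original post and not NLnet Labs code; the names `parse_lookup` and `delegation_unreachable` are hypothetical, and treating an rtt of 120000 msec as "unresponsive" is an assumption taken from the values shown in that output.

```python
import re

# Constructed sample: the `unbound-control lookup` output quoted in the post.
SAMPLE = """\
The following name servers are used for lookup of bagmail.com.
;rrset 84946 2 0 2 0
bagmail.com.    171346  IN      NS      ns1.goldkey.com.
bagmail.com.    171346  IN      NS      ns2.goldkey.com.
;rrset 84946 1 0 1 0
ns2.goldkey.com.        171346  IN      A       206.83.79.29
;rrset 84946 1 0 1 0
ns1.goldkey.com.        171346  IN      A       64.95.64.222
Delegation with 2 names, of which 2 can be examined to query further
addresses.
It provides 2 IP addresses.
64.95.64.222            rtt 120000 msec, 12 lost. noEDNS probed.
206.83.79.29            rtt 120000 msec, 17 lost. noEDNS probed.
"""

# Resource record lines: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")
# Per-address status lines: address, rtt in msec, lost-packet count.
INFRA = re.compile(r"^(\S+)\s+rtt (\d+) msec, (\d+) lost\.")
# Assumption of this example: an rtt at or above this marks a dead server.
DEAD_RTT_MSEC = 120000

def parse_lookup(text):
    """Return the NS names and per-address status found in the output."""
    ns_names, addr_owner, servers = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := RR.match(line):
            owner, rtype, rdata = m.groups()
            if rtype == "NS":
                ns_names.append(rdata)
            else:
                addr_owner[rdata] = owner   # map address back to its NS name
        elif m := INFRA.match(line):
            ip, rtt, lost = m.group(1), int(m.group(2)), int(m.group(3))
            servers.append({"ip": ip, "name": addr_owner.get(ip), "rtt": rtt,
                            "lost": lost, "dead": rtt >= DEAD_RTT_MSEC})
    return {"ns": ns_names, "servers": servers}

def delegation_unreachable(report):
    # True only when at least one address is listed and all of them are dead.
    return bool(report["servers"]) and all(s["dead"] for s in report["servers"])

if __name__ == "__main__":
    report = parse_lookup(SAMPLE)
    print(report["ns"], "unreachable:", delegation_unreachable(report))
```
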