Maintained by: NLnet Labs

[Unbound-users] Setting max-time before servfail

W.C.A. Wijngaards
Fri Jan 15 19:06:40 CET 2010



Hi Gareth,

The lookup is really taking very long and unbound assumes that you
should keep waiting for the answer.  Unbound does not know what the
timeout of the client is, so cannot tell it servfail.

Perhaps the clients should have longer timeouts?  Or how else can they
insist on an answer within some time?  This is not part of the DNS
protocol?  They are obviously broken.

Now, to step back from ranting about broken other stuff, in reality, you
want stuff to work.  Right now unbound does not do what you want.  What
would work well?

Best regards,
   Wouter

On 01/15/2010 03:07 PM, Gareth Hopkins wrote:
> Hi,
> 
> I am in the process of moving a number of caching boxes to unbound.
> 
> One thing I have noticed is the time it takes for a servfail to get
> generated should a domain not be available/visible.
> 
> Example.
> 
> With unbound I get a timeout (which some clients see as the dns server
> failing and not answering)
> 
> # dig bagmail.com mx @dnscache1-ctn.is.co.za
> 
> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @unbound_server
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> With our current product I get a servfail.
> 
> # dig bagmail.com mx @current_cache
> 
> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @dnscache2-ctn.is.co.za
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35397
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;bagmail.com.                   IN      MX
> 
> ;; Query time: 5000 msec
> 
> ;; WHEN: Fri Jan 15 16:00:17 2010
> ;; MSG SIZE  rcvd: 29
> 
> The issue with this specific domain is the NS servers, ns1 and
> ns2.goldkey.com don't exist
> 
> bagmail.com.            172800  IN      NS      ns1.goldkey.com.
> bagmail.com.            172800  IN      NS      ns2.goldkey.com.
> 
> unbound-control lookup on that domain shows the following
> 
> # unbound-control lookup bagmail.com
> The following name servers are used for lookup of bagmail.com.
> ;rrset 84946 2 0 2 0
> bagmail.com.    171346  IN      NS      ns1.goldkey.com.
> bagmail.com.    171346  IN      NS      ns2.goldkey.com.
> ;rrset 84946 1 0 1 0
> ns2.goldkey.com.        171346  IN      A       206.83.79.29
> ;rrset 84946 1 0 1 0
> ns1.goldkey.com.        171346  IN      A       64.95.64.222
> Delegation with 2 names, of which 2 can be examined to query further
> addresses.
> It provides 2 IP addresses.
> 64.95.64.222            rtt 120000 msec, 12 lost. noEDNS probed.
> 206.83.79.29            rtt 120000 msec, 17 lost. noEDNS probed.
> 
> Is there any way to get unbound to return a servfail straight away?
> 
> Thanks
> 
> Gareth
> 

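As an added example (not from this thread and not Unbound's own code), a small parser for the `unbound-control lookup` output quoted above: it reads the NS records and the per-address `rtt ... lost` lines and flags a delegation whose every known address sits at the rtt ceiling with lost queries, so an operator can spot lame delegations from the cache's own view before clients run into the timeout. The sample text is constructed from the quoted output, and treating 120000 msec as the unresponsive ceiling is an assumption taken from that output.

```python
import re

# Constructed sample, modelled on the `unbound-control lookup` output quoted
# in the thread (names and addresses are the ones from the quoted message).
SAMPLE = """\
The following name servers are used for lookup of bagmail.com.
;rrset 84946 2 0 2 0
bagmail.com.    171346  IN      NS      ns1.goldkey.com.
bagmail.com.    171346  IN      NS      ns2.goldkey.com.
;rrset 84946 1 0 1 0
ns2.goldkey.com.        171346  IN      A       206.83.79.29
;rrset 84946 1 0 1 0
ns1.goldkey.com.        171346  IN      A       64.95.64.222
Delegation with 2 names, of which 2 can be examined to query further addresses.
It provides 2 IP addresses.
64.95.64.222            rtt 120000 msec, 12 lost. noEDNS probed.
206.83.79.29            rtt 120000 msec, 17 lost. noEDNS probed.
"""

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
RTT_LINE = re.compile(r"^(\S+)\s+rtt (\d+) msec, (\d+) lost\.")

# Assumption: the 120000 msec value seen in the thread's output is the
# ceiling an address reaches only after repeated unanswered queries.
RTT_CEILING_MSEC = 120000


def parse_lookup(text):
    """Return (ns_names, {address: (rtt_msec, lost)}) from lookup output."""
    ns_names, servers = [], {}
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m:
            ns_names.append(m.group(2))
            continue
        m = RTT_LINE.match(line)
        if m:
            servers[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ns_names, servers


def dead_delegation(text, rtt_ceiling=RTT_CEILING_MSEC, min_lost=1):
    """True when every probed address is at the rtt ceiling with lost
    queries, i.e. no server of the delegation has answered recently."""
    _, servers = parse_lookup(text)
    if not servers:
        return False  # nothing probed yet, so nothing can be judged
    return all(rtt >= rtt_ceiling and lost >= min_lost
               for rtt, lost in servers.values())
```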