Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.2 (svn 2010-01-15) odd behavior

Mike Emigh
Tue Jan 19 19:48:57 CET 2010


Hey Guys,

I found an interesting problem with version 1.4.2 which I pulled from
SVN on Friday.  The problem is related to the handling of parent-child
disagreement domains.

When trying to perform a looking for www.hkolympic.org.  The parent
responds with:

[1263926394] unbound[10255:0] info: reply from <com.> 192.33.14.30#53
[1263926394] unbound[10255:0] info: incoming scrubbed packet: ;;
->>HEADER<<- op code: QUERY, rcode: NOERROR, id: 0
;; flags: qr ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;; ns1.apptailor.com.   IN      A

;; ANSWER SECTION:
ns1.apptailor.com.      172800  IN      A       202.181.169.75

;; AUTHORITY SECTION:
apptailor.com.  172800  IN      NS      ns1.apptailor.com.
apptailor.com.  172800  IN      NS      ns2.apptailor.com.

;; ADDITIONAL SECTION:
ns2.apptailor.com.      172800  IN      A       202.181.167.233

;; Query time: 0 msec
;; WHEN: Wed Dec 31 19:00:00 1969
;; MSG SIZE  rcvd: 99

But then ns1.apptailor.com responds with:

[1263926394] unbound[10255:0] info: response for <ns1.apptailor.com. A IN>
[1263926394] unbound[10255:0] info: reply from <apptailor.com.>
202.181.167.233# 53
[1263926394] unbound[10255:0] info: incoming scrubbed packet: ;;
->>HEADER<<- op code: QUERY, rcode: NOERROR, id: 0
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; ns1.apptailor.com.   IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
ns1.apptailor.com.      14400   IN      NS      202.181.169.75.apptailor.com.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Dec 31 19:00:00 1969
;; MSG SIZE  rcvd: 64


And then finally:
[1263926394] unbound[10255:0] info: response for
<202.181.169.75.apptailor.com. A IN>
[1263926394] unbound[10255:0] info: reply from <apptailor.com.>
202.181.169.75#5 3
[1263926394] unbound[10255:0] info: incoming scrubbed packet: ;;
->>HEADER<<- op code: QUERY, rcode: NXDOMAIN, id: 0
;; flags: qr aa ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; 202.181.169.75.apptailor.com.        IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
apptailor.com.  14400   IN      SOA     ns1.apptailor.com.
root.apptailor.com. 2 009111400 14400 3600 1209600 86400

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Dec 31 19:00:00 1969
;; MSG SIZE  rcvd: 91


This ultimately results in a SERVFAIL for www.hkolympic.org.  However,
subsequent queries for www.hkolympic.org work because of the existing
cache for ns1.apptailor.com and ns1.apptailor.com from the parent.  I
imagine that the desired effect of the change introduced in 1.4.1
would be for the initial query to resolve as well?

Thanks,
Mike