Maintained by: NLnet Labs

[Unbound-users] A and ANY queries give conflicted results

W.C.A. Wijngaards
Wed Apr 13 08:39:09 CEST 2011



Hi Paul,

On 04/12/2011 11:13 PM, Paul Wouters wrote:
> 
> I put in an A record for "badsig.dane.xelerance.com." with the intention of
> putting a bad "dane TLSA" record in there. So contrary to the name, the RRSIG
> for "badsig" is fine.
> 
> But unbound (1.4.8) gives me :
> 
> [paul at bofh pri]$ dig +dnssec a badsig.dane.xelerance.com.
> ;; AUTHORITY SECTION:
> xelerance.com.        1843    IN    SOA    ns1.xelerance.net.
> hostmaster.xelerance.com. 2011041269 18000 3600 864000 3600
> xelerance.com.        1843    IN    RRSIG    SOA 5 2 3600 20110505082418
> 
> So this tells me the record does not exist. But when I do an ANY query:
> 
> [paul at bofh pri]$ dig +dnssec any badsig.dane.xelerance.com.
> ;; ANSWER SECTION:
> badsig.dane.xelerance.com. 3505    IN    A    193.110.157.151
> badsig.dane.xelerance.com. 3505    IN    RRSIG    A 5 4 3600
> 20110505101649 20110412193207 52862 xelerance.com.
> 
> I have a copy of the cache at the time, and an unbound-host output if
> that would help
> 
> After restarting unbound, the record worked as expected.

You have a TTL issue.  The 'wrong' response is 1800 seconds ago.  The
right response is 95 seconds ago.  Restart cleared the cache, and your
problem is gone.  This is simply TTL happening.

Unbound does not synthesize from the cache, so it will repeat the
response from the authority server.  So, it gets the new A record as
part of the ANY query, but does not synthesize 'A' responses to clients
with it, instead using the message that it got (1800 seconds) before.

Best regards,
   Wouter
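As an added illustration (not code from this thread or from Unbound itself), here is a toy Python model of the cache behaviour Wouter describes: messages are cached per (qname, qtype) and replayed unchanged until their TTL runs out, so the NODATA answer stored for the A query keeps winning even after a later ANY query has brought the new A record into the cache. The `synthesize` switch, the zone data and the timestamps are constructed assumptions; the switch only exists to contrast the behaviour Unbound does not have.

```python
from dataclasses import dataclass, field

@dataclass
class CachedMessage:
    rrs: tuple       # answer RRs as (owner, type, rdata); empty tuple means NODATA
    expires: float   # absolute time after which the stored message is not used

@dataclass
class ToyResolver:
    auth: dict                        # constructed zone: (owner, type) -> [rdata]
    synthesize: bool = False          # hypothetical switch; Unbound behaves as False
    msg_cache: dict = field(default_factory=dict)    # (qname, qtype) -> CachedMessage
    rrset_cache: dict = field(default_factory=dict)  # (owner, type)  -> CachedMessage

    def _fetch(self, qname, qtype, now):
        # Ask the constructed authority; cache the whole message and its RRsets.
        if qtype == "ANY":
            rrs = tuple((n, t, r) for (n, t), rds in self.auth.items()
                        if n == qname for r in rds)
        else:
            rrs = tuple((qname, qtype, r) for r in self.auth.get((qname, qtype), ()))
        msg = CachedMessage(rrs, now + 3600)          # 3600 = TTL / SOA minimum
        self.msg_cache[(qname, qtype)] = msg           # NODATA is cached too
        for n, t, _ in rrs:
            self.rrset_cache[(n, t)] = CachedMessage(
                tuple(rr for rr in rrs if rr[:2] == (n, t)), now + 3600)
        return msg

    def resolve(self, qname, qtype, now):
        if self.synthesize:
            # Alternative behaviour: answer from the freshest cached RRset, even one
            # that arrived inside an ANY response. Unbound does not do this.
            rrset = self.rrset_cache.get((qname, qtype))
            if rrset is not None and rrset.expires > now:
                return rrset.rrs
        msg = self.msg_cache.get((qname, qtype))
        if msg is not None and msg.expires > now:
            return msg.rrs                             # replay stored message as-is
        return self._fetch(qname, qtype, now).rrs

def replay_thread(synthesize=False):
    """Replay the thread's sequence with constructed timestamps (seconds)."""
    name, zone = "badsig.dane.xelerance.com.", {}
    r = ToyResolver(zone, synthesize)
    first = r.resolve(name, "A", now=0)                  # NODATA gets cached
    zone[(name, "A")] = ["193.110.157.151"]              # operator adds the record
    via_any = r.resolve(name, "ANY", now=1700)           # ANY fetches the new record
    stale = r.resolve(name, "A", now=1800)               # old message still within TTL
    fresh = r.resolve(name, "A", now=3600)               # old message expired
    return first, via_any, stale, fresh
```

Running `replay_thread()` reproduces the thread: the ANY query sees the A record while the A query still returns the cached NODATA until the old message's TTL expires; `replay_thread(synthesize=True)` shows what a synthesizing cache would have returned instead.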