Maintained by: NLnet Labs

[Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain

W.C.A. Wijngaards
Mon Feb 21 15:40:51 CET 2011


Hi Michael,

groupinfra.com's servers, ns1.logica.com and ns2.logica.com are both
'recursion-lame'.  They are configured as a cache (and offer recursion
but not the AA flag on answers).  Unbound tries to avoid them, but there
are no alternatives (no AAAA records or anything).  Then, unbound tries
a +RD query there (as if it were forwarding) and receives an answer (TTL
51 seconds, yes they really are recursors with TTLs).

Since there are not really authoritative servers for groupinfra.com, it
could be that their 'semi-caches' cannot find the information all the time,
or have trouble as well.  zonecheck says 'it has no nameservers'.

Try to use unbound-control lookup groupinfra.com to get more information.

I see that groupinfra.com says it has different nameservers, its NS
record has 75 entries.  This explains the very long times where queries
exist for unbound; as it is trying every server and gets timeouts.  I
notice a lot of these entries seem to be on a subnet of some sort
(10.0.0.0/8 and others maybe too), and perhaps firewalled.

Since it claims to have nameservers that do not answer, it is not going
to get very good service.  The official nameservers registered with
.com are not authoritative.

Best regards,
   Wouter


On 02/21/2011 02:45 PM, Slingerland, Michael van wrote:
> Hi,
>  
> I've been scratching my head for a few days now, trying to figure out
> what is happening here.
> 1) I noticed that the requestlist dump contains about 200 subdomains for
> groupinfra.com, some of them are there for up to 85000 seconds.
>  
> 2) 1 entry in the requestlist is:
> 215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN
> de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN
> uk-dc015.groupinfra.com.
>  
> Resolving this domain with dig returns:
>  
> # dig @localhost xjdjtallrd.groupinfra.com
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> #
>  
> 3) flushing the requestlist and name from the cache
>  
> #  dig @localhost xjdjtallrd.groupinfra.com
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;xjdjtallrd.groupinfra.com.     IN      A
>  
> ;; AUTHORITY SECTION:
> groupinfra.com.         3107    IN      SOA     uk-dc001.groupinfra.com.
> hostmaster. 15046308 900 600 86400 900
>  
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 21 14:38:14 2011
> ;; MSG SIZE  rcvd: 98
>  
> #
>  
> After a few hours the domain is again not resolvable as in point 2.
>  
> Flushing the requestlist and domain groupinfra.com from cache fixes
> again this issue.
>  
> I am using unbound 1.4.7 on OpenBSD 4.5.
>  
> Compile options:
> ./configure --prefix=/opt/unbound-1.4.7 \
> --with-ssl=/usr \
> --with-libevent=/usr \
> --without-pthreads \
> --with-chroot-dir=/var/unbound \
> --with-pidfile=/var/run/unbound.pid \
> --with-conf-file=/var/unbound/etc/unbound.conf \
> --with-username=named \
> --disable-gost \
> --with-ldns-builtin
>  
> I'm trying to understand why this domain is only temporarily resolvable
> and after it fails, it is resolvable again after a flush of requestlist
> and domain groupinfra.com.
>  
> Thanks,
> Michael
>  
> 

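
Added example, not part of the original thread and not NLnet Labs code: a small parser for requestlist dump text that groups long-lived entries by parent zone, to spot a domain like the one discussed above holding many slots for hours. The sample dump is constructed around the single entry quoted in the thread; the 300-second threshold and the two-label zone guess are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the requestlist entry quoted in the thread:
# index, type, class, name, age in seconds, module, module status.
SAMPLE_DUMP = """\
thread #0
#   type cl name    seconds    module status
  0    A IN www.example.org. 0.412331 iterator wait for 192.0.2.53
 17    A IN qmzkprwtyb.groupinfra.com. 84990.101500 iterator wants A IN de-dc002.groupinfra.com.
215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN uk-dc015.groupinfra.com.
216 AAAA IN mail.example.net. 1.250000 iterator wait for 198.51.100.7
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*(.*)$")

def parse_requestlist(text):
    """Return one dict per entry line; header and thread lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            _, qtype, _, name, age, module, status = m.groups()
            entries.append({"name": name.lower(), "type": qtype, "age": float(age),
                            "module": module, "status": status})
    return entries

def parent_zone(name, labels=2):
    # Assumption: the zone is the last two labels (wrong for names under e.g. co.uk).
    return ".".join(name.rstrip(".").split(".")[-labels:]) + "."

def stuck_zones(entries, min_age=300.0):
    """Group entries older than min_age seconds (assumed threshold) by parent zone."""
    zones = defaultdict(lambda: {"count": 0, "max_age": 0.0, "wants": set()})
    for e in entries:
        if e["age"] < min_age:
            continue
        z = zones[parent_zone(e["name"])]
        z["count"] += 1
        z["max_age"] = max(z["max_age"], e["age"])
        # Names after "IN" in a "wants ..." status are what the entry is waiting on.
        z["wants"].update(re.findall(r"\bIN (\S+)", e["status"]))
    rows = [(zone, z["count"], z["max_age"], sorted(z["wants"])) for zone, z in zones.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for zone, count, max_age, wants in stuck_zones(parse_requestlist(SAMPLE_DUMP)):
        print(f"{zone} entries={count} oldest={max_age:.0f}s waiting_on={', '.join(wants)}")
```

Zones that surface here with many old entries all waiting on the same nameserver names are candidates for the unbound-control lookup suggested in the reply.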