Maintained by: NLnet Labs

[Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain

W.C.A. Wijngaards
Mon Feb 21 15:52:44 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/21/2011 03:40 PM, W.C.A. Wijngaards wrote:
> Since it claims to have nameservers that do not answer, it is not going
> to get very good service.  They official nameservers registered with
> .com are not authoritative.
> 
> On 02/21/2011 02:45 PM, Slingerland, Michael van wrote:
>> Hi,
> 
>> 1) I noticed that the requestlist dump contains about 200 subdomains for
>> groupinfra.com, some of them are there for up to 85000 seconds.
> 
>> 2) 1 entry in the requestlist is:
>> 215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN
>> de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN
>> uk-dc015.groupinfra.com.

And feedback on having 200 subdomains: this is not a resource problem,
older queries are removed ('jostled' in statistics counter) in favor of
new queries if there is a resource problem, your nameserver has capacity
to handle this query for that extremely long time without having to
remove this query for newer ones, so that is not an issue.

The issue that after flush and restart it works again is because the
first couple queries use the nameservers as advertised from .com
referral, but these are soon replaces by 75 non-working nameservers, all
of whom unbound prefers (since the child is authoritative for its
domain!).  Working through 75 timeouts before it tries the
parent-also-not-working servers takes a very long time, and your 'dig'
has timeouted by that time.  It will cache this, but the default of 15
minutes (infra-ttl) is probably too low to be able to help.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1ifDwACgkQkDLqNwOhpPhAoQCeJ7IUeSmQaGQWTZP2N9IAEv9V
qO4AoLD1z4jL76onC8CruYXaNOZgnmKt
=2C4O
-----END PGP SIGNATURE-----