Maintained by: NLnet Labs

[Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain

Slingerland, Michael van
Mon Feb 21 16:27:23 CET 2011


Hi Wouter,

Thanks for your swift and thorough answer!

This brings me to my next issue I have due to this groupinfra behaviour.

That is that my resolver begins to show "requestlist exceeded" counters up to 3K per sec.
After my requestlist hits about 250.... My assumption is that it probably only sets 512 slots for the requestlist at startup, while I configured the value 20480 for num-queries-per-thread.

But it seems somehow that this config entry is ignored.
Is there some way to check in unbound how many slots are actually allocated after startup?

I compiled with libevent so it should at least have 1024 num-queries-per-thread.

Thanks,
mike

-----Original Message-----
From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of W.C.A. Wijngaards
Sent: Monday, 21 February 2011 15:41
To: unbound-users at unbound.net
Subject: Re: [Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain

Hi Michael,

groupinfra.com's servers, ns1.logica.com and ns2.logica.com are both 'recursion-lame'.  They are configured as a cache (and offer recursion but not the AA flag on answers).  Unbound tries to avoid them, but there are no alternatives (no AAAA records or anything).  Then, unbound tries a +RD query there (as if it were forwarding) and receives an answer (TTL 51 seconds, yes they really are recursors with TTLs).

Since there are not really authoritative servers for groupinfra.com, it could be that their 'semi-caches' cannot find the information all the time, or have trouble as well.  zonecheck says 'it has no nameservers'.

Try to use unbound-control lookup groupinfra.com to get more information.

I see that groupinfra.com says it has different nameservers, its NS record has 75 entries.  This explains the very long times where queries exist for unbound; as it is trying every server and gets timeouts.  I notice a lot of these entries seem to be on a subnet of some sort (10.0.0.0/8 and others maybe too), and perhaps firewalled.

Since it claims to have nameservers that do not answer, it is not going to get very good service.  The official nameservers registered with .com are not authoritative.

Best regards,
   Wouter


On 02/21/2011 02:45 PM, Slingerland, Michael van wrote:
> Hi,
>  
> I've been scratching my head for a few days now, trying to figure out 
> what is happening here.
> 1) I noticed that the requestlist dump contains about 200 subdomains 
> for groupinfra.com, some of them are there for up to 85000 seconds.
>  
> 2) 1 entry in the requestlist is:
> 215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN uk-dc015.groupinfra.com.
>  
> Resolving this domain with dig returns:
>  
> # dig @localhost xjdjtallrd.groupinfra.com
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> #
>  
> 3) flushing the requestlist and name from the cache
>  
> #  dig @localhost xjdjtallrd.groupinfra.com
>  
> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;xjdjtallrd.groupinfra.com.     IN      A
>  
> ;; AUTHORITY SECTION:
> groupinfra.com.         3107    IN      SOA     uk-dc001.groupinfra.com. hostmaster. 15046308 900 600 86400 900
>  
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 21 14:38:14 2011
> ;; MSG SIZE  rcvd: 98
>  
> #
>  
> After a few hours the domain is again not resolvable as in point 2.
>  
> Flushing the requestlist and domain groupinfra.com from cache fixes 
> again this issue.
>  
> I am using unbound 1.4.7 on OpenBSD 4.5.
>  
> Compile options:
> ./configure --prefix=/opt/unbound-1.4.7 \
>   --with-ssl=/usr \
>   --with-libevent=/usr \
>   --without-pthreads \
>   --with-chroot-dir=/var/unbound \
>   --with-pidfile=/var/run/unbound.pid \
>   --with-conf-file=/var/unbound/etc/unbound.conf \
>   --with-username=named \
>   --disable-gost \
>   --with-ldns-builtin
>  
> I'm trying to understand why this domain is only temporarily 
> resolvable and after it fails, it is resolvable again after a flush of 
> requestlist and domain groupinfra.com.
>  
> Thanks,
> Michael
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

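
Added example, not part of the original thread or of Unbound: a small parser that summarises a requestlist dump per zone, to spot a single domain (as groupinfra.com here) holding many long-lived entries. The entry layout is assumed from the one dump line quoted in the thread; grouping by the last two labels and the 60-second "stuck" threshold are illustrative assumptions, and all sample lines except the first are constructed.

```python
"""Summarise an Unbound requestlist dump per zone (added example)."""
import re
from collections import defaultdict

# Layout assumed from the entry quoted in the thread:
#   <id> <type> <class> <name> <seconds> <module> <status text...>
ENTRY = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<type>\S+)\s+(?P<cls>\S+)\s+(?P<name>\S+)\s+"
    r"(?P<age>\d+(?:\.\d+)?)\s+(?P<module>\S+)\s*(?P<status>.*)$"
)

# First entry is the one from the thread; the other two are constructed.
SAMPLE = """\
215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN uk-dc015.groupinfra.com.
216    A IN abcdefghij.groupinfra.com. 85000.100000 iterator wants A IN de-dc002.groupinfra.com.
3    A IN www.example.org. 0.412000 iterator wait for 192.0.2.53
"""

def zone_of(name, labels=2):
    """Crude zone guess: keep the last `labels` labels (an assumption)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:]) + "."

def parse(dump):
    """Return one dict per entry line; header or unknown lines are skipped."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "age": float(m["age"])})
    return entries

def summarise(entries, stuck_after=60.0):
    """Per zone: entry count, entries older than stuck_after, oldest age."""
    zones = defaultdict(lambda: {"count": 0, "stuck": 0, "oldest": 0.0})
    for e in entries:
        z = zones[zone_of(e["name"])]
        z["count"] += 1
        z["stuck"] += int(e["age"] >= stuck_after)
        z["oldest"] = max(z["oldest"], e["age"])
    # Worst offenders first: most stuck entries, then oldest entry.
    return sorted(zones.items(),
                  key=lambda kv: (-kv[1]["stuck"], -kv[1]["oldest"]))

if __name__ == "__main__":
    for zone, s in summarise(parse(SAMPLE)):
        print(f"{zone:20} entries={s['count']:3} "
              f"stuck={s['stuck']:3} oldest={s['oldest']:.0f}s")
```
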