Maintained by: NLnet Labs

[Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain

W.C.A. Wijngaards
Mon Feb 21 16:33:13 CET 2011


Hi Michael,

You need to configure
outgoing-range: 20480 too, so that it has sockets to service those 20480
requests in the requestlist.

libevent is good.  You can get_option in unbound-control.

I'll point to http://unbound.net/documentation/howto_optimise.html for
the audience.

It could be that openbsd has a restrictive ulimit on the number of open
files, and that unbound throttles back its usage to fit in that ulimit
(of 256?).  ulimit -n.  You can override it as root.  Unbound prints a
warning at startup.

Best regards,
   Wouter

On 02/21/2011 04:27 PM, Slingerland, Michael van wrote:
> Hi Wouter,
> 
> Thanks for your swift and thorough answer!
> 
> This brings me to my next issue I have due to this groupinfra behaviour.
> 
> That is that my resolver begins to show "requestlist exceeded" counters up to 3K per sec.
> After my requestlist hits about 250.... My assumption is that it probably only sets 512 slots for the requestlist at startup, while I configured the value 20480 for num-queries-per-thread.
> 
> But it seems somehow that this config entry is ignored..
> Is there some way to check in unbound how many slots are actually allocated after startup?
> 
> I compiled with libevent so it should at least have 1024 num-queries-per-thread.
> 
> Thanks,
> mike
> 
> -----Original Message-----
> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of W.C.A. Wijngaards
> Sent: Monday, 21 February 2011 15:41
> To: unbound-users at unbound.net
> Subject: Re: [Unbound-users] Increase of requestlist entries/connection timeout due to groupinfra.com domain
> 
> Hi Michael,
> 
> groupinfra.com's servers, ns1.logica.com and ns2.logica.com are both 'recursion-lame'.  They are configured as a cache (and offer recursion but not the AA flag on answers).  Unbound tries to avoid them, but there are no alternatives (no AAAA records or anything).  Then, unbound tries a +RD query there (as if it were forwarding) and receives an answer (TTL 51 seconds, yes they really are recursors with TTLs).
> 
> Since there are not really authoritative servers for groupinfra.com, it could be that their 'semi-caches' cannot find the information all the time, or have trouble as well.  zonecheck says 'it has no nameservers'.
> 
> Try to use unbound-control lookup groupinfra.com to get more information.
> 
> I see that groupinfra.com says it has different nameservers, its NS record has 75 entries.  This explains the very long times where queries exist for unbound; as it is trying every server and gets timeouts.  I notice a lot of these entries seem to be on a subnet of some sort (10.0.0.0/8 and others maybe too), and perhaps firewalled.
> 
> Since it claims to have nameservers that do not answer, it is not going to get very good service.  The official nameservers registered with .com are not authoritative.
> 
> Best regards,
>    Wouter
> 
> 
> On 02/21/2011 02:45 PM, Slingerland, Michael van wrote:
>> Hi,
> 
>> I've been scratching my head for a few days now, trying to figure out 
>> what is happening here.
>> 1) I noticed that the requestlist dump contains about 200 subdomains 
>> for groupinfra.com, some of them are there for up to 85000 seconds.
> 
>> 2) 1 entry in the requestlist is:
>> 215    A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN uk-dc015.groupinfra.com.
> 
>> Resolving this domain with dig returns:
> 
>> # dig @localhost xjdjtallrd.groupinfra.com
> 
>> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; connection timed out; no servers could be reached
>> #
> 
>> 3) flushing the requestlist and name from the cache
> 
>> #  dig @localhost xjdjtallrd.groupinfra.com
> 
>> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
>> ; (2 servers found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65121
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
>> ;; QUESTION SECTION:
>> ;xjdjtallrd.groupinfra.com.     IN      A
> 
>> ;; AUTHORITY SECTION:
>> groupinfra.com.         3107    IN      SOA     uk-dc001.groupinfra.com. hostmaster. 15046308 900 600 86400 900
> 
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Mon Feb 21 14:38:14 2011
>> ;; MSG SIZE  rcvd: 98
> 
>> #
> 
>> After a few hours the domain is again not resolvable as in point 2.
> 
>> Flushing the requestlist and domain groupinfra.com from cache fixes 
>> again this issue.
> 
>> I am using unbound 1.4.7 on OpenBSD 4.5.
> 
>> Compile options:
>> ./configure --prefix=/opt/unbound-1.4.7 \
>>   --with-ssl=/usr \
>>   --with-libevent=/usr \
>>   --without-pthreads \
>>   --with-chroot-dir=/var/unbound \
>>   --with-pidfile=/var/run/unbound.pid \
>>   --with-conf-file=/var/unbound/etc/unbound.conf \
>>   --with-username=named \
>>   --disable-gost \
>>   --with-ldns-builtin
> 
>> I'm trying to understand why this domain is only temporarily 
>> resolvable and after it fails, it is resolvable again after a flush of 
>> requestlist and domain groupinfra.com.
> 
>> Thanks,
>> Michael
> 
> 
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 
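
The check described in the reply above (requestlist size against outgoing-range against the open-file limit), as an added shell example that is not part of the original messages. The function names check_limits and check_live are hypothetical; check_live relies only on the `unbound-control get_option` and `ulimit -n` commands mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the three limits the reply
# mentions. Usage: check_limits OUTGOING_RANGE NUM_QUERIES_PER_THREAD FD_LIMIT
# Prints one line per finding; returns 0 = consistent, 1 = mismatch, 2 = bad input.
check_limits() {
    o=$1 q=$2 fd=$3 rc=0
    for v in "$o" "$q"; do
        case $v in
            ''|*[!0-9]*) echo "ERROR: not a number: '$v'"; return 2 ;;
        esac
    done
    # The requestlist can only be serviced if there are sockets for it.
    if [ "$o" -lt "$q" ]; then
        echo "WARN: outgoing-range $o < num-queries-per-thread $q: too few sockets for the requestlist"
        rc=1
    fi
    # Every outgoing socket is a file descriptor; unbound also needs a few
    # more for other purposes, which this simple comparison does not model.
    case $fd in
        unlimited) ;;
        ''|*[!0-9]*) echo "ERROR: not a number: '$fd'"; return 2 ;;
        *)
            if [ "$fd" -lt "$o" ]; then
                echo "WARN: open-file limit $fd < outgoing-range $o: unbound will throttle back"
                rc=1
            fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: outgoing-range=$o num-queries-per-thread=$q nofile=$fd"
    return "$rc"
}

# Reads the values from the running daemon. "ulimit -n" reports the limit of
# THIS shell, so run it in the same environment that starts unbound.
check_live() {
    live_o=$(unbound-control get_option outgoing-range) || return 2
    live_q=$(unbound-control get_option num-queries-per-thread) || return 2
    check_limits "$live_o" "$live_q" "$(ulimit -n)"
}

# Only touch the daemon when asked to: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Calling `check_limits 4096 20480 256` with these constructed values reports both mismatches at once; compare the result with the warning unbound prints at startup.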