Maintained by: NLnet Labs

[Unbound-users] dig fails intermittently, but unbound-host does not

Andrew Hearn
Tue Mar 29 14:29:14 CEST 2011


On 29/03/11 13:16, W.C.A. Wijngaards wrote:
> Hi Andrew, Paul,
> 
> On 03/29/2011 02:11 PM, Andrew Hearn wrote:
>> On 29/03/11 12:19, Paul Wouters wrote:
>>> On Tue, 29 Mar 2011, Andrew Hearn wrote:
>>>
>>>> We have version 1.3.4 on a server and have an odd, intermittent, problem
>>>> with looking up a particular record.
>>>>
>>>> We have other unbound and bind servers that don't have this problem.
>>>>
>>>> eg:
>>>>
>>>> [root at a log]# unbound-control flush farnell.com
>>>> ok
>>>> [root at a log]# dig uk.farnell.com @localhost
>>>
>>> That domain seems broken, at least from the "world view":
>>>
>>> [paul at bofh ~]$ dnscheck uk.farnell.com.
>>>   0.000: uk.farnell.com. INFO Begin testing zone uk.farnell.com. with
>>> version 1.2.1.
>>>   0.000: uk.farnell.com. INFO Begin testing delegation for uk.farnell.com..
>>>   6.008: uk.farnell.com. INFO Name servers listed at parent:
>>> dns1.cscdns.net,dns2.cscdns.net
>>>   6.168: uk.farnell.com. ERROR Failed to find name servers of
>>> uk.farnell.com./IN.
>>>   6.168: uk.farnell.com. ERROR No name servers found at child.
>>>   6.168: uk.farnell.com. INFO Done testing delegation for uk.farnell.com..
>>>   6.168: uk.farnell.com. CRITICAL Fatal error in delegation for zone
>>> uk.farnell.com..
>>>   6.168: uk.farnell.com. INFO Test completed for zone uk.farnell.com..
>>>
>>> If it works internally, perhaps one issue is that one of your servers
>>> uses the external instead
>>> of internal view?
> 
> I think Paul is correct.
> 
>> Thanks for the info, but I'm not sure this explains it, as:
>>   unbound-host uk.farnell.com -v
>> always works, and gives answers, but
>>   dig uk.farnell.com @localhost
>> is intermittent
> 
>> Also, http://www.squish.net/dnscheck works each time we try
> 
> That is because the first looking (has to) use the parent-side
> delegation information.  But with a cache the daemon on a second lookup
> uses the child-side delegation information.  unbound-host is a
> commandline tool and does the first lookup of course.
> 
> In unbound 1.4.5 the approach to deal with such broken domains was
> changed significantly, making it more robust.  It may work with this
> broken domain.
> 
> Or, you could unbreak the domain, fix it :-)
> 
> Best regards,
>    Wouter


Thanks for the info Wouter.

The domain is outside our control, but I'll upgrade our Unbound.

Thanks again


-- 
Andrew Hearn.
AAISP Technical Support Team Leader
Tel: 03333 400999