Maintained by: NLnet Labs

[Unbound-users] Unbound doesn't cache ANY query result from some DNSSEC-signed zone

W.C.A. Wijngaards
Mon Jun 10 13:21:56 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Daisuke,

On 05/30/2013 02:41 PM, Daisuke HIGASHI wrote:
> Hi,
> 
> Unbound doesn't cache ANY query result from some DNSSEC-signed
> zone. In this case Unbound always emits query to name server per
> user query.
> 
> # unbound doesn't cache dig @::1 jp. ANY dig @::1 fr. ANY
> 
> # unbound caches dig @::1 com. ANY dig @::1 nl. ANY
> 
> I noticed that no-cached-name has NSEC3PARAM with TTL=0. It seems
> that Unbound kills query result cache obtained by ANY query when
> any one of the RRSets expires. Is it reason for no-cache?

Yes TTL=0 is not cached.  This is a must from the RFC.

Unbound does not 'gather up' RRs from cache to answer ANY, but asks
the set of RRs upstream.  The search through the cache would slow it down.

> I don't know whether it's Unbound's bug or NSEC3PARAM with TTL=0
> is illegal but Unbound serving applications making ANY-query
> (qmail?) would make excessive queries to name servers.

Yes.  But not many normal ANY queries.  TTL=0 is legal.  Unbound's
behaviour for the ANY query is not really specified.  So for cache
efficiency and easy it gets the query from upstream.

cache-min-ttl could perhaps change unbound's behaviour here.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRtbbUAAoJEJ9vHC1+BF+N4JgP/jfSs+ofPjxWays1/r3ip6g+
WvJ1+yN4sgAEZj9zQmpX2cueMIFrtGIt9q56RhD9gu/hl/5WC4ySXmQ04jW37kpx
QKDKBpc2Zu1WBl9Q7C0vNAi2FdgVeP9nUKseJYyUcfVsNU7zYvn3iZG1akgR1n1f
I9v3yLRmYYNfUFRmspPEBVYVN8U7mWylMuFpM54+4uUTb7ae9N7gTKWva0YLMCnW
AuwYPy+njHiptF7QwTyW874ihR3oWI4y3TMG++aTsIYuSiYoxFNuYg3bn25Dshxo
qx7uogGndAh/3/AuqGYsvvDnGzfbl1zays0LFcBci6nXfM1ptqLuuA/YzNI83s18
PFmfLDe6TxdDzlbT89VMGCi42EfUqIacrA4kZADdVv2GFBS/ZAxGw0VXUXmg3HKt
Ya9H4EYzPq046xAai9oWvqhwpBSGRuvTPe4Y/eXDzFHVKHhFR2j9CZ1UJhfjDQsJ
M1aweVYO2M2th9kD1AMpQeWZsJmH2jdeDzbMA4qhmBjCy/PZZqcrcoI5FiPhC6EO
EoQ6yztNdoAS8Qd86R1HURqcVaOnBWkQQBWkXEpGhR7ckdbRPouW4D3N/N1zYXwc
AJVun7nUMD44W1Uc15rtWkjw63wyU6kPKytv/2Azkx1Ejus9SmSFCGkxR4o+sH63
0sIQNofZ8FQSBhsqbykC
=GKq7
-----END PGP SIGNATURE-----