Maintained by: NLnet Labs

[Unbound-users] stub-prime unexpected behavior

W.C.A. Wijngaards
Thu Mar 21 13:20:40 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Aaron,

On 03/20/2013 09:51 PM, Aaron Hopkins wrote:
> I internally override an externally visible domain to be able to
> give different answers with a config like:
> 
> stub-zone: name: "example.com" stub-addr: 10.1.2.3 stub-addr:
> 10.1.2.4 stub-prime: yes
> 
> I recently upgraded from Unbound 1.4.4 to 1.4.19 and after running
> for a few hours was noticing that queries for foo.bar.example.com
> (an internal-only name) started returning NXDOMAIN.  When this
> happens, "dig -t ns example.com" shows the external NS records.
> 
> It turned out that I had poorly configured a subdomain of
> example.com with a lame delegation to itself, and Unbound would
> eventually stop talking to 10.1.2.3 and 10.1.2.4 because of this,
> claiming "debug: No more query targets, attempting last resort".
> It then it does what the documentation for "stub-first" claims,
> even though I don't have it enabled, and goes and looks up the
> nameservers for "example.com" starting with the roots. 
> Unfortunately, this means it starts answering queries using the
> external nameservers instead of the internal ones.
> 
> Is this the expected behavior of stub-prime?  It seems to be a
> change from how it was behaving in Unbound 1.4.4.

Not for stub-prime, the newly introduced behaviour for 'normal
referrals' is to check at the parent as a last resort to get
information.  When you add a stub-zone with stub-prime yes, then this
also activates.

> Disabling stub-prime seems to fix this.

Because it does not failover to the parent as a last resort.

> See the sanitized relevant snippet of unbound-host output below.  I
> can send a larger unsanitized chunk privately if this isn't
> enough.

Not sure if I should fix this, or not.  Is it merely unexpected, or
undesirable?

Best regards,
   Wouter


> Thanks!
> 
> -- Aaron
> 
> ---
> 
> Mar 20 13:03:34 libunbound[13226:0] debug: iter_handle processing q
> with state QUERY RESPONSE STATE Mar 20 13:03:34 libunbound[13226:0]
> info: query response was THROWAWAY Mar 20 13:03:34
> libunbound[13226:0] debug: iter_handle processing q with state
> QUERY TARGETS STATE Mar 20 13:03:34 libunbound[13226:0] info:
> processQueryTargets: blah.example.com.example.com. AAAA IN Mar 20
> 13:03:34 libunbound[13226:0] debug: processQueryTargets: 
> targetqueries 0, currentqueries 0 sentcount 10 Mar 20 13:03:34
> libunbound[13226:0] info: 
> DelegationPoint<example.com.example.com.>: 2 names (0 missing), 2
> addrs (0 result, 0 avail) parentNS Mar 20 13:03:34
> libunbound[13226:0] info:   dnsmaster1.foo.example.com. * A Mar 20
> 13:03:34 libunbound[13226:0] info:   dnsmaster2.foo.example.com. *
> A Mar 20 13:03:34 libunbound[13226:0] debug:    ip4 10.1.2.4 port
> 53 (len 16) Mar 20 13:03:34 libunbound[13226:0] debug:    ip4
> 10.1.2.3 port 53 (len 16) Mar 20 13:03:34 libunbound[13226:0]
> debug: No more query targets, attempting last resort Mar 20
> 13:03:34 libunbound[13226:0] info: found in cache 
> dnsmaster1.foo.example.com. A IN Mar 20 13:03:34
> libunbound[13226:0] info: found in cache 
> dnsmaster2.foo.example.com. A IN Mar 20 13:03:34
> libunbound[13226:0] info: new pside target 
> dnsmaster1.foo.example.com. A IN Mar 20 13:03:34
> libunbound[13226:0] debug: try parent-side glue lookup Mar 20
> 13:03:34 libunbound[13226:0] debug: mesh_run: iterator module exit
> state is module_wait_subquery Mar 20 13:03:34 libunbound[13226:0]
> debug: iterator[module 1] operate: extstate:module_state_initial
> event:module_event_pass Mar 20 13:03:34 libunbound[13226:0] info:
> iterator operate: query dnsmaster1.foo.example.com. A IN Mar 20
> 13:03:34 libunbound[13226:0] debug: iter_handle processing q with 
> state INIT REQUEST STATE Mar 20 13:03:34 libunbound[13226:0] info:
> resolving dnsmaster1.foo.example.com. A IN Mar 20 13:03:34
> libunbound[13226:0] debug: request has dependency depth of 1 Mar 20
> 13:03:34 libunbound[13226:0] debug: cache blacklisted, going to the
> network Mar 20 13:03:34 libunbound[13226:0] info: priming . IN NS 
> Mar 20 13:03:34 libunbound[13226:0] debug: mesh_run: iterator
> module exit state is module_wait_subquery Mar 20 13:03:34
> libunbound[13226:0] debug: iterator[module 1] operate: 
> extstate:module_state_initial event:module_event_pass Mar 20
> 13:03:34 libunbound[13226:0] info: iterator operate: query . NS IN 
> Mar 20 13:03:34 libunbound[13226:0] debug: iter_handle processing q
> with state QUERY TARGETS STATE Mar 20 13:03:34 libunbound[13226:0]
> info: processQueryTargets: . NS IN Mar 20 13:03:34
> libunbound[13226:0] debug: processQueryTargets: targetqueries 0,
> currentqueries 0 sentcount 0 Mar 20 13:03:34 libunbound[13226:0]
> info: DelegationPoint<.>: 13 names (0 missing), 13 addrs (0 result,
> 13 avail) parentNS Mar 20 13:03:34 libunbound[13226:0] info:
> A.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info:
> B.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info:
> C.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info:
> D.ROOT-SERVERS.NET. * A 
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIbBAEBAgAGBQJRSvsYAAoJEJ9vHC1+BF+NnCgP92pQlAxb9Zux16LtoTrBfmVn
Sinsgaz+ym9JVuO1brs8g4QNgjs9y8dDoNUMX4Ad1dNxoaFa0TpUllkqXgrq+wqo
EWQ2CbmFGH2NolB9TeLiXGDx4Cu1ik+qDUejIrvQyNWRDwmmEItidpQC/5Q8QNWA
tuw0y1palLhxVC8cvNWmcI4qLvyRFNFz9QENHL5ic5vkZDiDNjT1UoIyt6nBWIhx
fH6O67boh26gD6+zv+l2v8lg6l8IOjpnwzBHno5TNizClKDfY+U5e9UWLTahP0mp
VdvIWEOtT4jaMe2fnM8oJAQUjVm1mJk3t33gcezi5xkuCX8Z7tYawCkoXOWzVrWI
w1l5ou8BDz/8Vk0+8Wzng9J/65THYzbQM3eg+Z4XOYQRGHbhxaoXkQwIXNitCbSK
WG5szjiNQHB4d1nQAkJO9XZIOMKoyUCblQz1+mlDEpnXdyvGviekAB+SaiRPg8Fo
EGSkoM/y4MaMaRrSs/c82xCIn+cEfhgPGzNPLEtTXTK4p0zZl0YhUx7kP0JTnspw
As2E+NvlI6BwIZevoaC+zZ0Ak/iO3tLzZVIHYB2LpboWqKKe9KBdYkj5N3O2evvD
AxmWNK/9l7HOTFoHh72+GnZ/ueQRqZZsY7Lmei6f9jc+mmVBRSEpp6svWFhy6A+8
ngsP7iQnB2umaThhl0E=
=ZsDp
-----END PGP SIGNATURE-----