Maintained by: NLnet Labs

[Unbound-users] Resolve failures when using forwarders that do recursion

Florian Riehm
Tue Jan 7 08:52:19 CET 2014

> Hi,
> Please have a look to the attached patch.
> It adds a new config option 'infra-cache-min-rtt' which makes the former
> constant value of RTT_MIN_TIMEOUT adjustable. This gives the user the
> opportunity to choose a reasonable retransmit timeout value.

Hi Wouter,

I'm still thinking about the problem with the infra cache timeouts with
forwarders. I would like to ask you about your opinion of a 'right'
solution for the problem.
I guess adding a config option (see my patch) is kinda hack, but I don't see
any other solution at the moment.

Actually I was thinking about this idea:
After a timeout unbound could reuse port and query id in the second query.
Then we could accept the first reply still after the second query was sent.
Reuse port and query id will avoid security problems with the kaminsky attack.
But this solution works only if the second query gets send to the same server
as the first. In most cases people use >1 global forwarders, so it won't work.
So I guess it's to much work to implement this behavior if it doesn't fix the
problem in all cases.

Have you any other suggestions how we could fix this problem?
Have you any considerations about my patch with the infra-cache-min-rtt option?