Maintained by: NLnet Labs

[Unbound-users] python module example documentation bug and crasher

W.C.A. Wijngaards
Mon Jan 20 10:33:55 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2014 10:27 AM, Paul Wouters wrote:
> On Mon, 20 Jan 2014, W.C.A. Wijngaards wrote:
> 
>>> When loading that module, unbound always SERVFAIL's. Thinking
>>> that this section was wrongly returning MODULE_ERROR:
>>> 
>>> if event == MODULE_EVENT_PASS: log_info("pythonmod:
>>> event_pass") qstate.ext_state[id] = MODULE_ERROR return True
>>> 
>>> I changed it to MODULE_FINISHED. However, that lead to a crash
>>> in unbound:
> 
> We fixed this in the current code. Our code now works, and
> actually triggers an IPsec tunnel that established.
> 
> Attached for others to look at as example, although we still have
> more work to do to make it work fully.
> 
> We are still wondering why there is some slowness between when the 
> ipsec tunnel comes up and the application sees the A recorc
> answer. This seems to be about 9 seconds and we have no idea what
> unbound is doing.
> 
> We would also still like to have something better than running 
> dns.resolver() that more natively goes back into the unbound code.

Use module_env, send_query() or attach_sub().  Send query sends a udp
packet (with fallback to TCP and EDNS detection).  attach_sub creates
a recursive lookup that is facilitated by unbound (fully validated
result at the end, can recurse further to lookup the nameservers and
dnssec chain of trust for it).  In both cases an event is triggered
when the result arrives.  The result for the recursion case should not
perform heavy processing - it should especially refrain from making
other recursion calls and not write to UDP buffers - it should instead
stash the data in an internal structure and set it up so that an
upcoming event (module_run) to continue processing outside of the
'interrupt-style' result event can be used for the actual processing.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS3O2DAAoJEJ9vHC1+BF+NjzMP/2qjp45oEuJ/l2l5QahZZfLD
wcD0sIaNKW0X5Xb3W9T60qdfd9xxrDBNqU+9GTF0Y03IeCTccbfhovnX0teRl6wZ
dXQlcRIm0qAgwodyqF1RfBjLNgXaiTZUmQ0e/V5Xyrm7YFm2oEozIhlsx9WicJM+
XzfZF8Hup1lXO9uEjxIVDU+0w5usgAAHzcx++GlH32cgmQbTdsvOcm8SHzpFzgen
GiMa/liS3O/MRgaozkbOP1srvoMtjwoXClc3367QADY+Ed5j3R05C1d11pUaQkvJ
ORmL4aDe/Ntw5gd0dwSo6jxGi6zHOGJ1vK6Emh/Ho6DdDD9TbVPh8u9QRXNS+nnM
9N6aBmS3xbEFli4PyOP8EhPATRQ+FffPrn253xagBLw32HIgGuVmE5aVmiZBPAJH
GdU8HtslzquEBTf657etyJD6Vqo7mckcYBc0nNzXX3HAwvaMmxNeqLx5LrKVLCPG
WUC7V90mbWXIrm/qViHmT1X9hjkGK1nmFUye4ZUIUAnB+ZVlNMgXBKje9v4/xgeP
vPeIeCb903KvwWj2AD7nOtn+Hw4w/b0raGCJdk16j65ET+5ZFLQUrAf/nJkzikbj
iovc6WUHQFUsrEs2v2Dd3OgPg3h1INfyo7NQe7IaYRK/rbK+uUJPOHS+mTmZ10Wu
VsncgqN6Ibn4iRTU6UjH
=4Vt5
-----END PGP SIGNATURE-----