Maintained by: NLnet Labs

Timeout semantics of Unbound differ radically from Bind 9

Dhalgren Tor
Sun Apr 10 04:02:56 CEST 2016


Hello,

I operate a Tor Exit relay and was initially using Unbound as the
caching DNS resolver.  A few days ago the relay failed due to an
interaction between the Tor relay daemon and the request timeout
behavior of Unbound.  The only solution was to switch to using Bind 9
as the DNS resolver.

While I appreciate the elegance and persistence of Unbound's timeout
scheme, it breaks Tor and probably breaks other high-volume DNS
requesters that expect the simple ten-second timeout behavior of
'named'.

I suggest a configurable compatibility feature be added to Unbound to
emulate Bind timeout behavior while preserving the Unbound timeout
regime.  Unbound would reply to DNS queries with an appropriate
SERVFAIL message after ten seconds while continuing with the usual
persistent effort to resolve the record and then cache the result if
successful.

An open Tor ticket providing details of the aforementioned failure is found at

Tor #18580: exit relay fails with 'unbound' DNS resolver when lots of
requests time-out
https://trac.torproject.org/projects/tor/ticket/18580

Sincerely
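The behaviour proposed above (answer the client with SERVFAIL once a fixed deadline passes, but let the resolution itself run to completion and cache the result) can be sketched as a small front-end. This is an added example, not code from Unbound, BIND 9 or Tor: the upstream lookup is a constructed stand-in with an artificial delay so it runs offline, and the fraction-of-a-second deadline stands in for the ten seconds the post proposes.

```python
"""Sketch of a 'fail fast, keep resolving' front-end for a caching resolver.

Added example, not code from Unbound, BIND or the Tor project. The
upstream lookup is simulated with a constructed delay so it runs offline;
the deadline is a parameter (the post proposes ten seconds for BIND
compatibility; the demo uses fractions of a second).
"""
import asyncio
import time
from typing import Awaitable, Callable, Dict

SERVFAIL = "SERVFAIL"   # stand-in for the DNS RCODE


class FailFastCache:
    """Answer each query within `deadline` seconds, but never abandon the
    resolution itself: a slow lookup keeps running and fills the cache."""

    def __init__(self, deadline: float,
                 resolve_fn: Callable[[str], Awaitable[str]]):
        self.deadline = deadline
        self._resolve_fn = resolve_fn          # async fn(name) -> address
        self.cache: Dict[str, str] = {}
        self._inflight: Dict[str, asyncio.Task] = {}

    def _lookup_task(self, name: str) -> asyncio.Task:
        # One background resolution per name; later queries for the same
        # name wait on the same task instead of starting another one.
        task = self._inflight.get(name)
        if task is None:
            task = asyncio.create_task(self._resolve_and_cache(name))
            self._inflight[name] = task
        return task

    async def _resolve_and_cache(self, name: str) -> str:
        try:
            addr = await self._resolve_fn(name)
            self.cache[name] = addr
            return addr
        finally:
            self._inflight.pop(name, None)

    async def query(self, name: str) -> str:
        if name in self.cache:
            return self.cache[name]
        task = self._lookup_task(name)
        try:
            # shield() is the important part: wait_for cancels whatever it
            # awaits on timeout, and without the shield the background
            # resolution would die with the client-facing deadline.
            return await asyncio.wait_for(asyncio.shield(task), self.deadline)
        except asyncio.TimeoutError:
            return SERVFAIL


async def _slow_upstream(name: str) -> str:
    # Constructed stand-in for a recursive lookup that takes longer than
    # the client-facing deadline (e.g. an unresponsive authoritative server).
    await asyncio.sleep(0.3)
    return "192.0.2.1"   # TEST-NET-1 documentation address, constructed


async def _scenario() -> dict:
    resolver = FailFastCache(deadline=0.1, resolve_fn=_slow_upstream)
    t0 = time.monotonic()
    first = await resolver.query("example.com")       # SERVFAIL after ~0.1 s
    first_elapsed = time.monotonic() - t0
    await asyncio.sleep(0.4)                          # background task finishes
    second = await resolver.query("example.com")      # now served from cache
    return {"first": first, "first_elapsed": first_elapsed,
            "second": second, "cached": "example.com" in resolver.cache}


def run_demo() -> dict:
    """Run the two-query scenario and return what each query answered."""
    return asyncio.run(_scenario())


if __name__ == "__main__":
    print(run_demo())
```

The first query is answered with SERVFAIL at the deadline, so a high-volume client such as the Tor daemon is never left holding the request, while the second query for the same name is answered from the cache that the still-running lookup filled in. Without the `asyncio.shield` wrapper the timeout would cancel the lookup and no cache entry would ever appear, which is the difference between simply timing out early and the hybrid behaviour the post asks for.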