Maintained by: NLnet Labs

problems with stub-zones

A. Schulze
Mon Aug 15 14:44:39 CEST 2016


Hello

We still have an unsolved issue and cannot find a solution. It's still the same as
https://www.unbound.net/pipermail/unbound-users/2015-October/004057.html ...

test-setup:
   client -> router -> unbound -> router -> nameserver1 + nameserver2

client's /etc/resolv.conf has only one line: "nameserver ${unbound-ip}"

unbound.conf is minimal:

server:
     local-zone: "10.in-addr.arpa." transparent
     domain-insecure: "10.in-addr.arpa."

stub-zone:
     name: "10.in-addr.arpa."
     stub-addr: ${nameserver1-ip}
     stub-addr: ${nameserver2-ip}

nameserver1+2 serve 10.in-addr.arpa. using http://cr.yp.to/djbdns/walldns.html

Everything is fine as long as both nameservers are up.
If one server fails (simple case: host up, nameserver down), the client gets
"no servers could be reached" or similar answers from the local stub resolver.
A moment later a second query for the same name succeeds. But again some
queries later we observe timeouts or no answers again.

With tcpdump on both nameservers I see queries that are immediately
answered by the running nameserver.
If the nameserver is down, I see "ICMP port unreachable" packets back
to unbound.

I run "watch -n 1 unbound-control dump_infra | grep arpa".
There is a value "delay" in the line of the failed nameserver that
counts down from 30...90 to zero.

After unbound once learned that nameserver1 is down, I could ask non-cached
queries, which are answered immediately,
until the delay counter reaches 0. Then the error in answering
un-cached queries is there again.

It's unbound-1.5.9 including the patch
https://www.unbound.net/pipermail/unbound-users/2016-June/004379.html.
minimal-responses, qname-minimisation and use-caps-for-id are disabled.

Andreas
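The "delay" value the poster watches in `unbound-control dump_infra` is the infra cache's per-server backoff; the following parser (an added example, not code from the thread or from Unbound) reads a dump and lists which stub addresses of a zone are currently being backed off. The sample lines and the field layout ("<ip> <zone> ttl N ping N var N rtt N rto N ... delay N lame dnssec N ...", or "<ip> <zone> expired") are assumptions, not output captured from the poster's setup.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `unbound-control dump_infra | grep arpa` output.
# Field layout is an assumption modelled on Unbound's infra cache dump;
# addresses and numbers are made up. 10.0.0.12 plays the "down" nameserver.
SAMPLE_DUMP = """\
10.0.0.11 10.in-addr.arpa. ttl 897 ping 12 var 4 rtt 28 rto 28 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
10.0.0.12 10.in-addr.arpa. ttl 897 ping 0 var 0 rtt 376 rto 6000 tA 0 tAAAA 0 tother 3 ednsknown 1 edns 0 delay 42 lame dnssec 0 rec 0 A 0 other 0
10.0.0.13 example.arpa. expired
"""

@dataclass
class InfraHost:
    addr: str
    zone: str
    expired: bool
    ttl: int = 0     # seconds until unbound forgets what it learned
    rto: int = 0     # current retransmit timeout in ms (grows on failures)
    delay: int = 0   # seconds unbound still holds back from this server

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def parse_dump_infra(text: str) -> List[InfraHost]:
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, zone, rest = m.groups()
        if rest == "expired":
            hosts.append(InfraHost(addr, zone, True))
            continue
        # Remaining fields are "name value" pairs; the bare word "lame" is
        # a marker (followed by "dnssec N rec N ...") and carries no value.
        tokens = [t for t in rest.split() if t != "lame"]
        fields = dict(zip(tokens[0::2], map(int, tokens[1::2])))
        hosts.append(InfraHost(addr, zone, False,
                               ttl=fields.get("ttl", 0),
                               rto=fields.get("rto", 0),
                               delay=fields.get("delay", 0)))
    return hosts

def backed_off_servers(hosts: List[InfraHost], zone: str) -> List[str]:
    """Stub addresses for `zone` that unbound is currently backing off from."""
    return [h.addr for h in hosts
            if h.zone == zone and not h.expired and h.delay > 0]
```

Running this every second (as the poster does with `watch`) makes the moment the delay hits zero, and the dead server is retried, visible in the monitoring rather than only as a client-side timeout.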