[Unbound-users] Unbound and Round Robin DNS

2009-08-21 Thread Gareth Hopkins
Hi,

I am in the process of testing unbound and have found the following with
round robin dns entries.

Using www.cnn.com as an example, unbound gives me the same answer
(157.166.255.19) every time, whereas bind gives me the intended different
answers. Example below.

Command used was while true; do date; nslookup www.cnn.com| head -n6 ; sleep
1; done

Unbound
Version 1.3.3
linked libs: event 1.4.12-stable, ldns 1.6.0_20090714, OpenSSL 0.9.8e 23 Feb
2007
linked modules: validator iterator

Fri Aug 21 12:01:28 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:01:29 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:01:30 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:01:31 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:01:32 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:01:33 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19

Bind version
BIND 9.4.3-P3

Fri Aug 21 12:06:47 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.224.25
Fri Aug 21 12:06:48 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.19
Fri Aug 21 12:06:49 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.255.18
Fri Aug 21 12:06:50 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.226.26
Fri Aug 21 12:06:51 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.226.25
Fri Aug 21 12:06:52 SAST 2009
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.224.26

Is there something I need to set in unbound to get it to return the random
answers like bind does?

Thanks

Gareth
___
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

Re: [Unbound-users] Unbound and Round Robin DNS

2009-08-21 Thread Paul Wouters

On Fri, 21 Aug 2009, Gareth Hopkins wrote:
> I am in the process of testing unbound and have found the following with round
> robin dns entries.
>
> Using www.cnn.com as an example, unbound gives me the same answer
> (157.166.255.19) every time, whereas bind
> gives me the intended different answers. Example below.
>
> Command used was while true; do date; nslookup www.cnn.com| head -n6 ; sleep 1;
> done

dig against unbound gives me :

;; ANSWER SECTION:
www.cnn.com.266 IN  A   157.166.224.26
www.cnn.com.266 IN  A   157.166.226.25
www.cnn.com.266 IN  A   157.166.226.26
www.cnn.com.266 IN  A   157.166.255.18
www.cnn.com.266 IN  A   157.166.255.19
www.cnn.com.266 IN  A   157.166.224.25

Seems like they use a TTL of 300. Asking unbound with nslookup gives all 6
records, but I guess unbound is not cycling them in any way, so you keep
getting the first record. Perhaps Wouter can explain that part, as I am
sure some conscious design decision has gone into that.

But in 300 seconds, things will change. For me, the list got returned
the second time as:

;; ANSWER SECTION:
www.cnn.com.300 IN  A   157.166.255.19
www.cnn.com.300 IN  A   157.166.224.25
www.cnn.com.300 IN  A   157.166.224.26
www.cnn.com.300 IN  A   157.166.226.25
www.cnn.com.300 IN  A   157.166.226.26
www.cnn.com.300 IN  A   157.166.255.18

So to my applications (eg ping) their address changed from 157.166.224.26
to 157.166.255.19.

Paul


Re: [Unbound-users] Unbound and Round Robin DNS

2009-08-21 Thread Aaron Hopkins

On Fri, 21 Aug 2009, Paul Wouters wrote:

> Perhaps Wouter can explain that part, as I am sure some conscious design
> decision has gone into that.


I'm guessing this is the same anti-feature-creep sentiment as why
round-robinning RRs was left out of NSD.  This is unfortunate, because very
few clients bother to use anything but the first IP returned by their
resolver.


> But in 300 seconds, things will change. For me, the list got returned
> the second time as:

This would not be true if cnn.com were served by NSD.  The ordering would be
the same, every time, resulting in at least 3x the load reaching the first
IP in the zone file.

-- Aaron
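The thread makes two separate points: a recursive resolver that hands back the RRset in a fixed order, and clients that only ever use the first record, together pin all traffic to one address. The script below is an added example, not code from the thread or from the Unbound project. It takes the first A record of each of the six nslookup runs quoted above (constructed from the posted output), reports whether the resolver rotated, estimates how "first-record-only" clients would be distributed, and shows the client-side fix: shuffle the RRset locally and fall back to the next address when a connection fails. (Later Unbound releases added an `rrset-roundrobin` option in unbound.conf for the resolver side; the 1.3.3 build in the thread predates it.)

```python
"""Detect a non-rotating resolver and compensate on the client side.

Added example for the unbound-users round-robin thread. All answer sets
below are constructed from the nslookup/dig output quoted in the thread.
"""
import random
from typing import Callable, Dict, Optional, Sequence

# First A record of six consecutive nslookup runs, per resolver (constructed).
UNBOUND_FIRST_ANSWERS = ["157.166.255.19"] * 6
BIND_FIRST_ANSWERS = [
    "157.166.224.25", "157.166.255.19", "157.166.255.18",
    "157.166.226.26", "157.166.226.25", "157.166.224.26",
]

# Full RRset as dig showed it against unbound (constructed from the thread).
CNN_RRSET = [
    "157.166.224.26", "157.166.226.25", "157.166.226.26",
    "157.166.255.18", "157.166.255.19", "157.166.224.25",
]


def resolver_rotates(first_answers: Sequence[str]) -> bool:
    """True if the first record changed between successive queries."""
    return len(set(first_answers)) > 1


def load_share(first_answers: Sequence[str], rrset: Sequence[str]) -> Dict[str, float]:
    """Fraction of first-record-only clients each address would receive."""
    counts = {ip: 0 for ip in rrset}
    for ip in first_answers:
        counts[ip] += 1
    n = len(first_answers)
    return {ip: c / n for ip, c in counts.items()}


def simulate(rrset: Sequence[str], n_clients: int, shuffle: bool, seed: int = 1) -> Dict[str, int]:
    """Count where each client lands when the resolver always returns the same order.

    shuffle=False models clients that take the first record as-is;
    shuffle=True models clients that rotate the RRset themselves.
    """
    rng = random.Random(seed)
    hits = {ip: 0 for ip in rrset}
    for _ in range(n_clients):
        answer = list(rrset)          # fixed order, as unbound 1.3.3 returned it
        if shuffle:
            rng.shuffle(answer)       # client-side rotation
        hits[answer[0]] += 1
    return hits


def connect_with_fallback(rrset: Sequence[str],
                          try_connect: Callable[[str], bool],
                          rng: random.Random = random.Random()) -> Optional[str]:
    """Shuffle the RRset, then try each address until one connects.

    try_connect is a caller-supplied callback (hypothetical name) that
    returns True when a connection to the given IP succeeds.
    """
    order = list(rrset)
    rng.shuffle(order)
    for ip in order:
        if try_connect(ip):
            return ip
    return None


if __name__ == "__main__":
    print("unbound rotates:", resolver_rotates(UNBOUND_FIRST_ANSWERS))
    print("bind rotates:   ", resolver_rotates(BIND_FIRST_ANSWERS))
    print("first-only clients:", simulate(CNN_RRSET, 600, shuffle=False))
    print("shuffling clients: ", simulate(CNN_RRSET, 600, shuffle=True))
```

The takeaway for an application is in `connect_with_fallback`: regardless of what the resolver does, a client that shuffles the RRset and walks through it on failure gets both load spreading and failover, which is what people usually expect round-robin DNS to deliver.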


[Unbound-users] SLAX Live Linux USB with unbound and DNSSEC Tools

2009-08-21 Thread Carsten Strotmann
I would like to share the unbound and dnstools packages for SLAX Live
Linux (http://slax.org) with you.

Slax is a live Linux that can be started on almost any PC-like machine
with 256MB RAM or more from a USB stick, CD-ROM or by PXE network boot.

The current version of the SLAX DNSSEC modules contains
BIND 9.6.1-P1 (package 010-bind.lzm) and Unbound 1.33, libDNS 1.6.1,
Drill, DNSTOP, DOC and dnstracer (package 011-dnstools.lzm) ready to use.

The single packages can be downloaded from
http://support.menandmice.com/download/training/usb/dnstools/Aug09/

The full SLAX 6.1.2 system including the DNS-Tools and BIND packages can
be found at
http://support.menandmice.com/download/training/usb/slax-dns-training-stick.tgz
(217 MB).

To install SLAX from a Linux machine, uncompress the tarball to a FAT-
formatted USB drive and call the boot/bootinst.sh script. Installation
from a Windows system is similar, just use the boot/bootinst.bat
batch file.

We use this system for our DNS and DNSSEC training. Especially the
PXE network boot is a convenient way to boot SLAX from the trainer's PC to
all the machines in a classroom. The trainer can prepare training
packages that will automatically appear after reboot on the students'
machines.

In addition to being a tool for DNSSEC training, the SLAX USB system is a
nice carry-around DNSSEC troubleshooting toolset that comes
self-contained with an OS.

Unfortunately SLAX Linux currently does not do IPv6, however I will look
into that issue in the future.

Please let me know if there is something missing or wrong or if you have
an idea to improve this tool.

-- Carsten Strotmann