Hi, I am in the process of moving a number of caching boxes to unbound.
One thing I have noticed is the time it takes for a servfail to get generated should a domain not be available/visible.

Example.

With unbound I get a timeout (which some clients see as the dns server failing and not answering)

# dig bagmail.com mx @dnscache1-ctn.is.co.za

; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @unbound_server
;; global options: +cmd
;; connection timed out; no servers could be reached

With our current product I get a servfail.

# dig bagmail.com mx @current_cache

; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @dnscache2-ctn.is.co.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bagmail.com. IN MX

;; Query time: 5000 msec
;; WHEN: Fri Jan 15 16:00:17 2010
;; MSG SIZE rcvd: 29

The issue with this specific domain is the NS servers, ns1 and ns2.goldkey.com don't exist.

bagmail.com. 172800 IN NS ns1.goldkey.com.
bagmail.com. 172800 IN NS ns2.goldkey.com.

unbound-control lookup on that domain shows the following:

# unbound-control lookup bagmail.com
The following name servers are used for lookup of bagmail.com.
;rrset 84946 2 0 2 0
bagmail.com. 171346 IN NS ns1.goldkey.com.
bagmail.com. 171346 IN NS ns2.goldkey.com.
;rrset 84946 1 0 1 0
ns2.goldkey.com. 171346 IN A 206.83.79.29
;rrset 84946 1 0 1 0
ns1.goldkey.com. 171346 IN A 64.95.64.222
Delegation with 2 names, of which 2 can be examined to query further addresses.
It provides 2 IP addresses.
64.95.64.222 rtt 120000 msec, 12 lost. noEDNS probed.
206.83.79.29 rtt 120000 msec, 17 lost. noEDNS probed.

Is there any way to get unbound to return a servfail straight away?

Thanks
Gareth
_______________________________________________
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users