Hi Michael,

You need to configure outgoing-range: 20480 too, so that it has sockets to service those 20480 requests in the requestlist. libevent is good. You can get_option in unbound-control. I'll point to http://unbound.net/documentation/howto_optimise.html for the audience.

It could be that OpenBSD has a restrictive ulimit on the number of open files, and that unbound throttles back its usage to fit in that ulimit (of 256?). ulimit -n. You can override it as root. Unbound prints a warning at startup.

Best regards,
Wouter

On 02/21/2011 04:27 PM, Slingerland, Michael van wrote:
> Hi Wouter,
>
> Thanks for your swift and thorough answer!
>
> This brings me to my next issue I have due to this groupinfra behaviour.
>
> That is that my resolver begins to show "requestlist exceeded" counters up to
> 3K per sec.
> After my requestlist hits about 250.... My assumption is that it probably
> only sets 512 slots for the requestlist at startup, while I configured the
> value 20480 for num-queries-per-thread.
>
> But it seems somehow that this config entry is ignored..
> Is there a way to check in unbound how many slots are actually allocated
> after startup?
>
> I compiled with libevent so it should at least have 1024
> num-queries-per-thread.
>
> Thanks,
> mike
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of W.C.A. Wijngaards
> Sent: Monday, 21 February 2011 15:41
> To: [email protected]
> Subject: Re: [Unbound-users] Increase of requestlist entries/connection
> timeout due to groupinfra.com domain
>
> Hi Michael,
>
> groupinfra.com's servers, ns1.logica.com and ns2.logica.com are both
> 'recursion-lame'. They are configured as a cache (and offer recursion but
> not the AA flag on answers). Unbound tries to avoid them, but there are no
> alternatives (no AAAA records or anything). Then, unbound tries a +RD query
> there (as if it were forwarding) and receives an answer (TTL
> 51 seconds, yes they really are recursors with TTLs).
>
> Since there are not really authoritative servers for groupinfra.com, it could be
> that their 'semi-caches' cannot find the information all the time, or have
> trouble as well. zonecheck says 'it has no nameservers'.
>
> Try to use unbound-control lookup groupinfra.com to get more information.
>
> I see that groupinfra.com says it has different nameservers, its NS record
> has 75 entries. This explains the very long times where queries exist for
> unbound; as it is trying every server and gets timeouts. I notice a lot of
> these entries seem to be on a subnet of some sort
> (10.0.0.0/8 and others maybe too), and perhaps firewalled.
>
> Since it claims to have nameservers that do not answer, it is not going to
> get very good service. The official nameservers registered with .com are
> not authoritative.
>
> Best regards,
> Wouter
>
>
> On 02/21/2011 02:45 PM, Slingerland, Michael van wrote:
>> Hi,
>
>> I've been scratching my head for a few days now, trying to figure out
>> what is happening here.
>> 1) I noticed that the requestlist dump contains about 200 subdomains
>> for groupinfra.com, some of them are there for up to 85000 seconds.
>
>> 2) 1 entry in the requestlist is:
>> 215 A IN xjdjtallrd.groupinfra.com. 25205.720826 iterator wants A IN
>> de-dc002.groupinfra.com. A IN in-dc007.groupinfra.com. A IN
>> uk-dc015.groupinfra.com.
>
>> Resolving this domain with dig returns:
>
>> # dig @localhost xjdjtallrd.groupinfra.com
>
>> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; connection timed out; no servers could be reached
>> #
>
>> 3) flushing the requestlist and name from the cache
>
>> # dig @localhost xjdjtallrd.groupinfra.com
>
>> ; <<>> DiG 9.4.2-P2 <<>> @localhost xjdjtallrd.groupinfra.com
>> ; (2 servers found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65121
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>> ;; QUESTION SECTION:
>> ;xjdjtallrd.groupinfra.com. IN A
>
>> ;; AUTHORITY SECTION:
>> groupinfra.com. 3107 IN SOA uk-dc001.groupinfra.com. hostmaster. 15046308 900 600 86400 900
>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Mon Feb 21 14:38:14 2011
>> ;; MSG SIZE rcvd: 98
>
>> #
>
>> After a few hours the domain is again not resolvable as in point 2.
>
>> Flushing the requestlist and domain groupinfra.com from cache fixes
>> again this issue.
>
>> I am using unbound 1.4.7 on OpenBSD 4.5.
>
>> Compile options:
>> ./configure --prefix=/opt/unbound-1.4.7 \
>>   --with-ssl=/usr \
>>   --with-libevent=/usr \
>>   --without-pthreads \
>>   --with-chroot-dir=/var/unbound \
>>   --with-pidfile=/var/run/unbound.pid \
>>   --with-conf-file=/var/unbound/etc/unbound.conf \
>>   --with-username=named \
>>   --disable-gost \
>>   --with-ldns-builtin
>
>> I'm trying to understand why this domain is only temporarily
>> resolvable and after it fails, it is resolvable again after a flush of
>> requestlist and domain groupinfra.com.
>
>> Thanks,
>> Michael
>
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
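
Added example, not part of the original thread or of Unbound itself: a shell check for the sizing mismatch discussed in this message, namely that outgoing-range should cover num-queries-per-thread and that the open-file limit (ulimit -n) must be able to hold the outgoing sockets. The function names, the exact comparisons and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare unbound.conf sizing with the
# open-file limit. Function names and the sample config are constructed.

# conf_value FILE KEY: print the last value given for "KEY:" ('#' comments stripped).
# Assumes the usual "key: value" layout with a space after the colon.
conf_value() {
    sed 's/#.*//' "$1" |
        awk -v key="$2:" '$1 == key { val = $2 } END { if (val != "") print val }'
}

# check_sizing FILE FD_LIMIT: print findings (or "ok").
# Returns 0 when consistent, 1 on a mismatch, 2 when a setting is missing.
check_sizing() {
    queries=$(conf_value "$1" num-queries-per-thread)
    range=$(conf_value "$1" outgoing-range)
    fd_limit=$2
    rc=0
    if [ -z "$queries" ] || [ -z "$range" ]; then
        echo "num-queries-per-thread or outgoing-range is not set explicitly"
        return 2
    fi
    # Per the reply above: the requestlist needs sockets to service its entries.
    if [ "$range" -lt "$queries" ]; then
        echo "outgoing-range $range is below num-queries-per-thread $queries"
        rc=1
    fi
    # Every outgoing socket is a file descriptor, so the limit must exceed the range.
    if [ "$fd_limit" != unlimited ] && [ "$fd_limit" -le "$range" ]; then
        echo "open-file limit $fd_limit cannot hold outgoing-range $range"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo ok; fi
    return "$rc"
}

# Constructed sample: a large requestlist, a small outgoing-range, and an
# assumed open-file limit of 256 (the figure guessed at in the reply).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server:
    num-queries-per-thread: 20480   # value configured in the thread
    outgoing-range: 512             # constructed value
EOF
check_sizing "$sample" 256 || true
rm -f "$sample"
```

On a live resolver, pass the output of ulimit -n from the account that starts unbound as the second argument, and compare the result with what unbound-control get_option outgoing-range reports.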
