Hi Andrew, Paul,

On 03/29/2011 02:11 PM, Andrew Hearn wrote:
> On 29/03/11 12:19, Paul Wouters wrote:
>> On Tue, 29 Mar 2011, Andrew Hearn wrote:
>>
>>> We have version 1.3.4 on a server and have an odd, intermittent, problem
>>> with looking up a particular record.
>>>
>>> We have other unbound and bind servers that don't have this problem.
>>>
>>> eg:
>>>
>>> [root@a log]# unbound-control flush farnell.com
>>> ok
>>> [root@a log]# dig uk.farnell.com @localhost
>>
>> That domain seems broken, at least from the "world view":
>>
>> [paul@bofh ~]$ dnscheck uk.farnell.com.
>> 0.000: uk.farnell.com. INFO Begin testing zone uk.farnell.com. with
>> version 1.2.1.
>> 0.000: uk.farnell.com. INFO Begin testing delegation for uk.farnell.com..
>> 6.008: uk.farnell.com. INFO Name servers listed at parent:
>> dns1.cscdns.net,dns2.cscdns.net
>> 6.168: uk.farnell.com. ERROR Failed to find name servers of
>> uk.farnell.com./IN.
>> 6.168: uk.farnell.com. ERROR No name servers found at child.
>> 6.168: uk.farnell.com. INFO Done testing delegation for uk.farnell.com..
>> 6.168: uk.farnell.com. CRITICAL Fatal error in delegation for zone
>> uk.farnell.com..
>> 6.168: uk.farnell.com. INFO Test completed for zone uk.farnell.com..
>>
>> If it works internally, perhaps one issue is that one of your servers
>> uses the external instead
>> of internal view?

I think Paul is correct.

> Thanks for the info, but I'm not sure this explains it, as:
> unbound-host uk.farnell.com -v
> always works, and gives answers, but
> dig uk.farnell.com @localhost
> is intermittent
>
> Also, http://www.squish.net/dnscheck works each time we try

That is because the first lookup (has to) use the parent-side delegation
information. But with a cache the daemon on a second lookup uses the
child-side delegation information. unbound-host is a commandline tool
and does the first lookup of course.

In unbound 1.4.5 the approach to deal with such broken domains was
changed significantly, making it more robust. It may work with this
broken domain. Or, you could unbreak the domain, fix it :-)

Best regards,
Wouter
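
The following added example, which is not from the thread or from Unbound, classifies a delegation by comparing the NS set in the parent's referral with the NS set the listed nameservers return themselves, the parent-side/child-side split described in the reply above. The zone, the nameserver names and the captured dig output are constructed placeholders.

```python
# Added example: compare parent-side and child-side NS sets for one zone.
# Input is text captured with (names below are placeholders):
#   dig +norecurse NS sub.example.com @<server of the parent zone>
#   dig +norecurse NS sub.example.com @<nameserver listed at the parent>

def ns_records(dig_text, zone, section):
    """NS targets owned by `zone` in one section of dig output."""
    zone = zone.rstrip(".").lower() + "."
    current, names = None, set()
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";;"):
            # Banner such as ";; AUTHORITY SECTION:"; other ';;' lines reset.
            current = fields[1] if fields[2:3] == ["SECTION:"] else None
        elif (current == section and len(fields) >= 5
              and fields[3] == "NS" and fields[0].lower() == zone):
            names.add(fields[4].lower())
    return names

def check_delegation(parent_text, child_text, zone):
    """Classify the delegation from a parent referral and a child answer."""
    parent = ns_records(parent_text, zone, "AUTHORITY")  # referral
    child = ns_records(child_text, zone, "ANSWER")       # authoritative
    if not parent:
        return "not-delegated"
    if not child:
        return "no-ns-at-child"
    return "consistent" if parent == child else "mismatch"

# Constructed sample captures (not taken from the thread).
PARENT = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
sub.example.com. 3600 IN NS ns1.example.net.
sub.example.com. 3600 IN NS ns2.example.net.
"""
CHILD_BROKEN = """\
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.com. 300 IN SOA ns1.example.net. hostmaster.example.com. 1 3600 600 86400 300
"""
CHILD_OK = """\
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
sub.example.com. 3600 IN NS ns1.example.net.
sub.example.com. 3600 IN NS NS2.example.net.
"""

if __name__ == "__main__":
    print(check_delegation(PARENT, CHILD_BROKEN, "sub.example.com"))
    print(check_delegation(PARENT, CHILD_OK, "sub.example.com"))
```

A "no-ns-at-child" result corresponds to the "No name servers found at child" error in the dnscheck output quoted in the thread.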
