Hi Alan,
On 08/08/2011 01:55 PM, Alan Gutierrez wrote:
>
> On Aug 6, 2011, at 7:45 PM, Paul Wouters wrote:
>
>> On Sat, 6 Aug 2011, Alan Gutierrez wrote:
>>
>>> It used to be the case that I could flush the unbound cache and then
>>> resolve a name immediately. Now there is a long delay before I start to get
>>> results. It is especially bad on Fedora 15 running in VirtualBox on OS X
>>> Lion, but I'm also seeing it slow down on Fedora 15 at EC2. I updated
>>> root.hints, but that didn't seem to help. I can't make much sense of the
>>> debugging logging output. A couple weeks ago, flushing cache or restarting,
>>> you might notice a light delay on the first lookup, but now it takes a few
>>> minutes to get results other than timeouts.
>>>
>>> server:
>>>     verbosity: 2
>>>     num-threads: 1
>>>     interface: 127.0.0.1
>>>     do-ip4: yes
>>>     do-ip6: no
>>>     do-udp: yes
>>>     do-tcp: no
>>
>> Why do you have do-tcp set to no? That will cause problems on large dnssec
>> replies that get truncated.

Yes that would be good to enable.

>>>     use-caps-for-id: yes
>>
>> You can try disabling this, some servers don't do 0x20 properly and it might
>> be causing delays.
>
> I tried disabling this, but it was working fine before about two weeks ago.
> Now I'm finding a slow start everywhere. I've created a gist, with the output
> of the unbound logs, with verbose at 9. It goes from startup to the
> successful resolution of "dig NS .". The first time I invoke dig, it times
> out. Then I wait a while and invoke dig again, for a successful resolution.
>
> https://gist.github.com/1131622
>
> There is a lot there. I'm not sure what to look for. If there is anything I
> can do to make it easier to get feedback from the group, let me know.

What seems to be happening is this:

Aug 8 11:20:37 celje unbound: [6762:0] debug: timeout udp

You have only a DLV key. The root.key file you read with the statement trusted-keys-file (which is for BIND compatibility).
I would expect you to use auto-trust-anchor-file: "....root.key". (and use unbound-anchor to make that file in the rc/init script). There are no trust anchors in your root.key file?

Thus, because you do not have a root key. But a DLV key. And 0x20 and harden-referral-path. For me that creates a queue of 164 on the first prime. And it takes a long time to prime for me too. (perhaps something like an adsl modem is dropping connections because there are too many?)

If I add a normal root trust anchor, the first prime succeeds (in a second).

So, your combination of options creates a lot of work. You can wait for that. Or you can add a root trust anchor, which I think you intend to?

Best regards,
Wouter
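
The option combination diagnosed in this reply can be checked mechanically. The Python sketch below is an added example, not part of the original message and not code from the Unbound project; the sample configurations, file paths and finding codes are constructed, and it assumes that any configured trust-anchor option holds the root key (file contents are not read).

```python
import re

# Assumption: any of these options supplies the root trust anchor.
ANCHOR_OPTS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor")
DLV_OPTS = ("dlv-anchor-file", "dlv-anchor")

def parse_options(conf_text):
    """Collect 'name: value' pairs from unbound.conf text; last value wins."""
    opts = {}
    for raw in conf_text.splitlines():
        m = re.match(r"\s*([a-z0-9-]+):\s*(\S.*)$", raw.split("#", 1)[0])
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def audit(conf_text):
    """Return (code, message) findings for the combination diagnosed in the thread."""
    o = parse_options(conf_text)
    findings = []
    if o.get("do-tcp", "yes") == "no":
        findings.append(("tcp-off", "do-tcp: no, truncated DNSSEC replies cannot fall back to TCP"))
    if "trusted-keys-file" in o and "auto-trust-anchor-file" not in o:
        findings.append(("bind-keys", "trusted-keys-file in use; thread suggests auto-trust-anchor-file"))
    if any(k in o for k in DLV_OPTS) and not any(k in o for k in ANCHOR_OPTS):
        costly = [k for k in ("use-caps-for-id", "harden-referral-path") if o.get(k) == "yes"]
        detail = " with " + " and ".join(costly) if costly else ""
        findings.append(("dlv-only", "DLV anchor but no root trust anchor" + detail))
    return findings

# Constructed sample: the posted options plus the settings the reply infers.
SLOW_CONF = """
server:
    do-udp: yes
    do-tcp: no
    use-caps-for-id: yes
    harden-referral-path: yes
    trusted-keys-file: "/etc/unbound/root.key"       # constructed path
    dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"  # constructed path
"""
# Constructed sample: the same server with the changes suggested in the thread.
FIXED_CONF = SLOW_CONF.replace("do-tcp: no", "do-tcp: yes").replace(
    "trusted-keys-file", "auto-trust-anchor-file")

if __name__ == "__main__":
    for name, conf in (("slow", SLOW_CONF), ("fixed", FIXED_CONF)):
        print(name, [code for code, _ in audit(conf)])
```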
