Hi,

On 09/15/2011 10:36 PM, Paul Wouters wrote:
> On Thu, 15 Sep 2011, Robert Fleischman wrote:
>
>> Are you SURE your server returns? I just tried it with:
>>
>> dig +time=600 +tcp @193.110.157.136 -t ns dir.slb.com.
>>
>> And it doesn't return AT ALL. (That is a 10 minute wait time!!)
>
> Seems you are right. An entry in my resolv.conf sneaked through to my bind
> fallback server, which does answer with the hundreds of NS records, though
> without any additional A records.
>
> I ran: unbound-host dir.slb.com. -t NS -ddddd
>
> but killed it after it had generated 100MB of data and was still looping.
> bind does return pretty quickly, though it has no additional records at
> all.
>
> dig ns dir.slb.com @ns3.slb.com. also shows how bogus that response is.
> Many *.dir.slb.com nameservers, but not a single glue record.

Yes, it has 283 nameserver entries and 280 addresses (that I can find). I have tried them, but they do not reply. They time out.

So what happens is that unbound quietly starts probing this very long list. It will take some time to do this. If space becomes a problem, this query is the oldest and gets removed.

You say that bind returns. How does it get an answer? None of the IPs associated with the domain return UDP replies. Perhaps it returns the NS set from the referral as the answer? Unbound refuses to do this for security reasons.

>> I don't have any "harden" stuff on. I do have:
>>
>> val-permissive-mode: yes
>
> That disables all DNSSEC. Any good reason for that?

Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
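
The glue problem discussed in this thread can be checked offline from saved `dig` output. The following is an added example, not part of the original message or of unbound: it counts the NS records for a delegation and lists the name servers that sit inside the delegated zone but have no address record in the response. The zone name, server names and addresses in the sample are constructed.

```python
# Added example: audit saved dig output for NS names that lack glue.
# SAMPLE_DIG is constructed data (reserved example names and addresses).
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
dir.example.test.      3600 IN NS ns1.dir.example.test.
dir.example.test.      3600 IN NS ns2.dir.example.test.
dir.example.test.      3600 IN NS ns3.example.net.

;; ADDITIONAL SECTION:
ns1.dir.example.test.  3600 IN A  192.0.2.1
"""


def parse_records(dig_text):
    """Yield (owner, rtype, rdata) for each resource-record line in dig output."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig's comment/section headers
        fields = line.split()
        # dig prints: owner TTL class type rdata...
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0].lower(), fields[3].upper(), fields[4].lower()


def audit_delegation(dig_text, zone):
    """Summarise the NS set for `zone` and report name servers without glue."""
    zone = zone.lower().rstrip(".") + "."
    ns_names, glue = [], {}
    for owner, rtype, rdata in parse_records(dig_text):
        if rtype == "NS" and owner == zone:
            ns_names.append(rdata)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    # Names at or below the zone cut need glue to be reachable from the referral.
    in_zone = [n for n in ns_names if n == zone or n.endswith("." + zone)]
    return {
        "ns_count": len(ns_names),
        "glue_addresses": sum(len(glue.get(n, [])) for n in ns_names),
        "in_zone_without_glue": sorted(n for n in in_zone if n not in glue),
        "out_of_zone_without_glue": sorted(
            n for n in ns_names if n not in in_zone and n not in glue
        ),
    }


if __name__ == "__main__":
    for key, value in audit_delegation(SAMPLE_DIG, "dir.example.test").items():
        print(f"{key}: {value}")
```
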
