-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Attila,
On 02/09/2012 08:29 AM, Attila Nagy wrote: > Hi, > > Running unbound r2580, I can't resolve m.facebook.com. I get > SERVFAIL back. The server was running for some time, so it's not in > a fresh state. It seems the problem is that facebook DNS servers > time out on AAAA records, so unbound gets the false assumption that > they are unavailable. Well if you do not respond to queries, you deserve what you get. DNS has noanswer-nodata packets and this is what should be used. They do not implement RFC1034. And for that facebook deserves to be offline. That said, you want your users to be able to connect to sites that have broken software (or more likely: bad firewall). The feature you name would not actually stop unbounds internal lookups for the AAAA for the nameserver. You would need to configure a stub-zone in the config file with the IP4s of the nameservers as a workaround. The workaround for one name specific is not the right thing. Not sure how to fix this in a more general way. Store timeout information per-query-type and query-name specific (it is already per-zone) ? That makes the timeout information useless for new queries. I am not sure how to fix this, because on the other hand, very similar situations would result in continuous probes to a server that is down. And this also adds load to unbound. > Here are the verbose (level 4) logs while trying to resolve the > name: Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have added up to make the zone offline. Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPM4o/AAoJEJ9vHC1+BF+NFC4P/RwNDT6CcR9deHsNjLATlXfT hwJc3XqkD+CpuhqwHlpxuT5ULYIo3sKbNcRKQIl+3ZavULol+cX7TC7DcAlVyIhO lAOifRVaRdKbrLZgQilbxP6l5Ca6/U7sNkoxTAIMOn9qhe62WHmrbRolD4AyIEFo aJkFk1ZXBwwpkMuEHwmPLKtGVygNQLCmznPeDdfvCiHCws5ZRdpn57WjCCyIWcLm I6390D9fDVSHPkYx7PEmsz7TjyzYywvBVE8VOR0ZPMgzV6SKcMVBBVCKNPi3FZh9 hfTiy/AtmrsfasDaSjfXzjRCxOr8kf1LOyIU9gtVVdNYk+GyKZ8ZYQK0LxBpFvZ+ UqxOTDqoWvjxLx5/SNC2FkSKu9F9gho5qNRXCn4lOBqYEpwLvMfn/S1HxsEJ6lkp AXSx3rLyjqiW8yUjWCZcKGvRklXgFOg1kgmKIVrzkCbyh54JF7Hp+Od3GkSvjG58 naM/swzrS6yRjN6SLCNI+oa9Kw8NMLsoQJ1auVXw9R2tXu/NKm+uKFv+Pgn+cKNt /ZXN39GfahQf9G6kP04M31n6tJsxQ6J9dKvaS+8Edq9KZls9H9CFY+kkjnVnWeWh tzZFQlZ0wTRyQsgub3gMAhc0YxhZeb0M90M/+e+Chmp7bGLGJ/F67VcIU/E4ygiD XMfdyvDG3t6Mk9E0X0b6 =c9xt -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
