On Thu, Feb 09, 2012 at 09:56:36AM +0100, W.C.A. Wijngaards wrote:
> Hi Attila,
>
> On 02/09/2012 08:29 AM, Attila Nagy wrote:
> > Hi,
> >
> > Running unbound r2580, I can't resolve m.facebook.com. I get
> > SERVFAIL back. The server was running for some time, so it's not in
> > a fresh state. It seems the problem is that facebook DNS servers
> > time out on AAAA records, so unbound gets the false assumption that
> > they are unavailable.
>
> Well if you do not respond to queries, you deserve what you get. DNS
> has noanswer-nodata packets and this is what should be used. They do
> not implement RFC1034. And for that facebook deserves to be offline.
>
> That said, you want your users to be able to connect to sites that
> have broken software (or more likely: bad firewall). The feature you
> name would not actually stop unbound's internal lookups for the AAAA
> for the nameserver. You would need to configure a stub-zone in the
> config file with the IP4s of the nameservers as a workaround.
>
> The workaround for one name specific is not the right thing. Not sure
> how to fix this in a more general way. Store timeout information
> per-query-type and query-name specific (it is already per-zone)?
> That makes the timeout information useless for new queries.
>
> I am not sure how to fix this, because on the other hand, very similar
> situations would result in continuous probes to a server that is down.
> And this also adds load to unbound.
>
> > Here are the verbose (level 4) logs while trying to resolve the
> > name:
>
> Thanks, yes, it is doing a lot of AAAA lookups and those timeouts have
> added up to make the zone offline.

I think I know of a hack, try a SOA or NS lookup on the apex at the same
nameservers? Then you know it is still up and running. I don't know if
it is possible to know the apex at all times. And you probably have to
keep more state. :-( It is an incredibly stupid hack, I know.

> Best regards,
> Wouter
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
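
The apex-probe idea from the reply above, as an added sketch that is not from the thread and not Unbound's code. It is a simplified model: the threshold `DOWN_AFTER`, the `Server` and `Resolver` classes, the constructed server behaviour and the apex `facebook.com.` are all assumptions made for illustration.

```python
"""Simplified model of per-server timeout accounting; not Unbound's code."""

DOWN_AFTER = 4  # assumed threshold: consecutive timeouts before "down"


class Server:
    """Constructed authoritative server that silently drops some query types."""

    def __init__(self, drops=(), alive=True):
        self.drops, self.alive = set(drops), alive

    def query(self, qname, qtype):
        # None models a timeout: no packet comes back at all.
        if not self.alive or qtype in self.drops:
            return None
        return f"{qname} {qtype} answer"


class Resolver:
    def __init__(self, server, apex, apex_probe=False):
        self.server, self.apex, self.apex_probe = server, apex, apex_probe
        self.timeouts = 0  # one counter per server, shared by all names and types

    def is_down(self):
        return self.timeouts >= DOWN_AFTER

    def resolve(self, qname, qtype):
        if self.is_down():
            return "SERVFAIL"  # server is skipped, nothing is sent
        reply = self.server.query(qname, qtype)
        if reply is not None:
            self.timeouts = 0
            return reply
        self.timeouts += 1
        # Apex probe: when the counter is about to take the server out, ask it
        # for the SOA of the zone apex. An answer shows it is up, so reset.
        if self.apex_probe and self.is_down():
            if self.server.query(self.apex, "SOA") is not None:
                self.timeouts = 0
        return "SERVFAIL"


def run(server, apex_probe):
    """Send DOWN_AFTER AAAA queries that time out, then one A query."""
    resolver = Resolver(server, "facebook.com.", apex_probe)
    for _ in range(DOWN_AFTER):
        resolver.resolve("m.facebook.com.", "AAAA")
    return resolver.resolve("m.facebook.com.", "A")
```

`run(Server(drops={"AAAA"}), False)` returns `SERVFAIL` for the A query, while the same server with `apex_probe=True` answers it; `run(Server(alive=False), True)` still returns `SERVFAIL`, at the cost of one extra probe each time the threshold is reached.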
