Hi, i'm running Unbound 1.4.6 on Linux for my recursing needs. It came to my attention that this Unbound does not even answer(!) queries for domains which have at least one malfunctioning NS in their NS RRSET.
In this case it's all about recursing 'archive.debian.org'. Please keep in mind that debian.org is running DNSSEC enabled. My Unbound is configured to do DNSSEC verification. Unfortunately (:P) the situation seems all normal now, all listed nameservers seem to be responding, making this issue a tad bit harder to reproduce. The domain 'debian.org' currently has four nameservers listed: | debian.org. 28800 IN NS ns1.debian.org. | debian.org. 28800 IN NS ns2.debian.org. | debian.org. 28800 IN NS ns3.debian.org. | debian.org. 28800 IN NS ns4.debian.com. Subdomain 'archive.debian.org' has it's own NS RRSET, geo[123].debian.org, these seem to work just fine. >From what i've seen, from time-to-time, ns4.debian.com seems not to respond to queries which in turn makes recursing 'archive.debian.org' (with no DNS cache) malfunction with Unbound like so: | [sanders@haze:~] % dig archive.debian.org | ; <<>> DiG 9.8.1-P1 <<>> archive.debian.org | ;; global options: +cmd | ;; connection timed out; no servers could be reached (i would expect SERVFAIL, at least) At the same time a BIND9 server does not seem to have any real problems recursing the query, it just takes a little longer for the answer to appear as it seems to skip over the not-responding host. I found that after the neg. cache ttl expires, sometimes Unbound *is* able to resolve the domain. This all seems to depend on what NS is first in the RRSET returned for 'debian.org'. Friends on IRC comment that this behaviour (broken recursing with one malfunctioning nameserver in a larger RRSET) is seen more and more, also across different recursors... I skimmed through RFCs 1912, 2182, 1034 and 1035 but could not really find the proposed way to handle situations like the above. Could someone please comment on this? -Sndr. -- | One tequila, two tequila, three tequila, floor. | 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2 _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
