-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Aaron,
On 03/20/2013 09:51 PM, Aaron Hopkins wrote: > I internally override an externally visible domain to be able to > give different answers with a config like: > > stub-zone: name: "example.com" stub-addr: 10.1.2.3 stub-addr: > 10.1.2.4 stub-prime: yes > > I recently upgraded from Unbound 1.4.4 to 1.4.19 and after running > for a few hours was noticing that queries for foo.bar.example.com > (an internal-only name) started returning NXDOMAIN. When this > happens, "dig -t ns example.com" shows the external NS records. > > It turned out that I had poorly configured a subdomain of > example.com with a lame delegation to itself, and Unbound would > eventually stop talking to 10.1.2.3 and 10.1.2.4 because of this, > claiming "debug: No more query targets, attempting last resort". > It then it does what the documentation for "stub-first" claims, > even though I don't have it enabled, and goes and looks up the > nameservers for "example.com" starting with the roots. > Unfortunately, this means it starts answering queries using the > external nameservers instead of the internal ones. > > Is this the expected behavior of stub-prime? It seems to be a > change from how it was behaving in Unbound 1.4.4. Not for stub-prime, the newly introduced behaviour for 'normal referrals' is to check at the parent as a last resort to get information. When you add a stub-zone with stub-prime yes, then this also activates. > Disabling stub-prime seems to fix this. Because it does not failover to the parent as a last resort. > See the sanitized relevant snippet of unbound-host output below. I > can send a larger unsanitized chunk privately if this isn't > enough. Not sure if I should fix this, or not. Is it merely unexpected, or undesirable? Best regards, Wouter > Thanks! > > -- Aaron > > --- > > Mar 20 13:03:34 libunbound[13226:0] debug: iter_handle processing q > with state QUERY RESPONSE STATE Mar 20 13:03:34 libunbound[13226:0] > info: query response was THROWAWAY Mar 20 13:03:34 > libunbound[13226:0] debug: iter_handle processing q with state > QUERY TARGETS STATE Mar 20 13:03:34 libunbound[13226:0] info: > processQueryTargets: blah.example.com.example.com. AAAA IN Mar 20 > 13:03:34 libunbound[13226:0] debug: processQueryTargets: > targetqueries 0, currentqueries 0 sentcount 10 Mar 20 13:03:34 > libunbound[13226:0] info: > DelegationPoint<example.com.example.com.>: 2 names (0 missing), 2 > addrs (0 result, 0 avail) parentNS Mar 20 13:03:34 > libunbound[13226:0] info: dnsmaster1.foo.example.com. * A Mar 20 > 13:03:34 libunbound[13226:0] info: dnsmaster2.foo.example.com. * > A Mar 20 13:03:34 libunbound[13226:0] debug: ip4 10.1.2.4 port > 53 (len 16) Mar 20 13:03:34 libunbound[13226:0] debug: ip4 > 10.1.2.3 port 53 (len 16) Mar 20 13:03:34 libunbound[13226:0] > debug: No more query targets, attempting last resort Mar 20 > 13:03:34 libunbound[13226:0] info: found in cache > dnsmaster1.foo.example.com. A IN Mar 20 13:03:34 > libunbound[13226:0] info: found in cache > dnsmaster2.foo.example.com. A IN Mar 20 13:03:34 > libunbound[13226:0] info: new pside target > dnsmaster1.foo.example.com. A IN Mar 20 13:03:34 > libunbound[13226:0] debug: try parent-side glue lookup Mar 20 > 13:03:34 libunbound[13226:0] debug: mesh_run: iterator module exit > state is module_wait_subquery Mar 20 13:03:34 libunbound[13226:0] > debug: iterator[module 1] operate: extstate:module_state_initial > event:module_event_pass Mar 20 13:03:34 libunbound[13226:0] info: > iterator operate: query dnsmaster1.foo.example.com. A IN Mar 20 > 13:03:34 libunbound[13226:0] debug: iter_handle processing q with > state INIT REQUEST STATE Mar 20 13:03:34 libunbound[13226:0] info: > resolving dnsmaster1.foo.example.com. A IN Mar 20 13:03:34 > libunbound[13226:0] debug: request has dependency depth of 1 Mar 20 > 13:03:34 libunbound[13226:0] debug: cache blacklisted, going to the > network Mar 20 13:03:34 libunbound[13226:0] info: priming . IN NS > Mar 20 13:03:34 libunbound[13226:0] debug: mesh_run: iterator > module exit state is module_wait_subquery Mar 20 13:03:34 > libunbound[13226:0] debug: iterator[module 1] operate: > extstate:module_state_initial event:module_event_pass Mar 20 > 13:03:34 libunbound[13226:0] info: iterator operate: query . NS IN > Mar 20 13:03:34 libunbound[13226:0] debug: iter_handle processing q > with state QUERY TARGETS STATE Mar 20 13:03:34 libunbound[13226:0] > info: processQueryTargets: . NS IN Mar 20 13:03:34 > libunbound[13226:0] debug: processQueryTargets: targetqueries 0, > currentqueries 0 sentcount 0 Mar 20 13:03:34 libunbound[13226:0] > info: DelegationPoint<.>: 13 names (0 missing), 13 addrs (0 result, > 13 avail) parentNS Mar 20 13:03:34 libunbound[13226:0] info: > A.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info: > B.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info: > C.ROOT-SERVERS.NET. * A Mar 20 13:03:34 libunbound[13226:0] info: > D.ROOT-SERVERS.NET. * A > _______________________________________________ Unbound-users > mailing list [email protected] > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIbBAEBAgAGBQJRSvsYAAoJEJ9vHC1+BF+NnCgP92pQlAxb9Zux16LtoTrBfmVn Sinsgaz+ym9JVuO1brs8g4QNgjs9y8dDoNUMX4Ad1dNxoaFa0TpUllkqXgrq+wqo EWQ2CbmFGH2NolB9TeLiXGDx4Cu1ik+qDUejIrvQyNWRDwmmEItidpQC/5Q8QNWA tuw0y1palLhxVC8cvNWmcI4qLvyRFNFz9QENHL5ic5vkZDiDNjT1UoIyt6nBWIhx fH6O67boh26gD6+zv+l2v8lg6l8IOjpnwzBHno5TNizClKDfY+U5e9UWLTahP0mp VdvIWEOtT4jaMe2fnM8oJAQUjVm1mJk3t33gcezi5xkuCX8Z7tYawCkoXOWzVrWI w1l5ou8BDz/8Vk0+8Wzng9J/65THYzbQM3eg+Z4XOYQRGHbhxaoXkQwIXNitCbSK WG5szjiNQHB4d1nQAkJO9XZIOMKoyUCblQz1+mlDEpnXdyvGviekAB+SaiRPg8Fo EGSkoM/y4MaMaRrSs/c82xCIn+cEfhgPGzNPLEtTXTK4p0zZl0YhUx7kP0JTnspw As2E+NvlI6BwIZevoaC+zZ0Ak/iO3tLzZVIHYB2LpboWqKKe9KBdYkj5N3O2evvD AxmWNK/9l7HOTFoHh72+GnZ/ueQRqZZsY7Lmei6f9jc+mmVBRSEpp6svWFhy6A+8 ngsP7iQnB2umaThhl0E= =ZsDp -----END PGP SIGNATURE----- _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
