Quote from Wouter Wijngaards <[email protected]>:
Hi,
On 03/06/2014 02:31 PM, [email protected] wrote:
Quote from staticsafe <[email protected]>:
On 3/5/2014 08:24, [email protected] wrote:
Hello,
today we discovered a hostname which is very slow to resolve
with Unbound 1.4.21 as validating resolver. It works fine with
all kinds of other resolvers and oddly enough even with another
Unbound instance. The host in question is esta.cbp.dhs.gov and
the resolve time, after it is no longer in the cache, ranges from around 2
to 5 seconds. I have taken a tcpdump and can only see that the
first answer comes much faster but Unbound keeps asking for the
same A record on different nameservers again and again.
Any idea what is going wrong?
The zone is not signed, but it is hosted on the same servers that also
host its parent zone, which is signed. Unbound is searching for
dnssec information. Then it does not find it. Then it tries to build
a chain of trust and finds the nsec3optout and then you get the answer.
Apart from a lot of traffic to those servers, as it is trying all of
them for every query, it should actually work fairly fast. Are these
servers somehow blocking access to you (with timeouts)?
Since the servers are all responsive (for me, from an IETF address),
and in total the resolution is very fast (not near 5-10 sec), I think
something else is going on. This could have been triggered by the
extra traffic that unbound sends towards those servers because it is
trying to find out the co-hosted-parent problem as well as an optout
that happens while it did not see the optout-referral.
Looking for workarounds, try domain-insecure for cbp.dhs.gov.
Best regards,
Wouter
As of now they are much faster but still slow:
Main site:
; <<>> DiG 9.8.1-P1 <<>> esta.cbp.dhs.gov A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22953
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;esta.cbp.dhs.gov. IN A
;; ANSWER SECTION:
esta.cbp.dhs.gov. 900 IN A 216.81.87.20
;; Query time: 1503 msec
;; SERVER: 10.5.0.3#53(10.5.0.3)
;; WHEN: Thu Mar 6 21:18:24 2014
;; MSG SIZE rcvd: 50
was more than 4000ms at report time
Hosted VPS:
; <<>> DiG 9.8.1-P1 <<>> esta.cbp.dhs.gov A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46389
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;esta.cbp.dhs.gov. IN A
;; ANSWER SECTION:
esta.cbp.dhs.gov. 900 IN A 216.81.87.20
;; Query time: 387 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 6 21:19:04 2014
;; MSG SIZE rcvd: 50
was around 1500ms at report time
Problem is that we have a cascade with unbound1 asking unbound2 at the
gateway, and with a resolve time of around 4 seconds unbound1 will
report a timeout and access to this site will block. I could capture a
tcpdump and send it to you in private if you would like to have a look at it. I'm
a little out of ideas because, as said, it looks like the answer is
flowing in fast but unbound is searching over and over again...
Thanks
Andreas
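The domain-insecure workaround Wouter suggests, scripted as an added example (not code from the thread or from the Unbound project) that applies it, reloads Unbound, flushes the zone from cache and checks whether resolution now finishes under the cascade's 4 second timeout. It assumes unbound-control is enabled and that the config include directory is /etc/unbound/unbound.conf.d; both are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Assumption: unbound-control is configured and the directory below is
# included from unbound.conf (adjust CONF_DIR for your installation).
ZONE="cbp.dhs.gov"
NAME="esta.cbp.dhs.gov"
CONF_DIR="${CONF_DIR:-/etc/unbound/unbound.conf.d}"

# Emit the server-section fragment. domain-insecure makes Unbound ignore
# the DNSSEC chain of trust at and below the zone, so it stops hunting for
# a DS/NSEC3 proof on the servers that also host the signed parent.
# Trade-off: answers under the zone are no longer validated.
insecure_fragment() {
    printf 'server:\n    domain-insecure: "%s"\n' "$1"
}

# Extract the number from the ";; Query time: N msec" line of dig output.
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# True (exit 0) when a measured time exceeds the upstream resolver's
# timeout in the cascade (unbound1 gives up at roughly 4000 ms).
is_too_slow() {  # $1 = measured msec, $2 = threshold msec
    [ "$1" -gt "$2" ]
}

apply_and_measure() {
    insecure_fragment "$ZONE" > "$CONF_DIR/insecure-$ZONE.conf"
    unbound-checkconf
    unbound-control reload
    # Drop cached state for the zone so the next query really goes upstream.
    unbound-control flush_zone "$ZONE"
    ms=$(dig "$NAME" A @127.0.0.1 | query_time_ms)
    echo "resolution of $NAME took ${ms} ms"
    if is_too_slow "$ms" 4000; then
        echo "still slower than the cascade timeout" >&2
        return 1
    fi
}

# Only touch the live resolver when explicitly asked: ./check.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_and_measure
fi
```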
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users