Hi Maciej,

On 08/25/2014 01:05 PM, Maciej Soltysiak wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards
> <[email protected]> wrote:
>> Yes. The reddit servers (or likely, their load-balancers) are
>> not following the DNS specifications. They are dropping the
>> query and they should be replying. There was a draft at the IETF
>> even to mark this as harmful, but it did not progress through the
>> standards track, I believe. If they want to refuse the query for
>> unclear reasons (what is wrong with responding NXDOMAIN?) they
>> could choose from nice error codes like SERVFAIL and FORMERR and
>> REFUSED.
>
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same
> (drop). When I asked the parents, they answered.
>
> Cloudflare seems to do the same thing for their customers.
>
> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
>
> It's silly because in order to immunize your cache against this
> you would have to start your own filtering... That shouldn't be the
> point.
>
>> Unbound notices the domain does not respond to A queries. And
>> marks the domain as timed out, down, for A queries. Unbound
>> stops sending A queries there to attempt to throttle down traffic
>> towards that stricken server. If A queries get replies (there is
>> an exponential backoff to the queries sent out) then unbound
>> marks the server as responsive again (the server is considered
>> back up) and queries are resumed.
>
> Is there any unbound-control command to help in this situation?
> i.e. manually override the backoff or reset it? Would flush_type
> or flush_name help?

    unbound-control flush_infra [all | ip-address of the nameserver]

This deletes the timing information so queries are sent again.
You could also reduce the infra-ttl in the config, so that unbound
forgets this sort of thing faster.

Best regards,
Wouter
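The reset described in the reply above can be targeted at only the servers unbound has given up on. The script below is an added example, not part of the original message or of unbound itself: it filters `unbound-control dump_infra` output for hosts in backoff and prints the matching `flush_infra` commands. The dump line layout, the 120000 ms cut-off, and the sample addresses are assumptions; check them against your unbound version.

```shell
#!/bin/sh
# Added example. Lists nameserver IPs that an infra cache dump shows as
# timed out, so each can be reset with `unbound-control flush_infra <ip>`.
# Assumed dump_infra line layout (verify on your version):
#   <ip> <zone> ttl N ping N var N rtt N rto N tA N tAAAA N tother N ...
# Assumption: an rto (retransmit timeout, ms) at or above 120000 means
# unbound has stopped querying that server.

RTO_LIMIT=120000

# Reads dump_infra text on stdin; prints "ip zone rto tA" per backed-off host.
backed_off_servers() {
    awk -v limit="$RTO_LIMIT" '
    {
        rto = ""; ta = 0
        # After the ip and zone columns the line is keyword/value text;
        # match on the keyword so valueless words like "lame" do no harm.
        for (i = 3; i < NF; i++) {
            if ($i == "rto") rto = $(i + 1)
            if ($i == "tA")  ta  = $(i + 1)   # count of A-query timeouts
        }
        if (rto != "" && rto + 0 >= limit) print $1, $2, rto, ta
    }'
}

# Turns that list into flush commands, one per affected nameserver.
flush_commands() {
    backed_off_servers | awk '{ print "unbound-control flush_infra " $1 }'
}

# Constructed sample dump (documentation addresses, not real servers).
sample_dump() {
    cat <<'EOF'
192.0.2.10 example.com. ttl 840 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.20 example.com. ttl 612 ping 21 var 30 rtt 141 rto 141 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.5 example.net. expired rto 376
EOF
}

# Live use: unbound-control dump_infra | flush_commands
sample_dump | flush_commands
```

Review the printed commands before running them: flushing only the listed addresses keeps the timing data for healthy servers, which `flush_infra all` would discard.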
