On 2015-11-03 05:57, W.C.A. Wijngaards via Unbound-users wrote:
> No, there is no option to disable the CNAME checks.  The trust in the
> other nameserver is by the way not enough reason to have used such an
> option, it is protection against inserted spoofed packets here that
> has mandated the checks.

I'm having trouble wrapping my head around this one, why are CNAMEs different in regards to spoofing?

I understand why the resolver wants to do sanity-checking, but are these records more vulnerable to spoofing than in the general case of trusting an upstream resolver implicitly?

> Consider enabling prefetch: yes   (and prefetch-key: yes) in
> unbound.conf, for commonly asked queries that will make it prefetch a
> couple seconds before expiry to refresh the cache entry, and that
> should be enough to hide this latency for a larger number of queries.

When I was in a similar situation a few months back, prefetching made a *big* difference. However, only for names that are accessed by multiple clients. There were cases where one client was frequently accessing the same resource (but no others) and these still expired without getting prefetched due to the client side caching.

Such is life.

> Another option, but less desirable, is cache-min-ttl where you can
> force entries to stay in the cache for a longer time (i.e. that CNAME
> was from a CDN with very short TTLs).

Within a very reasonable ceiling. Perhaps 300 seconds might be the largest cache-min-ttl that one might consider.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
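The prefetch and cache-min-ttl behaviour discussed in this thread can be reasoned about with a small cache model. The following is an added example, not Unbound's code and not written by anyone on the list; it assumes Unbound's documented prefetch rule (a cached answer is refreshed when less than 10% of its TTL remains) and a cache-min-ttl floor applied to the TTL received from upstream. The query pattern, name and TTLs are constructed inputs. It reproduces the two observations above: prefetch hides the refresh latency when a name is queried often enough to land in the final 10% of the TTL, but a single client whose own cache expires in lockstep with the resolver's never triggers a prefetch, and cache-min-ttl only reduces how often that client pays for a miss.

```python
# Toy model of a caching resolver with Unbound-style prefetch and a
# cache-min-ttl floor. Assumption (from the unbound.conf manual): prefetch
# fires on a cache hit when the remaining TTL is below 10% of the stored TTL.
from dataclasses import dataclass

PREFETCH_FRACTION = 0.10  # assumed prefetch window, as a fraction of the TTL


@dataclass
class Entry:
    ttl: int       # TTL actually stored (after the cache-min-ttl floor)
    expires: int   # absolute time at which the entry leaves the cache


class Cache:
    def __init__(self, prefetch: bool, cache_min_ttl: int = 0):
        self.prefetch = prefetch
        self.cache_min_ttl = cache_min_ttl
        self.entries: dict[str, Entry] = {}
        self.upstream_queries = 0  # every fetch or prefetch sent upstream

    def _fetch(self, name: str, now: int, upstream_ttl: int) -> None:
        # cache-min-ttl raises short upstream TTLs (e.g. a CDN CNAME) to the floor
        self.upstream_queries += 1
        ttl = max(upstream_ttl, self.cache_min_ttl)
        self.entries[name] = Entry(ttl=ttl, expires=now + ttl)

    def lookup(self, name: str, now: int, upstream_ttl: int) -> str:
        """Serve one client query; returns 'miss', 'hit' or 'hit+prefetch'."""
        entry = self.entries.get(name)
        if entry is None or entry.expires <= now:
            # Client waits for the upstream round trip: this is the visible latency
            self._fetch(name, now, upstream_ttl)
            return "miss"
        remaining = entry.expires - now
        if self.prefetch and remaining < PREFETCH_FRACTION * entry.ttl:
            # Answer from cache immediately, refresh in the background
            self._fetch(name, now, upstream_ttl)
            return "hit+prefetch"
        return "hit"


def simulate(interval: int, ttl: int, prefetch: bool,
             cache_min_ttl: int = 0, duration: int = 600) -> dict:
    """Query one constructed name every `interval` seconds for `duration` seconds.

    `ttl` is the TTL the upstream returns. A single client with its own cache
    is modelled as interval == ttl: it re-asks exactly when its copy expires.
    """
    cache = Cache(prefetch, cache_min_ttl)
    misses = 0
    for now in range(0, duration, interval):
        if cache.lookup("cdn-cname.example", now, ttl) == "miss":
            misses += 1
    return {"misses": misses, "upstream_queries": cache.upstream_queries}


if __name__ == "__main__":
    # Many clients, short CDN TTL: prefetch removes all but the first miss
    print("busy name, no prefetch :", simulate(interval=1, ttl=30, prefetch=False))
    print("busy name, prefetch    :", simulate(interval=1, ttl=30, prefetch=True))
    # One client whose own cache expires with the resolver's: prefetch never fires
    print("lone client, prefetch  :", simulate(interval=30, ttl=30, prefetch=True))
    # The same lone client with cache-min-ttl: 300 pays the miss far less often
    print("lone client, min-ttl   :", simulate(interval=30, ttl=30, prefetch=True,
                                               cache_min_ttl=300))
```

Note that cache-min-ttl in the model, as in Unbound, overrides the zone owner's TTL: a 30-second CDN record served for 300 seconds can point clients at an address the CDN has already retired, which is why a ceiling in the low hundreds of seconds is the sensible limit.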

