[Dnssec-trigger] Why Does unbound Fail on So Many Requests?

Paul Wouters paul at nohats.ca
Sun Apr 20 00:16:58 UTC 2014


On Sat, 19 Apr 2014, Garry T. Williams wrote:

>    unbound[773]: [773:1] info: validation failure t6021.network-dns-unbound-user.dnstalk.us.dlv.isc.org. DLV IN
>    unbound[773]: [773:0] info: validation failure natenom.name.dlv.isc.org. DLV IN
>    unbound[773]: [773:0] info: validation failure platform.twitter.com.dlv.isc.org. DLV IN

>    garry at vfr$ dig +dnssec t6021.network-dns-unbound-user.dnstalk.us @127.0.0.1
>
>    ; <<>> DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20 <<>> +dnssec t6021.network-dns-unbound-user.dnstalk.us @127.0.0.1
>    ;; global options: +cmd
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56300

That should not happen. I've seen at times that there are timing
failures when it takes long to get to the hotspot. To test that, you can
try to restart unbound but load it with the same forwarders after you
have authenticated with the hotspot:

sudo unbound-control list_forwards
systemctl restart unbound.service
sudo unbound-control forward_add <stuff you saw at the list_forwards cmd>

and try again.

I think dnssec-trigger/unbound should have a combination to make
negative-ttl much much shorter on "enduser systems" to avoid these
kinds of timing errors.

Paul
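Paul's capture/restart/re-add procedure above, scripted as an added example (not code from the thread or from the unbound project). It assumes list_forwards prints one line per zone as "<zone> IN forward [+i] <addr> ..." and that forward_add takes "[+i] <zone> <addr> ..."; the "--apply" guard is a hypothetical convention so the parsing can be exercised without touching a live resolver.

```shell
#!/bin/sh
# Added example: save unbound's current forwarders, restart unbound,
# then hand the same forwarders back with forward_add.
# ASSUMPTION: list_forwards prints "<zone> IN forward [+i] <addr> ..."
# and forward_add accepts "forward_add [+i] <zone> <addr> ...".

# Convert list_forwards output (stdin) into forward_add argument lines.
forwards_to_args() {
    awk '$2 == "IN" && $3 == "forward" {
        zone = $1; opt = ""; start = 4
        if ($4 == "+i") { opt = "+i "; start = 5 }   # keep the insecure flag
        addrs = ""
        for (i = start; i <= NF; i++) addrs = addrs " " $i
        if (addrs != "") print opt zone addrs
    }'
}

# Number of forward zones found in list_forwards output (stdin).
count_forwards() {
    forwards_to_args | wc -l | tr -d ' '
}

# Constructed sample of list_forwards output; not captured from a real host.
SAMPLE_FORWARDS='. IN forward 192.0.2.53 192.0.2.54
corp.example. IN forward +i 198.51.100.1
verbosity: 1'

# The live procedure: abort rather than restart if nothing was captured,
# because a restart without forwarders leaves the hotspot unreachable.
apply_restart() {
    saved=$(sudo unbound-control list_forwards | forwards_to_args)
    [ -n "$saved" ] || { echo "no forwarders captured; aborting" >&2; return 1; }
    sudo systemctl restart unbound.service
    printf '%s\n' "$saved" | while read -r line; do
        # shellcheck disable=SC2086  # word-splitting is intended here
        sudo unbound-control forward_add $line
    done
}

# Hypothetical flag: only touch the running resolver when asked to.
[ "${1:-}" = "--apply" ] && apply_restart
```

Run it with --apply after the captive portal has been passed; without the flag it only defines the helpers.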
