[Unbound-users] forward-zone bug (out of query targets -- returning SERVFAIL)
Wouter Wijngaards
wouter at NLnetLabs.nl
Tue Nov 25 08:22:51 UTC 2008
Hi Dmitriy,
What is happening is that the server has blacklisted the forwarder IP
address, because it does not answer any queries (it has to be
unreachable for about 2 minutes or more for that to happen).
This blacklist has a TTL of 15 minutes, by default.
You can set it in the config file.
infra-host-ttl: 900 # default 900 seconds
You could set it to infra-host-ttl: 60
It would then come back up within a minute after the connection is
reestablished.
This config parameter also sets how long roundtrip times and
EDNS-support is cached. This cache is not cleared when you do a reload
command.
So, although this all exactly explains what is happening to you, and
there is a config setting to work around the problem, I do not know how
I can help to fix it.
Best regards,
Wouter
Dmitriy Demidov wrote:
> Hi Wouter.
>
> Looks like there is a problem with the forward-zone: mechanism. If I set up
> unbound for request forwarding to my ISP's DNS cache server, and during this
> time of operation my Internet connection fails for a couple of minutes (3-7
> min average), then unbound freezes in a strange condition and does not make any
> queries at all until a hard restart (restarting using unbound-control does not
> help - only via the rc.d script). At the same time, unbound continues to answer
> for names that remained in its cache, but if I do nslookup for something
> that is not cached, then it says SERVFAIL in the same moment - SERVFAIL
> without any timeout for querying. And the bad news is that unbound stays in
> this "freeze condition" after the Internet connection has been reestablished...
>
> The Internet connection does not fail physically (ethernet no-carrier) but only
> logically (no response from the GW or something like this).
>
> How to repeat:
>
> 1) start unbound in ' forward-zone name: "." ' mode
> 2) prevent its communication with the forward-addr: DNS server
> 3) wait for ~5min and make a lot of resolving queries during this time
> 4) connect the Internet back - unbound will stay in "freeze"
>
> My system is FreeBSD 7.1-PRERELEASE, unbound is compiled from ports with
> threads and is linked with libevent-1.4.8.
>
> ==============
> My unbound.conf
>
>
> server:
> verbosity: 5
> statistics-interval: 120
> num-threads: 1
> interface: 0.0.0.0
> outgoing-range: 512
> msg-cache-size: 16m
> msg-cache-slabs: 4
> num-queries-per-thread: 1024
> rrset-cache-size: 32m
> rrset-cache-slabs: 4
> cache-max-ttl: 86400
> do-ip4: yes
> do-ip6: no
> do-udp: yes
> do-tcp: yes
> do-daemonize: yes
> access-control: 0.0.0.0/0 refuse
> access-control: 192.168.1.0/24 allow
> access-control: 127.0.0.0/8 allow
> chroot: "/usr/local/etc/unbound"
> username: "unbound"
> directory: "/usr/local/etc/unbound"
> logfile: "/usr/local/etc/unbound/unbound.log"
> use-syslog: no
> pidfile: "/usr/local/etc/unbound/unbound.pid"
> root-hints: "/usr/local/etc/unbound/named.cache"
> harden-glue: yes
> do-not-query-address: 127.0.0.1/8
> module-config: "iterator"
> remote-control:
> control-enable: yes
> control-interface: 0.0.0.0
> forward-zone:
> name: "."
> forward-addr: 195.122.12.242
> ==========
>
>
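An illustrative model of the timeline Wouter describes (forwarder marked down after about 2 minutes without answers, entry kept for infra-host-ttl seconds, reload leaves it alone, uncached names get an immediate SERVFAIL while cached names still answer). This is added example code, not Unbound's code or anything from this thread; the 120-second threshold, the 10-second query interval, the name pattern and all class and function names are assumptions, only the forward-addr and the TTL values come from the mails.

```python
"""Model (not Unbound's code) of the forwarder blacklisting described above."""

DOWN_AFTER = 120             # assumption: ~2 minutes of unanswered queries marks the host down
FORWARDER = "195.122.12.242" # forward-addr from the reporter's unbound.conf


class InfraCache:
    """Per-host health state; an entry expires after infra-host-ttl seconds."""

    def __init__(self, host_ttl=900):   # 900 s is the default infra-host-ttl
        self.host_ttl = host_ttl
        self.down_until = {}            # ip -> time the blacklist entry expires
        self.first_fail = {}            # ip -> start of the current run of timeouts

    def record_timeout(self, ip, now):
        self.first_fail.setdefault(ip, now)
        if ip not in self.down_until and now - self.first_fail[ip] >= DOWN_AFTER:
            self.down_until[ip] = now + self.host_ttl

    def record_answer(self, ip):
        self.first_fail.pop(ip, None)

    def usable(self, ip, now):
        if ip in self.down_until and now < self.down_until[ip]:
            return False                # still blacklisted: no query targets left
        self.down_until.pop(ip, None)   # expired entry (or none): host usable again
        return True

    def reload(self):
        """unbound-control reload does not clear this cache (per the mail)."""


def resolve(infra, msg_cache, name, link_up, now):
    if name in msg_cache:
        return "NOERROR (cached)"       # cached names keep being answered
    if not infra.usable(FORWARDER, now):
        return "SERVFAIL"               # immediate, no timeout: out of query targets
    if not link_up:
        infra.record_timeout(FORWARDER, now)
        return "TIMEOUT"
    infra.record_answer(FORWARDER)
    msg_cache[name] = True
    return "NOERROR"


def recovery_time(host_ttl, outage=300, step=10):
    """Reporter's timeline: link down for `outage` s, then back up; one fresh
    name every `step` s. Returns when an uncached name first resolves again."""
    infra, msgs, now = InfraCache(host_ttl), {}, 0
    while True:
        rc = resolve(infra, msgs, "name%d.example" % now, now >= outage, now)
        if now >= outage:
            infra.reload()              # restarting via unbound-control changes nothing
        if rc == "NOERROR":
            return now
        now += step
```

With the default TTL the model only recovers at t=1020 (120 s to blacklist plus 900 s), with infra-host-ttl: 60 it recovers as soon as the link is back at t=300.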