[Unbound-users] forward-zone bug (out of query targets -- returning SERVFAIL)
Aaron Hopkins
lists at die.net
Tue Nov 25 18:07:05 UTC 2008
On Tue, 25 Nov 2008, Wouter Wijngaards wrote:
> What is happening is that the server has blacklisted the forwarder IP
> address. Because it does not answer any queries (it has to be
> unreachable for about 2 minutes or more for that to happen).
Turning a 2 minute outage into a 17 minute outage by default is awful
behavior. Dmitriy is being hit particularly hard here because he's only
talking to one forwarder, but I assume this will happen just as easily with
the root, .com, etc if my internet connectivity goes down for 2 minutes but
my users are still actively trying to get somewhere new.
Blacklisting a subset of nameservers for a zone for a while is sane, as long
as you have someone left to talk to. But as soon as all possible IPs to
send a query to are marked unresponsive, you can't just decide to not do any
lookups for the zone for an extended period. Is it unreasonable to ask for
either a much shorter blacklist TTL in the all-IPs-unavailable case or do to
some form of low-volume probing (e.g. allow one query through per minute, as
a test)?
> It would then come back up within a minute after the connection is
> reestablished.
This should be the default.
> This config parameter also sets how long roundtrip times and
> EDNS-support is cached.
It is unfortunate that they are the same parameter. I'd like to increase
the caching of roundtrip times and EDNS-support, and decrease the blacklist
TTL.
-- Aaron
More information about the Unbound-users
mailing list