[Unbound-users] bug ? atleast a difference in behaviour

Leen Besselink leen at consolejunkie.net
Sun Sep 6 17:13:31 UTC 2009 

Paul Wouters wrote:
> On Sun, 6 Sep 2009, Leen Besselink wrote:
> 
>>>> $ dig +short +norec @l.gtld-servers.net. ns2.titan.net.
>>>> 64.13.134.59
>>>>
>>>> Hope this was helpful.
>>>
>>> Are you sure you dont just have different settings for harden-glue
>>> or harden-referral-path? See if you can see the same difference
>>> when resolving an NS record for www.rbc.com (a site known to be
>>> reachable through trusting glue)
> 
>> Changing those settings doesn't matter a thing. You can try those
>> domains on your recursive DNS, if you like. :-)
> 
> Well, for me both ns1.titan.net. and ns2.titan.net, which are NS for
> both titan.net and insecure.org are unreachable. Both are in the same
> /24 too. I guess Fyodor needs a DNS admin :P
> 

That's Fyodor's problem luckily. :-)

> I'd still still you were seeing some caching on one instance of unbound
> that the other instance just did not have.
> 

The one just talks to the powerdns-recursors, I think that's the difference.

I get the same behaviour when talking directly to them, as I do below.

> Paul
> 

I just installed powerdns-recursor on my desktop to test it and it works when I do:

dig @127.0.0.1 nmap.org ns

(although it times out the first time)

it will show the titan-nameservers as the nameservers for nmap.org.

That's the difference I'm talking about.

This is the powerdns-recursor (with an empty cache):

$ dig @127.0.0.1 nmap.org ns

; <<>> DiG 9.5.1-P2 <<>> @127.0.0.1 nmap.org ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nmap.org.                      IN      NS

;; Query time: 3604 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep  6 19:11:16 2009
;; MSG SIZE  rcvd: 26
$ dig @127.0.0.1 nmap.org ns

; <<>> DiG 9.5.1-P2 <<>> @127.0.0.1 nmap.org ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37573
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;nmap.org.                      IN      NS

;; ANSWER SECTION:
nmap.org.               86390   IN      NS      ns1.titan.net.
nmap.org.               86390   IN      NS      ns2.titan.net.

;; ADDITIONAL SECTION:
ns2.titan.net.          172790  IN      A       64.13.134.59
ns1.titan.net.          172790  IN      A       64.13.134.58

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep  6 19:11:22 2009
;; MSG SIZE  rcvd: 103

This is unbound with or without an empty cache:

$ dig @172.20.1.1 nmap.org ns

; <<>> DiG 9.5.1-P2 <<>> @172.20.1.1 nmap.org ns
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

Do you see what I mean with a diffence in behaviour. :-)

More information about the Unbound-users mailing list