[Unbound-users] Setting max-time before servfail
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Tue Jan 19 08:01:51 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Gareth,
So, I am not arguing about the customer pleasing part. That sounds
good. My trouble is how to do that.
max-time-before-servfail: 1 second is an option that I could possibly add.
But my question (to the others on the list:) is that a good idea? Could
that be a good default?
Basically 2-second lookups are then no longer possible, since you get
servfail after 1 second. (Hopefully the 2 second lookup ends up into
the cache and thus can be queried later).
Does the customer actually see a different response from their
internet-app? I understand we are the small guys here and changing,
say, IE display of error reports is not an option.
Best regards,
Wouter
On 01/18/2010 05:37 PM, Gareth Hopkins wrote:
> Hi Wouter,
>
> I am extremely happy with the way unbound works and thank-you very much
> for the work that you
> have done.
>
> I'm just not looking forward to the customer queries about why "no dns
> servers could be reached"
> and other odd error messages. Trying to explain to Joe Public about how
> name servers are
> in fact broken and that is why they don't get the response they expect
> is always challenging.
> Their reply is usually "but if I use opendns or googledns it answers"
> (never mind the fact that they
> are still answering with a servfail.)
>
> An example I am seeing on one of the unbound caches is as follows.
>
> The nameservers for 233.165.in-addr.arpa are broken
>
> <snip>
>
> 233.165.in-addr.arpa. 59408 IN NS dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>.
> 233.165.in-addr.arpa. 59408 IN NS jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>.
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 133 bytes from 165.233.48.99#53(jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>) in 21 ms
>
> 233.165.in-addr.arpa. 82036 IN NS jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>.
> 233.165.in-addr.arpa. 82036 IN NS dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>.
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 133 bytes from 165.233.152.114#53(dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>) in 35 ms
>
> 233.165.in-addr.arpa. 59408 IN NS dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>.
> 233.165.in-addr.arpa. 59408 IN NS jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>.
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 133 bytes from 165.233.48.99#53(jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>) in 20 ms
>
> 233.165.in-addr.arpa. 82036 IN NS jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>.
> 233.165.in-addr.arpa. 82036 IN NS dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>.
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 133 bytes from 165.233.152.114#53(dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>) in 33 ms
>
> 233.165.in-addr.arpa. 59408 IN NS dbndns1.ifusion.co.za
> <http://dbndns1.ifusion.co.za>.
> 233.165.in-addr.arpa. 59408 IN NS jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>.
> ;; BAD (HORIZONTAL) REFERRAL
> ;; Received 133 bytes from 165.233.48.99#53(jhbdns1.ifusion.co.za
> <http://jhbdns1.ifusion.co.za>) in 21 ms
>
> </snip>
>
> A unbound-control dump_requestlist shows the following.
>
> 232 PTR IN 17.75.233.165.in-addr.arpa. 117.590562 iterator wait for
> 165.233.48.99
> 233 PTR IN 18.75.233.165.in-addr.arpa. 106.083322 iterator wait for
> 165.233.48.99
> 234 PTR IN 19.75.233.165.in-addr.arpa. 110.606661 iterator wait for
> 165.233.48.99
> 235 PTR IN 20.75.233.165.in-addr.arpa. 116.093442 iterator wait for
> 165.233.48.99
> 236 PTR IN 21.67.233.165.in-addr.arpa. 105.611471 iterator wait for
> 165.233.48.99
> 237 PTR IN 21.75.233.165.in-addr.arpa. 115.076346 iterator wait for
> 165.233.48.99
> 238 PTR IN 22.75.233.165.in-addr.arpa. 114.074878 iterator wait for
> 165.233.48.99
> 239 PTR IN 23.75.233.165.in-addr.arpa. 113.083954 iterator wait for
> 165.233.48.99
> 240 PTR IN 24.75.233.165.in-addr.arpa. 112.056811 iterator wait for
> 165.233.48.99
> 241 PTR IN 25.75.233.165.in-addr.arpa. 111.071265 iterator wait for
> 165.233.48.99
> 242 PTR IN 26.75.233.165.in-addr.arpa. 110.086471 iterator wait for
> 165.233.48.99
> 243 PTR IN 27.75.233.165.in-addr.arpa. 109.110294 iterator wait for
> 165.233.48.99
> 244 PTR IN 28.74.233.165.in-addr.arpa. 60.251117 iterator wait for
> 165.233.48.99
> 245 PTR IN 28.75.233.165.in-addr.arpa. 108.101261 iterator wait for
> 165.233.48.99
> 246 PTR IN 29.75.233.165.in-addr.arpa. 107.636158 iterator wait for
> 165.233.48.99
>
> Would it be possible to get unbound to send a servfail if all
> nameservers give a bad referral ? The above
> seems to indicate it will continue trying until it gets the data it is
> looking for, but in this case it never will and
> the query times out. The same query against google dns gives a servfail.
>
> unbound cache
>
> # time dig 24.75.233.165.in-addr.arpa PTR @dnscache1-ctn.is.co.za
> <http://dnscache1-ctn.is.co.za>
>
> ; <<>> DiG 9.6.1-P2 <<>> 24.75.233.165.in-addr.arpa PTR
> @dnscache1-ctn.is.co.za <http://dnscache1-ctn.is.co.za>
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> real 0m15.285s
> user 0m0.000s
> sys 0m0.012s
>
> google cache
>
> # time dig 24.75.233.165.in-addr.arpa PTR @8.8.8.8 <http://8.8.8.8>
>
> ; <<>> DiG 9.6.1-P2 <<>> 24.75.233.165.in-addr.arpa PTR @8.8.8.8
> <http://8.8.8.8>
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33284
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;24.75.233.165.in-addr.arpa. IN PTR
>
> ;; Query time: 577 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 18 18:32:30 2010
> ;; MSG SIZE rcvd: 44
>
>
> real 0m0.585s
> user 0m0.008s
> sys 0m0.001s
>
> Thanks again
>
> Cheers
>
> Gareth
>
> On Fri, Jan 15, 2010 at 8:06 PM, W.C.A. Wijngaards <wouter at nlnetlabs.nl
> <mailto:wouter at nlnetlabs.nl>> wrote:
>
> Hi Gareth,
>
> The lookup is really taking very long and unbound assumes that you
> should keep waiting for the answer. Unbound does not know what the
> timeout of the client is, so cannot tell it servfail.
>
> Perhaps the clients should have longer timeouts? Or how else can they
> insist on an answer within some time? This is not part of the DNS
> protocol? They are obviously broken.
>
> Now, to step back from ranting about broken other stuff, in reality, you
> want stuff to work. Right now unbound does not do what you want. What
> would work well?
>
> Best regards,
> Wouter
>
> On 01/15/2010 03:07 PM, Gareth Hopkins wrote:
>> Hi,
>
>> I am in the process of moving a number of caching boxes to unbound.
>
>> One thing I have noticed is the time it takes for a servfail to get
>> generated should a domain not be available/visible.
>
>> Example.
>
>> With unbound I get a timeout (which some clients see as the dns server
>> failing and not answering)
>
>> # dig bagmail.com <http://bagmail.com> <http://bagmail.com> mx
> @dnscache1-ctn.is.co.za <http://dnscache1-ctn.is.co.za>
>> <http://dnscache1-ctn.is.co.za>
>
>> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com <http://bagmail.com>
> <http://bagmail.com> mx @unbound_server
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>
>> With our current product I get a servfail.
>
>> # dig bagmail.com <http://bagmail.com> <http://bagmail.com> mx
> @current_cache
>
>> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com <http://bagmail.com>
> <http://bagmail.com> mx
>> @dnscache2-ctn.is.co.za <http://dnscache2-ctn.is.co.za>
> <http://dnscache2-ctn.is.co.za>
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35397
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>> ;; QUESTION SECTION:
>> ;bagmail.com <http://bagmail.com> <http://bagmail.com>.
> IN MX
>
>> ;; Query time: 5000 msec
>
>> ;; WHEN: Fri Jan 15 16:00:17 2010
>> ;; MSG SIZE rcvd: 29
>
>> The issue with this specific domain is the NS servers, ns1 and
>> ns2.goldkey.com <http://ns2.goldkey.com> <http://ns2.goldkey.com>
> don't exist
>
>> bagmail.com <http://bagmail.com> <http://bagmail.com>.
> 172800 IN NS
>> ns1.goldkey.com <http://ns1.goldkey.com> <http://ns1.goldkey.com>.
>> bagmail.com <http://bagmail.com> <http://bagmail.com>.
> 172800 IN NS
>> ns2.goldkey.com <http://ns2.goldkey.com> <http://ns2.goldkey.com>.
>
>> unbound-control lookup on that domain shows the following
>
>> # unbound-control lookup bagmail.com <http://bagmail.com>
> <http://bagmail.com>
>> The following name servers are used for lookup of bagmail.com
> <http://bagmail.com>
>> <http://bagmail.com>.
>> ;rrset 84946 2 0 2 0
>> bagmail.com <http://bagmail.com> <http://bagmail.com>. 171346
> IN NS
>> ns1.goldkey.com <http://ns1.goldkey.com> <http://ns1.goldkey.com>.
>> bagmail.com <http://bagmail.com> <http://bagmail.com>. 171346
> IN NS
>> ns2.goldkey.com <http://ns2.goldkey.com> <http://ns2.goldkey.com>.
>> ;rrset 84946 1 0 1 0
>> ns2.goldkey.com <http://ns2.goldkey.com> <http://ns2.goldkey.com>.
> 171346 IN A
>> 206.83.79.29
>> ;rrset 84946 1 0 1 0
>> ns1.goldkey.com <http://ns1.goldkey.com> <http://ns1.goldkey.com>.
> 171346 IN A
>> 64.95.64.222
>> Delegation with 2 names, of which 2 can be examined to query further
>> addresses.
>> It provides 2 IP addresses.
>> 64.95.64.222 rtt 120000 msec, 12 lost. noEDNS probed.
>> 206.83.79.29 rtt 120000 msec, 17 lost. noEDNS probed.
>
>> Is there anyway to get unbound to return a servfail straight away ?
>
>> Thanks
>
>> Gareth
>
>
>
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net <mailto:Unbound-users at unbound.net>
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net <mailto:Unbound-users at unbound.net>
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAktVZu8ACgkQkDLqNwOhpPjEYgCeOOL3oicO2yVviigq5dc6qiNd
cjsAoKHNEP41nc90f2rNOAxNQAXHm0hZ
=L+2t
-----END PGP SIGNATURE-----
More information about the Unbound-users
mailing list