[Unbound-users] support of 'server' statement

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Jun 30 15:31:20 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rok,

For me, that command also returns replies.  It could be that due to an
anycasted deployment your queries to godaddy end up somewhere else and
somehow this drops queries with EDNS (a firewall?).  Could it be your
own firewall?  Or some firewall close to you?

unbound detects servers for which EDNS queries are dropped.  It takes
time before it kicks in (because a timeout simply takes time to detect,
and more reasons in the doc/requirements.txt).  It works by IP-address,
so once ns33 is detected as such, all queries to it are sent without
EDNS, it is cached for infra-ttl seconds (configurable).

Best regards,
   Wouter

On 06/30/2010 05:08 PM, Rok Potočnik wrote:
> It seems the problem isn't at godaddy but rather somewhere in between,
> as bind list users said a couple of times, some of them get the reply using
> 
> dig +dnssec @ns33.domaincontrol.com. replacementservices.com.
> 
> The only workaround for now seems to be
> 
> forward-zone:
>         name: "replacementservices.com"
>         forward-addr: 8.8.8.8
>         forward-addr: 8.8.4.4
> ....
> 
> but doing this on our scale is quite a workout as the servers provide
> recursive replies for about 200k clients.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwrY0gACgkQkDLqNwOhpPhr/wCffGuYxPrhkN9ADUSGZSzWTph3
VDIAoK3P91sj/HUrt1+i1GjOq93vMQ1o
=d0P4
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list