[Unbound-users] dig fails intermittently, but unbound-host does not
Andrew Hearn
andrew.hearn at aaisp.net.uk
Tue Mar 29 12:29:14 UTC 2011
On 29/03/11 13:16, W.C.A. Wijngaards wrote:
> Hi Andrew, Paul,
>
> On 03/29/2011 02:11 PM, Andrew Hearn wrote:
>> On 29/03/11 12:19, Paul Wouters wrote:
>>> On Tue, 29 Mar 2011, Andrew Hearn wrote:
>>>
>>>> We have version 1.3.4 on a server and have an odd, intermittent, problem
>>>> with looking up a particular record.
>>>>
>>>> We have other unbound and bind servers that don't have this problem.
>>>>
>>>> eg:
>>>>
>>>> [root at a log]# unbound-control flush farnell.com
>>>> ok
>>>> [root at a log]# dig uk.farnell.com @localhost
>>>
>>> That domain seems broken, at least from the "world view":
>>>
>>> [paul at bofh ~]$ dnscheck uk.farnell.com.
>>> 0.000: uk.farnell.com. INFO Begin testing zone uk.farnell.com. with
>>> version 1.2.1.
>>> 0.000: uk.farnell.com. INFO Begin testing delegation for uk.farnell.com..
>>> 6.008: uk.farnell.com. INFO Name servers listed at parent:
>>> dns1.cscdns.net,dns2.cscdns.net
>>> 6.168: uk.farnell.com. ERROR Failed to find name servers of
>>> uk.farnell.com./IN.
>>> 6.168: uk.farnell.com. ERROR No name servers found at child.
>>> 6.168: uk.farnell.com. INFO Done testing delegation for uk.farnell.com..
>>> 6.168: uk.farnell.com. CRITICAL Fatal error in delegation for zone
>>> uk.farnell.com..
>>> 6.168: uk.farnell.com. INFO Test completed for zone uk.farnell.com..
>>>
>>> If it works internally, perhaps one issue is that one of your servers
>>> uses the external instead
>>> of internal view?
>
> I think Paul is correct.
>
>> Thanks for the info, but I'm not sure this explains it, as:
>> unbound-host uk.farnell.com -v
>> always works, and gives answers, but
>> dig uk.farnell.com @localhost
>> is intermittent
>
>> Also, http://www.squish.net/dnscheck works each time we try
>
> That is because the first looking (has to) use the parent-side
> delegation information. But with a cache the daemon on a second lookup
> uses the child-side delegation information. unbound-host is a
> commandline tool and does the first lookup of course.
>
> In unbound 1.4.5 the approach to deal with such broken domains was
> changed significantly, making it more robust. It may work with this
> broken domain.
>
> Or, you could unbreak the domain, fix it :-)
>
> Best regards,
> Wouter
Thanks for the info Wouter.
The domain is outside our control, but I'll upgrade our Unbound.
Thanks again
--
Andrew Hearn.
AAISP Technical Support Team Leader
Tel: 03333 400999
More information about the Unbound-users
mailing list