[Unbound-users] Problem with query

W.C.A. Wijngaards wouter at NLnetLabs.nl
Fri Sep 16 09:27:07 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 09/15/2011 10:36 PM, Paul Wouters wrote:
> On Thu, 15 Sep 2011, Robert Fleischman wrote:
> 
>> Are you SURE your server returns?  I just tried it with:
>>
>> dig +time=600 +tcp @193.110.157.136 -t ns dir.slb.com.
>>
>> And it doesn't return AT ALL.  (That is a 10 minute wait time!!)
> 
> Seems you are right. An entry in my reslv.conf sneaked through to my bind
> fallback server, which does anser with the hunderds of NS records, though
> without any additional A records.
> 
> I ran:  unbound-host dir.slb.com. -t NS -ddddd
> 
> but killed it after it had generated 100MB of data and was still looping.
> bind does return pretty quickly, though it has no additional records at
> all.
> 
> dig ns dir.slb.com @ns3.slb.com. also shows how bogus that response is.
> Many *.dir.slb.com nameservers, but not a single glue record.

Yes, it has 283 nameserver entries and 280 addresses (that I can find).
 I have tried them, but they do not reply.  They time out.

So what happens is that unbound quietly starts probing this very long
list.  It will take some time to do this.  If space becomes a problem,
this query is the oldest and gets removed.

You say that bind returns.  How does it get an answer?  None of the IPs
associated with the domain return UDP replies.  Perhaps it returns the
NS set from the referral as the answer?  Unbound refuses to do this for
security reasons.

>> I don't have any "harden" stuff on.    I do have:
>>
>> val-permissive-mode: yes
> 
> That disables all DNSSEC. Any good reason for that?

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOcxZqAAoJEJ9vHC1+BF+NvXYP/jX49F543hFwr9hvBSjsVMgQ
NDugQxq7Pc1UOkJkoozJPc6f8lRLRXnm2WxNxOWwKAqF1E8bx7EJoqFnN+sWeBbt
Ulchif6HAIPgSQZAlBsKqLJn1Hpb9mxonhdzgNaYpgqHINdzLsXr6Fi3XAExnyWB
OFnZQP6SIjrZt4VkmQFUz0dTWAV/N/L3eToq/nNSJqOa5VW+ydpkakdBKO669ba/
7G2aixohRwHOz86WEphCpRUSJcP4fpByONHIruTd2MhQlymw4Af8yv0MQugro6YA
KqgIYM5NVNDZ+qYk/nXcSxydgeSPtGWTzZnGsK4bACl3lrZICT/0UyXeW+5zs4hO
wEFlIzSdUsOv8rIv5vBQvm/00xIoMyE4njum3SJtex6DxAG+3s2jI5gJ551u42jA
PmWplMKfyr5jum4mC45gNXKVz8BN++FKKAZVHLeBjo869nAK0qi1IYWl+03k+t3g
Gbv0aErGIxd2trPmjr+WQQufKNp3eZMh6gXUl3ixem9WpSNq3BDNZ7DBCIsvsqZO
xxQm/S6i4P+q9yLK/oRMkFFlCF+U4jArpkboDQVEfrfdsMxA4S562/tBI0A445x7
ocVMGrcWiGXR3zcPqj+BXvO6viFZZkgUKwYRROTPcO4PI135yWaQBGmxFWEMivpS
3FhAQKBTpaKaGyi95Mbz
=jkhw
-----END PGP SIGNATURE-----

More information about the Unbound-users mailing list