[Unbound-users] Problem with query
wouter at NLnetLabs.nl
Fri Sep 16 09:27:07 UTC 2011
On 09/15/2011 10:36 PM, Paul Wouters wrote:
> On Thu, 15 Sep 2011, Robert Fleischman wrote:
>> Are you SURE your server returns? I just tried it with:
>> dig +time=600 +tcp @22.214.171.124 -t ns dir.slb.com.
>> And it doesn't return AT ALL. (That is a 10 minute wait time!!)
> Seems you are right. An entry in my resolv.conf sneaked through to my bind
> fallback server, which does answer with the hundreds of NS records, though
> without any additional A records.
> I ran: unbound-host dir.slb.com. -t NS -ddddd
> but killed it after it had generated 100MB of data and was still looping.
> bind does return pretty quickly, though it has no additional records at
> dig ns dir.slb.com @ns3.slb.com. also shows how bogus that response is.
> Many *.dir.slb.com nameservers, but not a single glue record.
Yes, it has 283 nameserver entries and 280 addresses (that I can find).
I have tried them, but they do not reply. They time out.
So what happens is that unbound quietly starts probing this very long
list. It will take some time to do this. If space becomes a problem,
this query is the oldest and gets removed.
You say that bind returns. How does it get an answer? None of the IPs
associated with the domain return UDP replies. Perhaps it returns the
NS set from the referral as the answer? Unbound refuses to do this for
>> I don't have any "harden" stuff on. I do have:
>> val-permissive-mode: yes
> That disables all DNSSEC. Any good reason for that?
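The failure mode discussed above is a referral whose NS set is huge and whose in-bailiwick nameservers carry no glue, so a resolver has to chase every one of them. The following is an added example, not code from this thread or from Unbound itself: it builds a constructed NS response in DNS wire format (zone, nameserver names and the 192.0.2.10 address are made-up sample values), parses it back, and reports how many NS targets there are, how many A glue records came with them, and which in-bailiwick nameservers have no glue and are therefore unresolvable without the very zone they serve.

```python
import struct

# Constructed sample data (not real DNS traffic): a zone with three NS
# records and glue for only one of the two in-bailiwick nameservers.
SAMPLE_ZONE = "dir.slb.com."
SAMPLE_NS = ["ns1.dir.slb.com.", "ns2.dir.slb.com.", "ns3.slb.com."]
SAMPLE_GLUE = {"ns1.dir.slb.com.": "192.0.2.10"}   # RFC 5737 documentation address


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_referral(zone, ns_names, glue):
    """Build a minimal NS response: one question, NS records in the authority
    section, A glue in the additional section.  Uses no name compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, len(ns_names), len(glue))
    question = encode_name(zone) + struct.pack("!HH", 2, 1)   # QTYPE=NS, QCLASS=IN
    authority = b""
    for ns in ns_names:
        rdata = encode_name(ns)
        authority += encode_name(zone) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    additional = b""
    for host, ip in glue.items():
        rdata = bytes(int(octet) for octet in ip.split("."))
        additional += encode_name(host) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + question + authority + additional


def read_name(msg, off):
    """Decode a name at msg[off], following 0xC0 compression pointers.
    Returns (lower-cased FQDN, offset just past the name in the record)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def read_rr(msg, off):
    """Parse one resource record; return (owner, type, rdata_offset, rdlen, next_offset)."""
    owner, off = read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return owner, rtype, off, rdlen, off + rdlen


def analyze_referral(msg):
    """Count NS targets and A glue, and list in-bailiwick nameservers that
    have no glue: those cannot be resolved without first resolving the zone
    they serve, which is the dead end the thread describes."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                # skip QTYPE + QCLASS
    ns_targets, zone = set(), None
    for _ in range(ancount + nscount):
        owner, rtype, rdata_off, _rdlen, off = read_rr(msg, off)
        if rtype == 2:                          # NS
            zone = owner
            target, _ = read_name(msg, rdata_off)
            ns_targets.add(target)
    glue = {}
    for _ in range(arcount):
        owner, rtype, rdata_off, rdlen, off = read_rr(msg, off)
        if rtype == 1 and rdlen == 4:           # A
            glue[owner] = ".".join(str(b) for b in msg[rdata_off:rdata_off + 4])
    missing = sorted(h for h in ns_targets
                     if zone and h.endswith("." + zone) and h not in glue)
    return {"ns_count": len(ns_targets), "glue_count": len(glue), "missing_glue": missing}


if __name__ == "__main__":
    print(analyze_referral(build_referral(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_GLUE)))
```

On the constructed sample the report lists ns2.dir.slb.com. as the nameserver a resolver cannot reach without glue; ns3.slb.com. is out of bailiwick and can be looked up independently, so it is not flagged. Feeding the parser a captured response (for example the raw bytes dig +tcp produces) gives the same NS-versus-glue count that the thread quotes as 283 names against the addresses Wouter could find.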