Ratelimit misbehavior
Daisuke HIGASHI
daisuke.higashi at gmail.com
Thu May 5 23:44:50 UTC 2016
Hi, Eduardo:

It seems that all nameservers of "315ye.zj.cn" (ns1.22.cn, ns2.22.cn) are completely down and not responding. In the Unbound "infra" database, all NS of "315ye.zj.cn" should be marked as "rto 120000", which means "not responsive".
$ unbound-control dump_infra | grep 315ye.zj.cn
121.12.104.72 315ye.zj.cn. ttl 4 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
121.12.104.73 315ye.zj.cn. ttl 0 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
218.66.171.136 315ye.zj.cn. ttl 6 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
218.66.171.137 315ye.zj.cn. ttl 2 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0

In this case Unbound stops resolving names under the zone (returns SERVFAIL for user queries) for a while.

Unbound's "ratelimit" feature ratelimits the number of queries from Unbound to nameservers, not from user to Unbound. So my guess is: Unbound should already have stopped resolving "315ye.zj.cn" because all the NSs are down, so its "ratelimit" feature no longer detects excessive queries to the "315ye.zj.cn" nameservers.

Regards,
--
Daisuke Higashi
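
Added example (not part of the original message and not Unbound's own code): a Python script that groups `unbound-control dump_infra` lines by zone and reports zones in which every listed server sits at the "rto 120000" value the message describes. The sample lines, addresses, zone names and the state labels are constructed for illustration; the threshold is taken from the message.

```python
import re
from collections import defaultdict

# Value the message reports for servers Unbound treats as not responsive.
BLOCKED_RTO_MS = 120000

# Constructed sample in the shape of `unbound-control dump_infra` output
# (documentation-range addresses, placeholder zone names).
SAMPLE = """\
192.0.2.1 dead.example. ttl 4 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.2 dead.example. ttl 0 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.1 mixed.example. ttl 9 ping 0 var 94 rtt 376 rto 120000 tA 3 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.2 mixed.example. ttl 9 ping 12 var 20 rtt 92 rto 92 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.1 ok.example. ttl 30 ping 8 var 10 rtt 48 rto 48 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
this line is not an infra entry
"""

# First field is the server address, second the zone; the rto value is
# located by its keyword so the other fields may vary.
LINE = re.compile(r"^(\S+)\s+(\S+)\s.*?\brto\s+(\d+)\b")


def parse_infra(text):
    """Return {zone: {ip: rto_ms}}; lines without an rto field are skipped."""
    zones = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ip, zone, rto = m.groups()
            zones[zone.lower()][ip] = int(rto)
    return dict(zones)


def classify(zones, limit=BLOCKED_RTO_MS):
    """Label each zone 'all-down', 'degraded' or 'ok' by servers at the limit."""
    result = {}
    for zone, servers in zones.items():
        down = sum(1 for rto in servers.values() if rto >= limit)
        if down == len(servers):
            result[zone] = "all-down"   # the SERVFAIL case in the message
        else:
            result[zone] = "degraded" if down else "ok"
    return result


if __name__ == "__main__":
    for zone, state in sorted(classify(parse_infra(SAMPLE)).items()):
        print(f"{state:9} {zone}")
```

On a live resolver, feed it the captured output of `unbound-control dump_infra` instead of `SAMPLE`.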