Negative cache being ignored.
Dylan Humphreys
dylan.humphreys at comodo.com
Tue Oct 17 11:54:05 UTC 2017
Hi Everyone,
I have unbound 1.6.4 installed on Gentoo, and it is doing recursive lookups.
In this example, I am trying to look up a CAA record for a domain:
# time host -t CAA jhmnet.net 192.168.136.181
Using domain server:
Name: 192.168.136.181
Address: 192.168.136.181#53
Aliases:
Host jhmnet.net not found: 2(SERVFAIL)
real 0m3.876s
user 0m0.008s
sys 0m0.008s
Run this again, immediately after:
# time host -t CAA jhmnet.net 192.168.136.181
Using domain server:
Name: 192.168.136.181
Address: 192.168.136.181#53
Aliases:
Host jhmnet.net not found: 2(SERVFAIL)
real 0m0.016s
...
This implies the cache is working as expected. (cache-max-negative-ttl: 120)
However, after about 9 seconds, the query goes back to taking 3-4 seconds, implying it's not. Sure enough, a tcpdump on the host running unbound shows it trying to access the jhmnet.net Auth server(s).
Why is unbound not respecting the 2 min (120 second) max-negative-ttl?
In the interests of testing, this server is not serving any other DNS traffic at all.
This is my configuration:
## Simple recursive caching DNS, UDP port 53
## unbound.conf -- https://calomel.org
#
server:
access-control: 10.0.0.0/16 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
cache-max-ttl: 120
cache-min-ttl: 0
hide-identity: yes
hide-version: yes
interface: 0.0.0.0
minimal-responses: yes
prefetch: no
rrset-roundrobin: yes
use-caps-for-id: no
verbosity: 1
use-syslog: yes
root-hints: /etc/unbound/root.hints
auto-trust-anchor-file: /etc/unbound/root.key
val-log-level: 2
#https://www.unbound.net/documentation/howto_optimise.html
num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
key-cache-size: 128m
neg-cache-size: 256m
rrset-cache-size: 512m
msg-cache-size: 256m
outgoing-range: 462
num-queries-per-thread: 231
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes
jostle-timeout: 281
# for cacti support
extended-statistics: yes
statistics-cumulative: yes
statistics-interval: 0
Note: cache-max-negative-ttl: 120
was set using:
# unbound-control set_option cache-max-negative-ttl: 120
ok
#
Thanks in advance.