Negative cache being ignored.
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Oct 17 12:17:45 UTC 2017
Hi Dylan,
Negative ttls are for negative answers, like NXDOMAIN and NOERROR/NODATA
answers. This is where that configuration option applies. The max neg
ttl setting reduces TTL values from the authority. It does not increase
them.
But this response is not an NXDOMAIN or NOERROR/NODATA, so these
configuration options actually do not apply to it. It is a failure to
get data, and Unbound has a fixed TTL of a couple seconds for that. I
think it is called NORR_TTL in util/data/msgparse.h.
Best regards, Wouter
On 17/10/17 13:54, Dylan Humphreys via Unbound-users wrote:
> Hi Everyone,
>
> I have unbound 1.6.4 installed on gentoo and doing recursive lookups.
>
> In this example, trying to lookup a CAA record for a domain:
>
>
> # time host -t CAA jhmnet.net 192.168.136.181
> Using domain server:
> Name: 192.168.136.181
> Address: 192.168.136.181#53
> Aliases:
>
> Host jhmnet.net not found: 2(SERVFAIL)
>
> real 0m3.876s
> user 0m0.008s
> sys 0m0.008s
>
> Run this again, immediately after:
>
> # time host -t CAA jhmnet.net 192.168.136.181
> Using domain server:
> Name: 192.168.136.181
> Address: 192.168.136.181#53
> Aliases:
>
> Host jhmnet.net not found: 2(SERVFAIL)
>
> real 0m0.016s
> ...
>
> Implying the cache is working as expected. (cache-max-negative-ttl: 120)
>
>
> However, after about ~9 seconds, the query goes back to taking 3-4
> seconds, implying its not. Sure enough a tcpdump on the host running
> unbound shows it trying to access the jhmnet.net Auth server(s)
>
>
> Why is unbound not respecting the 2 (120second) min max-negative-ttl?
>
>
> In the interests of testing, this server is not serving any other dns
> traffic at all.
>
> This is my configuration:
>
>
>
> ## Simple recursive caching DNS, UDP port 53
> ## unbound.conf -- https://calomel.org
> #
> server:
> access-control: 10.0.0.0/16 allow
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.0.0/16 allow
> cache-max-ttl: 120
> cache-min-ttl: 0
> hide-identity: yes
> hide-version: yes
> interface: 0.0.0.0
> minimal-responses: yes
> prefetch: no
> rrset-roundrobin: yes
> use-caps-for-id: no
> verbosity: 1
> use-syslog: yes
> root-hints: /etc/unbound/root.hints
> auto-trust-anchor-file: /etc/unbound/root.key
> val-log-level: 2
> #https://www.unbound.net/documentation/howto_optimise.html
> num-threads: 2
> msg-cache-slabs: 2
> rrset-cache-slabs: 2
> infra-cache-slabs: 2
> key-cache-slabs: 2
> key-cache-size: 128m
> neg-cache-size: 256m
> rrset-cache-size: 512m
> msg-cache-size: 256m
> outgoing-range: 462
> num-queries-per-thread: 231
> so-rcvbuf: 4m
> so-sndbuf: 4m
> so-reuseport: yes
> jostle-timeout: 281
> # for cacti support
> extended-statistics: yes
> statistics-cumulative: yes
> statistics-interval: 0
>
> note: cache-max-negative-ttl: 120
>
> was set using
>
>
> # unbound-control set_option cache-max-negative-ttl: 120
>
> ok
>
> #
>
>
> Thanks in advance.
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20171017/3b44f701/attachment.bin>
More information about the Unbound-users
mailing list