serve-expired-client-timeout: noob issue
Chris
Public2 at xymox1.com
Sat Feb 29 16:50:34 UTC 2020
I am unskilled at DNS. I have just enough knowledge to be annoying.

I've been running Unbound at rDNS for years on a home server to get better performance, DNSSEC and DoTLS 1.3 using 1.1.1.1. This has worked great. Moving to 1.10.0 was uneventful.

Until... I set the serve-expired stuff to draft-ietf recommendations. Specifically, if I set serve-expired-client-timeout: to any value other than 0 (enable it), then after like 5 mins things stop resolving.

I get a strange issue that appears. "Number of queries dropped due to lack of space" shows EVERY query is dropped. This is very odd as my request list is near empty. This starts like 5-10 mins after starting Unbound.

I do have a weird config for sure tho. I am compiling with --with-libevent --without-pthreads --without-solaris-threads; my conf is below.
daily graph
unbound.conf:

server:
    val-log-level: 1
    use-syslog: yes
    verbosity: 0
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.88.0/24 allow
    access-control: 127.0.0.0/8 allow
    tls-session-ticket-keys: yes
    aggressive-nsec: yes
    cache-max-ttl: 7200
    cache-min-ttl: 360
    do-ip4: yes
    do-ip6: no
    do-tcp: yes
    harden-below-nxdomain: yes
    harden-glue: yes
    harden-referral-path: yes
    harden-large-queries: yes
    harden-dnssec-stripped: yes
    harden-short-bufsize: yes
    harden-algo-downgrade: yes
    target-fetch-policy: "4 3 2 1 0"
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    root-hints: "/usr/local/etc/unbound/root.hints"
    interface: 10.1.1.7
    interface: 10.1.1.8
    interface: 10.1.1.6
    interface: 10.1.1.11
    interface: 192.168.88.50
    interface: 192.168.88.51
    outgoing-interface: 192.168.88.50
    outgoing-interface: 192.168.88.51
    outgoing-port-permit: 25000-45000
    outgoing-num-tcp: 100
    incoming-num-tcp: 30
    minimal-responses: yes
    num-threads: 6
    outgoing-range: 4096
    num-queries-per-thread: 2048
    pidfile: "/var/run/unbound.pid"
    port: 53
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    so-reuseport: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
    use-caps-for-id: yes
    statistics-cumulative: no
    extended-statistics: yes
    statistics-interval: 0
    private-address: 10.0.0.0/8
    private-address: 192.168.88.0/24
    val-clean-additional: yes
    include: /etc/unbound/dnsbl1.conf
    serve-expired: yes
    serve-expired-ttl: 259200
    serve-expired-ttl-reset: yes
    serve-expired-reply-ttl: 30
    # serve-expired-client-timeout: 1800
    # Speed tweaks
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    infra-cache-slabs: 1
    key-cache-slabs: 1
    rrset-cache-size: 100m
    msg-cache-size: 50m
    so-rcvbuf: 4m
    so-sndbuf: 4m

remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-use-cert: no

forward-zone:
    name: "."
    # Secure DNS over TLS
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853 # Cloudflare
    forward-addr: 1.0.0.1@853 # Cloudflare
    # forward-addr: 8.8.8.8@853 # Google
    # forward-addr: 8.8.4.4@853 # Google
    # forward-addr: 9.9.9.9@853 # quad9.net
    # forward-addr: 149.112.112.112@853 # quad9.net
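A small check for the symptom described in the post, added here as an example and not part of the original message or of Unbound itself: it parses `unbound-control stats_noreset` output (the counter names `requestlist.exceeded`, `requestlist.current.all` and `num.queries` are the ones unbound-control reports; the "dropped due to lack of space" graph label maps to `requestlist.exceeded`) and flags threads that drop queries while their request list is nearly empty. The sample stats lines and the `queue_floor` threshold are constructed for illustration.

```python
"""Flag Unbound threads that drop queries although their request list is near empty.

Reads `unbound-control stats_noreset` output (key=value lines). With
statistics-cumulative: no, plain `stats` would reset the counters, so use
stats_noreset when polling. SAMPLE and queue_floor are constructed values.
"""
import re
import subprocess

STAT_LINE = re.compile(r"^([\w.]+)=(-?[\d.]+)$")

# Constructed sample: thread0 drops almost everything with 3 queries queued.
SAMPLE = """\
thread0.num.queries=1200
thread0.requestlist.exceeded=1150
thread0.requestlist.current.all=3
thread1.num.queries=40
thread1.requestlist.exceeded=0
thread1.requestlist.current.all=1
total.num.queries=1240
total.requestlist.exceeded=1150
total.requestlist.current.all=4
time.up=612.000000
"""

def parse_stats(text):
    """Return {counter_name: float} from unbound-control stats output."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats

def find_drop_anomalies(stats, queue_floor=50):
    """Threads whose requestlist.exceeded is non-zero while requestlist.current.all
    is below queue_floor: drops a full request list cannot explain."""
    hits = []
    for key, dropped in stats.items():
        if key.startswith("thread") and key.endswith(".requestlist.exceeded"):
            thread = key.split(".", 1)[0]
            if dropped > 0 and stats.get(f"{thread}.requestlist.current.all", 0) < queue_floor:
                hits.append(thread)
    return sorted(hits)

def drop_ratio(stats):
    """Share of received queries dropped for lack of request-list space."""
    total = stats.get("total.num.queries", 0)
    return stats.get("total.requestlist.exceeded", 0) / total if total else 0.0

if __name__ == "__main__":
    text = subprocess.run(["unbound-control", "stats_noreset"],
                          capture_output=True, text=True, check=True).stdout
    s = parse_stats(text)
    print(f"drop ratio {drop_ratio(s):.1%}, anomalous threads: {find_drop_anomalies(s)}")
```

Run it on a live resolver to see whether the drops track a full queue (expected under load) or appear with an empty one, as reported above.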