TLS upstream connections get closed despite keepalive

xnor xnoreq at
Thu Jul 21 12:35:57 UTC 2022


I'm running unbound 1.16.1 on Linux 5.15.55, configured to forward 
everything over TCP TLS connections.
Despite keepalive being enabled, I can see that the connections get 
closed early.
Note that the server is not busy at all.

Here are the relevant bits of the configuration:

     name: "."
     forward-tls-upstream: yes
     forward-addr: at
     forward-addr: at
     forward-addr: at
     forward-addr: at

max-reuse-tcp-queries: 2000
tcp-idle-timeout: 9000000
edns-tcp-keepalive: yes
edns-tcp-keepalive-timeout: 9000000
num-threads: 1

Packet captures show that after as few as ~30 seconds, unbound sends a 
FIN+ACK. Sometimes it sends a couple more RST packets which doesn't seem 
right either.

This, combined with the behavior that unbound wants to open connections 
to all upstream servers instead of reusing existing connections, it will 
constantly open new connections (and to make matters worse it does not 
seem to do that in the background but synchronously with incoming 
queries, blocking them) leads to many queries being needlessly delayed 
by about 80 to 180ms.

Did I do something wrong? How can I fix this?

More information about the Unbound-users mailing list