Disable Serving expired with ttl=0

Raman, Sankar sraman at rbbn.com
Thu Jun 29 10:26:14 UTC 2023


Hello:

I am working on replacing libcares with unbound for my client on an OpenWrt platform. I am using async mode (ub_resolve_async()) for DNS queries, and unbound is used as a forwarding server, not an authoritative one. serve-expired is left at its default, which is 'no'.

The issue I am facing is that the application that uses unbound maintains its own cache and, on expiry of the ttl, re-queries unbound, which immediately returns an answer with ttl=0 and then sends a fresh query out. This is not desirable for our application. If the application re-queries after ttl+1 seconds, then unbound returns the answer from a fresh query instead of serving expired with ttl=0.



1. Why does unbound return an expired record with ttl=0 when serve-expired is left at its default, which is 'no'?

2. Why does unbound always send out a new query only 1 sec after ttl expiry instead of sending the new query immediately?



Very First Query

Application ---> Query ---------------> Unbound
                                        Unbound ---> Query ---> Authoritative DNS Server
                                        Unbound <--- Answer (ttl = t) <--- Authoritative DNS Server
Application <--- Answer (ttl = t) <---- Unbound

After ttl t secs expiry, Second Query

Application ---> Query ---------------> Unbound
Application <--- Answer (ttl = 0) <---- Unbound (NOT DESIRABLE)
                                        Unbound 1 sec wait (NOT DESIRABLE)
                                        Unbound ---> Query ---> Authoritative DNS Server
                                        Unbound <--- Answer (ttl = t) <--- Authoritative DNS Server



This process of getting back ttl=0 repeats for all subsequent re-queries on ttl expiry, and the application gets the original ttl only from the answer to the very first query.

As can be seen from the attached Wireshark capture, the lowest ttl=5 and my application re-queries every 5 seconds, but unbound sends the query out only after 6 seconds, as can be seen in the capture.



Attached unbound.conf.

Any help will be appreciated.



Thanks

Sankar Raman

-------------- next part --------------
#
server:
  # By default Unbound does not allow Private IPs to be reverse Queried (AS112 Zones)
  # Allow them for TLS Mutual Authentication Reverse Queries
  # IPv4 Private Addresses
  local-zone: "10.in-addr.arpa." nodefault
  local-zone: "16.172.in-addr.arpa." nodefault
  local-zone: "17.172.in-addr.arpa." nodefault
  local-zone: "18.172.in-addr.arpa." nodefault
  local-zone: "19.172.in-addr.arpa." nodefault
  local-zone: "20.172.in-addr.arpa." nodefault
  local-zone: "21.172.in-addr.arpa." nodefault
  local-zone: "22.172.in-addr.arpa." nodefault
  local-zone: "23.172.in-addr.arpa." nodefault
  local-zone: "24.172.in-addr.arpa." nodefault
  local-zone: "25.172.in-addr.arpa." nodefault
  local-zone: "26.172.in-addr.arpa." nodefault
  local-zone: "27.172.in-addr.arpa." nodefault
  local-zone: "28.172.in-addr.arpa." nodefault
  local-zone: "29.172.in-addr.arpa." nodefault
  local-zone: "30.172.in-addr.arpa." nodefault
  local-zone: "31.172.in-addr.arpa." nodefault
  local-zone: "168.192.in-addr.arpa." nodefault

  # IPv6 Local Addresses
  local-zone: "d.f.ip6.arpa." nodefault
  local-zone: "8.e.f.ip6.arpa." nodefault
  local-zone: "9.e.f.ip6.arpa." nodefault
  local-zone: "a.e.f.ip6.arpa." nodefault
  local-zone: "b.e.f.ip6.arpa." nodefault
  # IPv6 Example Prefix
  local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault

  cache-max-negative-ttl: 5
  prefetch: yes
  serve-original-ttl: yes

############ END OF LOCAL-ZONE CONFIG ############
############   END OF SERVER CONFIG   ############

forward-zone: # Primary & Secondary DNS Servers
  name: "."
  forward-addr: 192.168.50.12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound-wireshark.pcapng
Type: application/octet-stream
Size: 4344 bytes
Desc: unbound-wireshark.pcapng
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230629/1a81f092/attachment-0001.obj>
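Added example (not code from the mail, from Unbound, or from libunbound): a small Python model of the two-level cache the mail describes, an application cache sitting in front of a forwarding resolver. The resolver class here is a constructed stand-in that reproduces only the observed timeline (fresh answer with ttl=t, an answer with ttl=0 when re-queried exactly at expiry, a fresh upstream query one second later) and makes no claim about how Unbound implements its cache. The defensive part is an application-side minimum-TTL floor, so that a ttl=0 answer cannot drive the application into a tight re-query loop. The class names, the min_ttl parameter, the address 192.0.2.10 and the lookup schedules are all assumptions of this example.

```python
"""Application cache in front of a forwarding resolver: a constructed model.

FakeResolver reproduces only the timeline described in the mail; it is not
libunbound and says nothing about Unbound internals (assumption).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Answer:
    name: str
    addresses: List[str]
    ttl: int  # seconds remaining, as reported by the resolver


class FakeResolver:
    """Constructed stand-in for a forwarding resolver with its own cache."""

    def __init__(self, clock: Callable[[], int], upstream_ttl: int) -> None:
        self.clock = clock
        self.upstream_ttl = upstream_ttl
        self.expiry: Optional[int] = None  # absolute expiry of the cached record
        self.upstream_queries = 0          # fresh queries sent to the forwarder

    def resolve(self, name: str) -> Answer:
        now = self.clock()
        # The cached record is still handed out when now == expiry, which is
        # where the ttl=0 answer comes from. Assumption: modelled on the
        # timeline in the mail, not on resolver source code.
        if self.expiry is not None and now <= self.expiry:
            return Answer(name, ["192.0.2.10"], self.expiry - now)
        self.upstream_queries += 1
        self.expiry = now + self.upstream_ttl
        return Answer(name, ["192.0.2.10"], self.upstream_ttl)


@dataclass
class CacheEntry:
    answer: Answer
    expires_at: int


class AppCache:
    """Application cache that re-queries the resolver when its TTL runs out.

    min_ttl is the defensive floor: a ttl=0 answer is cached for at least
    min_ttl seconds so the application cannot spin on re-queries.
    """

    def __init__(self, resolver: FakeResolver, clock: Callable[[], int],
                 min_ttl: int) -> None:
        self.resolver = resolver
        self.clock = clock
        self.min_ttl = min_ttl
        self.entries: Dict[str, CacheEntry] = {}
        self.resolver_queries = 0  # queries the application sent to the resolver

    def lookup(self, name: str) -> Tuple[Answer, bool]:
        """Return (answer, hit); hit=False means the resolver was asked."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.answer, True
        self.resolver_queries += 1
        answer = self.resolver.resolve(name)
        effective_ttl = max(answer.ttl, self.min_ttl)  # clamp ttl=0 answers
        self.entries[name] = CacheEntry(answer, now + effective_ttl)
        return answer, False


def simulate(lookup_times: List[int], upstream_ttl: int,
             min_ttl: int) -> Tuple[List[Tuple[int, int, bool]], int, int]:
    """Replay application lookups at the given (constructed) times.

    Returns ([(time, ttl_seen_by_app, cache_hit), ...],
             queries sent to the resolver, queries the resolver sent upstream).
    """
    clock = [0]
    resolver = FakeResolver(lambda: clock[0], upstream_ttl)
    app = AppCache(resolver, lambda: clock[0], min_ttl)
    events = []
    for t in lookup_times:
        clock[0] = t
        answer, hit = app.lookup("example.test")
        events.append((t, answer.ttl, hit))
    return events, app.resolver_queries, resolver.upstream_queries


if __name__ == "__main__":
    # The timeline from the mail: app re-queries every 5 s, upstream every 6 s.
    for event in simulate([0, 5, 6, 11, 12], upstream_ttl=5, min_ttl=1)[0]:
        print(event)
```

Running it with the schedule [0, 5, 6, 11, 12] reproduces the pattern in the mail: the application sees ttl=5, then ttl=0 at second 5, and the resolver goes upstream only at second 6. Replaying three lookups within second 5 shows the point of the floor: with min_ttl=0 every one of them reaches the resolver, with min_ttl=1 only the first does.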