ends client subnet testing

2018-02-14 Thread Shawn Zhou via Unbound-users
Hello,
I am testing ECS support using unbound 1.6.4 and I face the same problem that 
another user reported back on May 6, 2015.
I have a CNAME record that is managed by my own authoritative server, which has 
EDNS support and responds with the expected scope prefix-length (/16 as in my 
example [1]), and that record points to another CNAME which is managed by AWS 
DNS, which responded with scope prefix-length /0. unbound cached the response 
with scope prefix-length /0 rather than /16, and subsequent lookups for the same 
record with a different client-subnet got served from that cache. This is a bit 
surprising, as it is counter-intuitive not to use the max prefix-length from the 
whole chain for caching responses.
Is there a plan for unbound to start using the max prefix-length from the whole 
chain for cache lookups?
Also, when unbound caches each of the lookups for records in the chain, does it 
have separate cache entries for each lookup or only one entry for the RRsets of 
the whole chain?


[1]
$ dig @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44886
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.65.177.7/32/0
;; QUESTION SECTION:
;egress01.insnw.net.    IN  A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN  CNAME   ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 600 IN    CNAME   nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS  ns-527.awsdns-01.net.

;; Query time: 1462 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:02 UTC 2018
;; MSG SIZE  rcvd: 324

$ dig @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10223
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;egress01.insnw.net.    IN  A

;; ANSWER SECTION:
egress01.insnw.net. 277 IN  CNAME   ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 577 IN    CNAME   nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS  ns-527.awsdns-01.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:25 UTC 2018
;; MSG SIZE  rcvd: 312

$ dig @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11138
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 45e8e0a01ad26d47ab5fd11c5a84c51ee9a8998944593e1d (good)
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;egress01.insnw.net.    IN  A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN  CNAME   ofetch01-fra02.svc.insnw.net.
ofetch01-fra02.svc.insnw.net. 600 IN    A   35.156.66.126

;; AUTHORITY SECTION:
insnw.net.  86400   IN  NS  ns2.insnw.net.
insnw.net.  86400   IN  NS  ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net.  86400   IN  A   192.33.29.21
ns2.insnw.net.  86400   IN  A   192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Feb 14 23:24:14 UTC 2018
;; MSG SIZE  rcvd: 204

$ dig @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36514
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not av
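The caching behaviour described in the post above, as an added illustration that is not Unbound's code: a toy resolver that follows a CNAME chain and caches the whole chain under either the last hop's scope (what the post observes) or the longest scope in the chain (what the post asks for). It uses the names from the post but constructed answers; `auth`, `EcsCache` and `resolve` are assumed helpers.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the authoritatives in the post: the insnw.net server is
# ECS-aware and answers per client /16; the AWS ELB server answers with scope /0.
def auth(qname, client_ip):
    """Return (rrtype, rdata, scope_prefix_len) for one hop of the chain."""
    if qname == "egress01.insnw.net.":
        if ip_address(client_ip) in ip_network("52.65.0.0/16"):
            return ("CNAME", "ofetch01-syd02.svc.insnw.net.", 16)
        return ("CNAME", "ofetch01-fra02.svc.insnw.net.", 16)
    if qname == "ofetch01-syd02.svc.insnw.net.":
        return ("CNAME", "nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.", 16)
    if qname == "ofetch01-fra02.svc.insnw.net.":
        return ("A", "35.156.66.126", 16)
    if qname == "nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.":
        return ("A", "13.54.22.31", 0)   # ECS-unaware: same answer for every client
    raise KeyError(qname)

class EcsCache:
    """Answers keyed by (qname, client network); a hit needs the client inside the network."""
    def __init__(self):
        self.entries = {}
    def get(self, qname, client_ip):
        for net, answer in self.entries.get(qname, []):
            if ip_address(client_ip) in net:
                return answer
        return None
    def put(self, qname, client_ip, scope, answer):
        net = ip_network(f"{client_ip}/{scope}", strict=False)   # scope 0 -> 0.0.0.0/0
        self.entries.setdefault(qname, []).append((net, answer))

def resolve(qname, client_ip, cache, scope_policy):
    """Follow the CNAME chain and cache it under the scope chosen by scope_policy:
    "last" = scope of the final hop (the behaviour the post observes),
    "max"  = longest scope anywhere in the chain (what the post asks for)."""
    hit = cache.get(qname, client_ip)
    if hit is not None:
        return hit, "cache"
    chain, scopes, name = [], [], qname
    while True:
        rrtype, rdata, scope = auth(name, client_ip)
        chain.append((name, rrtype, rdata))
        scopes.append(scope)
        if rrtype != "CNAME":
            break
        name = rdata
    cache.put(qname, client_ip, scopes[-1] if scope_policy == "last" else max(scopes), chain)
    return chain, "auth"
```

With the "last" policy the Sydney answer is cached under 0.0.0.0/0, so a client in 52.57.0.0/16 is served the Sydney chain from cache; with "max" it misses and fetches the Frankfurt chain.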

unbound doesn't remove pidfile

2018-03-06 Thread Shawn Zhou via Unbound-users
Hi,
I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't remove the pid 
file after it's stopped. I was expecting the pid file to be owned by the 
unbound user, as otherwise unbound probably wouldn't be able to remove it; 
however, I didn't see any permission errors in the unbound logs. I even tried 
changing the permissions of the pid file after it's created and before stopping 
unbound, but that didn't help.

root@DFW01-CPS02:~# service unbound start
 * Starting DNS server unbound
[1520387664] unbound[60481:0] debug: increased limit(open files) from 1024 to 4140
[1520387664] unbound[60481:0] debug: creating udp4 socket 127.0.0.1 53
[1520387664] unbound[60481:0] debug: creating tcp4 socket 127.0.0.1 53
[1520387664] unbound[60481:0] debug: creating tcp6 socket ::1 8953
[1520387664] unbound[60481:0] debug: creating tcp4 socket 127.0.0.1 8953
[1520387664] unbound[60481:0] debug: switching log to syslog
   ...done.
root@DFW01-CPS02:~# ls -l /run/unbound.pid
-rw-r--r-- 1 root root 6 Mar  7 01:54 /run/unbound.pid
root@DFW01-CPS02:~# cat /run/unbound.pid
60482
root@DFW01-CPS02:~# ps -ef |grep unbound
root  60455  58318  0 01:54 pts/4    00:00:00 grep --color=auto -i unbound
unbound   60482  1  0 01:54 ?    00:00:00 /usr/sbin/unbound
root  60599  57970  0 01:55 pts/3    00:00:00 grep --color=auto unbound
root@DFW01-CPS02:~#
root@DFW01-CPS02:~# service unbound stop
 * Stopping DNS server unbound
   ...done.
root@DFW01-CPS02:~# cat /run/unbound.pid
60482
root@DFW01-CPS02:~# ps -ef |grep unbound
root  60455  58318  0 01:54 pts/4    00:00:00 grep --color=auto -i unbound
root  60627  57970  0 01:55 pts/3    00:00:00 grep --color=auto unbound
root@DFW01-CPS02:~#
root@DFW01-CPS02:~# dpkg -l unbound
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name     Version         Architecture  Description
+++-========-===============-=============-===========================================
ii  unbound  1.5.8-1ubuntu1  amd64         validating, recursive, caching DNS resolver


Here are the log messages from unbound:
root@DFW01-CPS02:~# tail -n 0 -f /var/log/messages | grep -i unbound
Mar  7 01:54:24 DFW01-CPS02 unbound-anchor: /var/lib/unbound/root.key has content
Mar  7 01:54:24 DFW01-CPS02 unbound-anchor: success: the anchor is ok
Mar  7 01:54:24 DFW01-CPS02 unbound: [60481:0] debug: setup SSL certificates
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chdir to /var/lib/unbound
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chroot to /var/lib/unbound
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chdir to /etc/unbound
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: drop user privileges, run as unbound
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: module config: "validator iterator"
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] notice: init module 0: validator
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: reading autotrust anchor file /root.key
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: trust point . : 1
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: assembled 0 DS and 2 DNSKEYs
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: file /root.key
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: last_queried: 1520387664 Wed Mar  7 01:54:24 2018
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: last_success: 1520387664 Wed Mar  7 01:54:24 2018
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: next_probe_time: 1520427614 Wed Mar  7 13:00:14 2018
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: query_interval: 43200
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: retry_time: 8640
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: query_failed: 0
Mar  7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: [  VALID  ] 
.#011172800#011IN#011DNS

Re: unbound doesn't remove pidfile

2018-03-09 Thread Shawn Zhou via Unbound-users
From what I can see the unbound init script is up-to-date. Do I need to add an 
override for the pidfile in the unbound config? Even if I do that and it works, I 
will still need to update the unbound init script as well, so the easiest fix 
for me is to update the init script to explicitly remove the pid file after 
unbound is stopped. I wonder how other people running unbound in a chroot setup 
on ubuntu/debian are dealing with the issue.
root@DFW01-CPS02:/etc/unbound/unbound.conf.d# cat test.conf
server:
  chroot: "/var/lib/unbound"
  verbosity: 9
  do-not-query-localhost: no
  statistics-cumulative: yes
  extended-statistics: yes
  interface: 127.0.0.1

python:

remote-control:
  control-enable: yes
root@DFW01-CPS02:/etc/unbound/unbound.conf.d# 

root@DFW01-CPS02:/etc/unbound/unbound.conf.d# cat /etc/init.d/unbound 
#!/bin/sh

### BEGIN INIT INFO
# Provides:          unbound
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

NAME="unbound"
DESC="DNS server"
DAEMON="/usr/sbin/unbound"
PIDFILE="/run/unbound.pid"

HELPER="/usr/lib/unbound/package-helper"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Override this variable by editing or creating /etc/default/unbound.
DAEMON_OPTS=""

if [ -f /etc/default/unbound ]; then
    . /etc/default/unbound
fi

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        $HELPER chroot_setup
        $HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
        if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
            $HELPER resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then
            $HELPER resolvconf_stop
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
        $HELPER resolvconf_stop
        if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
            $HELPER chroot_setup
            $HELPER resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
            $HELPER chroot_setup
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;

    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|status|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0



On Wednesday, March 7, 2018, 4:33:37 AM PST, Robert Edmonds via 
Unbound-users  wrote:  
 
 Shawn Zhou via Unbound-users wrote:
> I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't run remove the 
> pid file after it's stopped.

I believe the unbound packaging on Ubuntu xenial is old enough that it
still uses the sysv generator to create the service unit. You will
probably want to add this fix to your unbound init script, which I don't
think was ever backported to xenial (it was originally added in 1.5.9-1):

https://salsa.debian.org/dns-team/unbound/commit/1c139abaa0fe58f8d97b64c96da6c3332b1b9e49

-- 
Robert Edmonds
edmo...@debian.org
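As an added example, not from the thread or from the Debian package: the check a stop path should make before unlinking a pidfile the chrooted, privilege-dropped daemon could not remove itself, so that /run/unbound.pid is cleaned up only once the recorded PID is really gone and a still-running daemon's pidfile is left alone. `remove_stale_pidfile` and `demo` are assumed names; the scenario in `demo` is constructed.

```python
import os
import subprocess
import sys
import tempfile

def remove_stale_pidfile(path):
    """Return "absent", "invalid", "alive" or "removed"; unlink only a stale pidfile.

    kill(pid, 0) delivers no signal: ESRCH means no such process (stale entry),
    EPERM means the process exists but runs as another user (as with a root-owned
    pidfile for a daemon that dropped to 'unbound'), so that case counts as alive.
    """
    try:
        with open(path) as f:
            text = f.read().strip()
    except FileNotFoundError:
        return "absent"
    if not text.isdigit() or int(text) <= 0:
        return "invalid"
    try:
        os.kill(int(text), 0)
    except ProcessLookupError:
        os.remove(path)
        return "removed"
    except PermissionError:
        return "alive"
    return "alive"

def demo():
    """Constructed scenario: a live PID (this process), an exited PID, and junk content."""
    d = tempfile.mkdtemp()
    live, dead, junk = (os.path.join(d, n) for n in ("live.pid", "dead.pid", "junk.pid"))
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()                                   # reaped, so its PID no longer exists
    for p, content in ((live, os.getpid()), (dead, child.pid), (junk, "not-a-pid")):
        with open(p, "w") as f:
            f.write(f"{content}\n")
    return {
        "live": (remove_stale_pidfile(live), os.path.exists(live)),
        "dead": (remove_stale_pidfile(dead), os.path.exists(dead)),
        "junk": (remove_stale_pidfile(junk), os.path.exists(junk)),
        "absent": remove_stale_pidfile(os.path.join(d, "none.pid")),
    }

if __name__ == "__main__":
    print(demo())
```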