edns client subnet testing
Hello, I am testing ecs support using unbound 1.6.4 and I face the same problem that another user reported back on May 6, 2015. I have a CNAME record that is managed by my own authoritative that has edns support and with expected scope prefix-length (/16 as in my example [1]) and that record points to another CNAME which is managed by AWS DNS which responded with scope prefix-length /0. unbound cached the response with scope prefix-length /0 rather than /16 and subsequent lookups for the same record with different client-subnet got served from that cache. This is a bit surprising as it is counter-intuitive to not use the max prefix-length from the whole chain for caching responses. Is there a plan for unbound to start to implement using max prefix-length from whole chain for cache lookup? Also, when unbound caches each of the lookups for records in the chain, does it have separate cache entries for each lookup or only one entry for the RRsets for the whole chain?

[1]

$ dig @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.65.177.7
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44886
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 52.65.177.7/32/0
;; QUESTION SECTION:
;egress01.insnw.net. IN A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN CNAME ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 600 IN CNAME nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 60 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172800 IN NS ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172800 IN NS ns-527.awsdns-01.net.

;; Query time: 1462 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:02 UTC 2018
;; MSG SIZE rcvd: 324

$ dig @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10223
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;egress01.insnw.net. IN A

;; ANSWER SECTION:
egress01.insnw.net. 277 IN CNAME ofetch01-syd02.svc.insnw.net.
ofetch01-syd02.svc.insnw.net. 577 IN CNAME nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com.
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 13.54.22.31
nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. 37 IN A 52.64.79.11

;; AUTHORITY SECTION:
elb.ap-southeast-2.amazonaws.com. 172777 IN NS ns-1110.awsdns-10.org.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS ns-13.awsdns-01.com.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS ns-1571.awsdns-04.co.uk.
elb.ap-southeast-2.amazonaws.com. 172777 IN NS ns-527.awsdns-01.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 14 23:23:25 UTC 2018
;; MSG SIZE rcvd: 312

$ dig @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138

; <<>> DiG 9.11.0-P3 <<>> @ns1.insnw.net egress01.insnw.net +subnet=52.57.28.138
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11138
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 45e8e0a01ad26d47ab5fd11c5a84c51ee9a8998944593e1d (good)
; CLIENT-SUBNET: 52.57.28.138/32/16
;; QUESTION SECTION:
;egress01.insnw.net. IN A

;; ANSWER SECTION:
egress01.insnw.net. 300 IN CNAME ofetch01-fra02.svc.insnw.net.
ofetch01-fra02.svc.insnw.net. 600 IN A 35.156.66.126

;; AUTHORITY SECTION:
insnw.net. 86400 IN NS ns2.insnw.net.
insnw.net. 86400 IN NS ns1.insnw.net.

;; ADDITIONAL SECTION:
ns1.insnw.net. 86400 IN A 192.33.29.21
ns2.insnw.net. 86400 IN A 192.33.29.22

;; Query time: 0 msec
;; SERVER: 192.33.29.21#53(192.33.29.21)
;; WHEN: Wed Feb 14 23:24:14 UTC 2018
;; MSG SIZE rcvd: 204

$ dig @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7

; <<>> DiG 9.11.0-P3 <<>> @ns-1110.awsdns-10.org. nlb-72fb7d7a9fecee0d.elb.ap-southeast-2.amazonaws.com. +subnet=52.65.177.7
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36514
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not av
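The cache behaviour described in the post, modelled as an added example (this is not code from the thread or from Unbound). It assumes a two-hop CNAME chain whose first hop answers with scope /16 and whose last hop answers with scope /0, mirroring the dig output, and compares storing the answer under the last hop's scope with storing it under the longest scope in the chain:

```python
# Added example, not from the thread or from Unbound: a minimal model of an
# ECS-aware answer cache (RFC 7871 semantics) for a CNAME chain.
import ipaddress


def network_at_scope(client_ip: str, scope: int) -> str:
    """Truncate a client address to the scope prefix length an answer carries."""
    return str(ipaddress.ip_network(f"{client_ip}/{scope}", strict=False))


class EcsCache:
    def __init__(self):
        self._entries = {}  # (qname, network/scope) -> answer

    def store(self, qname, client_ip, scope, answer):
        self._entries[(qname, network_at_scope(client_ip, scope))] = answer

    def lookup(self, qname, client_ip):
        # An entry serves any client whose address lies inside the network it
        # was stored under; a /0 entry therefore serves every client.
        client = ipaddress.ip_address(client_ip)
        for (name, net), answer in self._entries.items():
            if name == qname and client in ipaddress.ip_network(net):
                return answer
        return None  # cache miss: the resolver would query upstream again


def chain_scope(hops, policy):
    """Scope under which the whole chain's answer is stored.
    'last' = scope returned by the final hop (what the poster observed);
    'max'  = longest scope seen anywhere in the chain."""
    scopes = [scope for _, scope in hops]
    return scopes[-1] if policy == "last" else max(scopes)


# Constructed chain (hypothetical names): own auth answers /16, AWS answers /0.
HOPS = [("egress01.example", 16), ("nlb.example", 0)]


def serve_two_clients(policy):
    """Fill the cache for a Sydney client, then look up for a Frankfurt client."""
    cache = EcsCache()
    cache.store("egress01.example", "52.65.177.7", chain_scope(HOPS, policy), "syd-answer")
    return cache.lookup("egress01.example", "52.57.28.138")
```

With `policy="last"` the second client is wrongly served the Sydney answer from cache; with `policy="max"` the lookup misses and the resolver re-queries with the second client's subnet.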
unbound doesn't remove pidfile
Hi, I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't remove the pid file after it's stopped. I was expecting the pid file should be owned by the unbound user as otherwise unbound probably wouldn't be able to remove it; however, I didn't see any permission errors in the unbound logs. I even tried to change the permission of the pid file after it's created and before stopping unbound, but that didn't help.

root@DFW01-CPS02:~# service unbound start
 * Starting DNS server unbound
[1520387664] unbound[60481:0] debug: increased limit(open files) from 1024 to 4140
[1520387664] unbound[60481:0] debug: creating udp4 socket 127.0.0.1 53
[1520387664] unbound[60481:0] debug: creating tcp4 socket 127.0.0.1 53
[1520387664] unbound[60481:0] debug: creating tcp6 socket ::1 8953
[1520387664] unbound[60481:0] debug: creating tcp4 socket 127.0.0.1 8953
[1520387664] unbound[60481:0] debug: switching log to syslog
   ...done.
root@DFW01-CPS02:~# ls -l /run/unbound.pid
-rw-r--r-- 1 root root 6 Mar 7 01:54 /run/unbound.pid
root@DFW01-CPS02:~# cat /run/unbound.pid
60482
root@DFW01-CPS02:~# ps -ef |grep unbound
root     60455 58318  0 01:54 pts/4    00:00:00 grep --color=auto -i unbound
unbound  60482     1  0 01:54 ?        00:00:00 /usr/sbin/unbound
root     60599 57970  0 01:55 pts/3    00:00:00 grep --color=auto unbound
root@DFW01-CPS02:~#
root@DFW01-CPS02:~# service unbound stop
 * Stopping DNS server unbound
   ...done.
root@DFW01-CPS02:~# cat /run/unbound.pid
60482
root@DFW01-CPS02:~# ps -ef |grep unbound
root     60455 58318  0 01:54 pts/4    00:00:00 grep --color=auto -i unbound
root     60627 57970  0 01:55 pts/3    00:00:00 grep --color=auto unbound
root@DFW01-CPS02:~# dpkg -l unbound
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture   Description
+++-===-==-==-
ii  unbound        1.5.8-1ubuntu1   amd64          validating, recursive, caching DNS resolver

Here are the log messages from unbound:

root@DFW01-CPS02:~# tail -n 0 -f /var/log/messages | grep -i unbound
Mar 7 01:54:24 DFW01-CPS02 unbound-anchor: /var/lib/unbound/root.key has content
Mar 7 01:54:24 DFW01-CPS02 unbound-anchor: success: the anchor is ok
Mar 7 01:54:24 DFW01-CPS02 unbound: [60481:0] debug: setup SSL certificates
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chdir to /var/lib/unbound
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chroot to /var/lib/unbound
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: chdir to /etc/unbound
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: drop user privileges, run as unbound
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: module config: "validator iterator"
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] notice: init module 0: validator
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] debug: reading autotrust anchor file /root.key
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: trust point . : 1
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: assembled 0 DS and 2 DNSKEYs
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: DNSKEY:: .#011172800#011IN#011DNSKEY#011257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: DNSKEY:: .#011172800#011IN#011DNSKEY#011257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: file /root.key
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: last_queried: 1520387664 Wed Mar 7 01:54:24 2018
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: last_success: 1520387664 Wed Mar 7 01:54:24 2018
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: next_probe_time: 1520427614 Wed Mar 7 13:00:14 2018
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: query_interval: 43200
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: retry_time: 8640
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: query_failed: 0
Mar 7 01:54:24 DFW01-CPS02 unbound: [60482:0] info: [ VALID ] .#011172800#011IN#011DNS
Re: unbound doesn't remove pidfile
From what I can see the unbound init script is up-to-date. Do I need to add an override for the pidfile in the unbound config? Even if I do that and it works, I will still need to update the unbound init script as well, so the easiest fix to me is to update the init script to explicitly remove the pid file after unbound is stopped. I wonder how other people running unbound in a chroot setup on ubuntu/debian are dealing with the issue.

root@DFW01-CPS02:/etc/unbound/unbound.conf.d# cat test.conf
server:
    chroot: "/var/lib/unbound"
    verbosity: 9
    do-not-query-localhost: no
    statistics-cumulative: yes
    extended-statistics: yes
    interface: 127.0.0.1
python:
remote-control:
    control-enable: yes
root@DFW01-CPS02:/etc/unbound/unbound.conf.d#
root@DFW01-CPS02:/etc/unbound/unbound.conf.d# cat /etc/init.d/unbound
#!/bin/sh
### BEGIN INIT INFO
# Provides:          unbound
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

NAME="unbound"
DESC="DNS server"
DAEMON="/usr/sbin/unbound"
PIDFILE="/run/unbound.pid"
HELPER="/usr/lib/unbound/package-helper"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Override this variable by editing or creating /etc/default/unbound.
DAEMON_OPTS=""

if [ -f /etc/default/unbound ]; then
    . /etc/default/unbound
fi

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        $HELPER chroot_setup
        $HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
        if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
            $HELPER resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then
            $HELPER resolvconf_stop
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
        $HELPER resolvconf_stop
        if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
            $HELPER chroot_setup
            $HELPER resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
            $HELPER chroot_setup
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;
    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|status|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

On Wednesday, March 7, 2018, 4:33:37 AM PST, Robert Edmonds via Unbound-users wrote:

Shawn Zhou via Unbound-users wrote:
> I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't run remove the
> pid file after it's stopped.

I believe the unbound packaging on Ubuntu xenial is old enough that it still uses the sysv generator to create the service unit. You will probably want to add this fix to your unbound init script, which I don't think was ever backported to xenial (it was originally added in 1.5.9-1):

https://salsa.debian.org/dns-team/unbound/commit/1c139abaa0fe58f8d97b64c96da6c3332b1b9e49

--
Robert Edmonds
edmo...@debian.org