My workload sends lots of queries to various TLDs and public suffix
2LDs (.co.uk, ...), but non-infrastructure queries to leaf domains
are almost not repeated sufficiently often to be found in the cache.
How should I tune the cache? Ideally, (but unbound likely can't
do this), the
On Wed, May 23, 2018 at 07:56:42AM +0200, W.C.A. Wijngaards wrote:
> > I have 8 threads configured, anyone know why unbound would
> > do all the work in just one thread?
>
> Previously people that asked this, had a usage that one thread could
> satisfy. Perhaps the other cpu cores are running
I have 8 threads configured, anyone know why unbound would
do all the work in just one thread?
Build info:
# /usr/local/sbin/unbound -h
[...]
Version 1.7.1
linked libs: libevent 2.1.8-stable (it uses kqueue), OpenSSL 1.0.2o 27 Mar
2018
linked modules: dns64 respip validator iterator
When a query arrives over UDP, and no answer is available in the cache, it may
take a while to obtain an answer. After how long will unbound drop the query
and no longer provide a delayed response?
If the client timeout is shorter than that, unbound will reply to a client port
that is
Please see:
http://dnsviz.net/d/_25._tcp.mx1.marketconservative.com/WmzVYw/dnssec/
The NXDomain response contains NSEC records that cover
_tcp.mx1.marketconservative.com
but NOT
*.mx1.marketconservative.com
Here are the responses from the remote servers with RRSIGs trimmed:
On Tue, Dec 19, 2017 at 06:08:50AM +, Viktor Dukhovni wrote:
> The original code uses non-portable undefined overflow behaviour
> for signed integer arithmetic. The compiler is free to replace
> "incep - expi > 0" with "incep > expi". The intermediate "var"
> may in some cases avoid the
On Fri, Dec 15, 2017 at 11:40:38AM +0100, W.C.A. Wijngaards wrote:
> Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
> succeed with a small code change together with the removal of -O2
> (disabling clang's optimizer).
>
> The code change is instead of if(incep - expi > 0)
On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:
> I've unbound setup on FreeBSD 11.1 and I can't figure out why "drill
> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
> 2b and 4). Any
On Mon, Sep 04, 2017 at 04:01:06PM +0200, W.C.A. Wijngaards wrote:
> This version blocks .test and .invalid by default.
I see that the default local-zone type for these is "static", which
will look bogus to downstream validating resolvers. Perhaps "refuse"
would have been a better choice? Of
On Thu, Aug 24, 2017 at 05:28:28PM +0200, W.C.A. Wijngaards wrote:
> [1503588441] libunbound[20640:0] info: verify rrset
> 3645142tqk02bkonalf8lhipr7bs92k2.pat.dedyn.io. NSEC3 IN
> [1503588441] libunbound[20640:0] debug: Validating a nodata response
> [1503588441] libunbound[20640:0] debug:
I had unbound 1.6.4 listening on the loopback interface with
validation enabled. Unexpectedly, for a DNSSEC signed zone
with no MX records, the NODATA response from unbound has AD=0:
$ dig +nosplit +dnssec +ad -t mx pat.dedyn.io @127.0.0.1
; <<>> DiG 9.11.1-P3 <<>> +nosplit +dnssec +ad -t mx
On a busy unbound 1.6.2 server I observed the following sequence of events,
in which an initial query socket is closed quickly (for a retry with a
smaller EDNS0 buffer size) and ICMP unreachable is returned by the time the
answer arrives, with the retry answer finally accepted at the retry socket
On Wed, Apr 26, 2017 at 08:14:09PM -0700, Jacob Hoffman-Andrews wrote:
> I'm trying to understand Unbound's TCP fallback better. Is it expected
> that Unbound will fall back to TCP when UDP queries timeout, or only if
> it receives a truncated ANSWER?
Only when truncated as you observed.
>
On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:
> Am 22.04.2017 um 13:20 schrieb A. Schulze via Unbound-users:
> > Am 13.04.2017 um 10:17 schrieb W.C.A. Wijngaards via Unbound-users:
> >
> >> Unbound 1.6.2rc1 maintainers prerelease is available:
> >> - --disable-sha1 disables SHA1
[ Perhaps dnsviz should detect and report "glueless" delegations
of NS names if that's the issue. See below. ]
On Tue, Feb 28, 2017 at 10:33:18AM +0700, battossai wrote:
> Sorry, not fully understand your explanation.
> It means NS polri.go.id is has error configuration for its DNSec ?
> Why
I waited until this week before upgrading from El Capitan to Sierra,
but perhaps that was not quite long enough... After the upgrade
"unbound" has become unusable, it stops responding under load.
Has anyone been able to build a working unbound for MacOS Sierra?
I tried using the latest libevent
I read that "stub-prime: yes" obtains the initial "NS" list from
the zone's parent as usual, but what happens after that? Is that
"NS" list effectively "frozen" for the life-time of the unbound(8)
server process, or does it get updated as the NS records change at
the zone apex?
The reason I ask
On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:
> If secure and bogus are both not set, the message is 'insecure', i.e. it
> was not dnssec signed.
Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure nor insecure.
DNSSEC Security status only applies to a response RRset or