Hi Gareth,

The lookup is really taking very long and unbound assumes that you should keep waiting for the answer. Unbound does not know what the timeout of the client is, so cannot tell it servfail. Perhaps the clients should have longer timeouts? Or how else can they insist on an answer within some time? This is not part of the DNS protocol? They are obviously broken.

Now, to step back from ranting about broken other stuff, in reality, you want stuff to work. Right now unbound does not do what you want. What would work well?

Best regards, Wouter

On 01/15/2010 03:07 PM, Gareth Hopkins wrote:
> Hi,
>
> I am in the process of moving a number of caching boxes to unbound.
>
> One thing I have noticed is the time it takes for a servfail to get
> generated should a domain not be available/visible.
>
> Example.
>
> With unbound I get a timeout (which some clients see as the dns server
> failing and not answering)
>
> # dig bagmail.com mx @dnscache1-ctn.is.co.za
>
> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @unbound_server
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> With our current product I get a servfail.
>
> # dig bagmail.com mx @current_cache
>
> ; <<>> DiG 9.6.1-P2 <<>> bagmail.com mx @dnscache2-ctn.is.co.za
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35397
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;bagmail.com. IN MX
>
> ;; Query time: 5000 msec
>
> ;; WHEN: Fri Jan 15 16:00:17 2010
> ;; MSG SIZE rcvd: 29
>
> The issue with this specific domain is the NS servers, ns1 and
> ns2.goldkey.com don't exist
>
> bagmail.com. 172800 IN NS ns1.goldkey.com.
> bagmail.com. 172800 IN NS ns2.goldkey.com.
>
> unbound-control lookup on that domain shows the following
>
> # unbound-control lookup bagmail.com
> The following name servers are used for lookup of bagmail.com.
> ;rrset 84946 2 0 2 0
> bagmail.com. 171346 IN NS ns1.goldkey.com.
> bagmail.com. 171346 IN NS ns2.goldkey.com.
> ;rrset 84946 1 0 1 0
> ns2.goldkey.com. 171346 IN A 206.83.79.29
> ;rrset 84946 1 0 1 0
> ns1.goldkey.com. 171346 IN A 64.95.64.222
> Delegation with 2 names, of which 2 can be examined to query further
> addresses.
> It provides 2 IP addresses.
> 64.95.64.222 rtt 120000 msec, 12 lost. noEDNS probed.
> 206.83.79.29 rtt 120000 msec, 17 lost. noEDNS probed.
>
> Is there any way to get unbound to return a servfail straight away?
>
> Thanks
>
> Gareth
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users@unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
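
The per-address lines of the `unbound-control lookup` output quoted in the message can be checked mechanically to spot a delegation whose servers have all stopped answering. The following Python is an added example, not part of the original thread and not code from unbound; treating an rtt of 120000 msec (the value shown for both servers above) as the marker of an unresponsive server is an assumption, and the second sample is constructed.

```python
import re

# Per-address line printed by `unbound-control lookup`, in the form quoted above:
#   64.95.64.222 rtt 120000 msec, 12 lost. noEDNS probed.
ADDR_LINE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f:.]+) rtt (?P<rtt>\d+) msec, (?P<lost>\d+) lost\."
)
# Assumption: an rtt at this value marks a server that has stopped answering.
RTT_CEILING_MS = 120000

def parse_lookup(text):
    """Return one dict per address line; all other lines are ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail quoting and indentation
        m = ADDR_LINE.match(line)
        if m:
            servers.append({
                "addr": m.group("addr"),
                "rtt_ms": int(m.group("rtt")),
                "lost": int(m.group("lost")),
            })
    return servers

def unresponsive(servers, ceiling=RTT_CEILING_MS):
    """Addresses whose recorded rtt has reached the ceiling."""
    return [s["addr"] for s in servers if s["rtt_ms"] >= ceiling]

def delegation_is_dead(text):
    """True only if address lines exist and every one is at the ceiling."""
    servers = parse_lookup(text)
    return bool(servers) and len(unresponsive(servers)) == len(servers)

# Address lines copied from the message above.
FROM_MESSAGE = """\
Delegation with 2 names, of which 2 can be examined to query further addresses.
It provides 2 IP addresses.
64.95.64.222 rtt 120000 msec, 12 lost. noEDNS probed.
206.83.79.29 rtt 120000 msec, 17 lost. noEDNS probed.
"""
# Constructed sample: documentation addresses, one server still answering.
CONSTRUCTED = """\
> 192.0.2.1 rtt 120000 msec, 9 lost. noEDNS probed.
> 2001:db8::53 rtt 38 msec, 0 lost.
"""

if __name__ == "__main__":
    for name, text in (("message", FROM_MESSAGE), ("constructed", CONSTRUCTED)):
        print(name, unresponsive(parse_lookup(text)), delegation_is_dead(text))
```

Run against a list of names that clients report as timing out, this separates domains whose whole delegation is unreachable from ones where a single server is slow.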