Maintained by: NLnet Labs

[Unbound-users] dig fails intermittently, but unbound-host does not

W.C.A. Wijngaards
Tue Mar 29 14:16:40 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andrew, Paul,

On 03/29/2011 02:11 PM, Andrew Hearn wrote:
> On 29/03/11 12:19, Paul Wouters wrote:
>> On Tue, 29 Mar 2011, Andrew Hearn wrote:
>>
>>> We have version 1.3.4 on a server and have an odd, intermittent, problem
>>> with looking up a particular record.
>>>
>>> We have other unbound and bind servers that don't have this problem.
>>>
>>> eg:
>>>
>>> [root at a log]# unbound-control flush farnell.com
>>> ok
>>> [root at a log]# dig uk.farnell.com @localhost
>>
>> That domain seems broken, at least from the "world view":
>>
>> [paul at bofh ~]$ dnscheck uk.farnell.com.
>>   0.000: uk.farnell.com. INFO Begin testing zone uk.farnell.com. with
>> version 1.2.1.
>>   0.000: uk.farnell.com. INFO Begin testing delegation for uk.farnell.com..
>>   6.008: uk.farnell.com. INFO Name servers listed at parent:
>> dns1.cscdns.net,dns2.cscdns.net
>>   6.168: uk.farnell.com. ERROR Failed to find name servers of
>> uk.farnell.com./IN.
>>   6.168: uk.farnell.com. ERROR No name servers found at child.
>>   6.168: uk.farnell.com. INFO Done testing delegation for uk.farnell.com..
>>   6.168: uk.farnell.com. CRITICAL Fatal error in delegation for zone
>> uk.farnell.com..
>>   6.168: uk.farnell.com. INFO Test completed for zone uk.farnell.com..
>>
>> If it works internally, perhaps one issue is that one of your servers
>> uses the external instead
>> of internal view?

I think Paul is correct.

> Thanks for the info, but I'm not sure this explains it, as:
>   unbound-host uk.farnell.com -v
> always works, and gives answers, but
>   dig uk.farnell.com @localhost
> is intermittent
> 
> Also, http://www.squish.net/dnscheck works each time we try

That is because the first lookup (has to) use the parent-side
delegation information.  But with a cache the daemon on a second lookup
uses the child-side delegation information.  unbound-host is a
command-line tool and does the first lookup of course.

In unbound 1.4.5 the approach to deal with such broken domains was
changed significantly, making it more robust.  It may work with this
broken domain.

Or, you could unbreak the domain, fix it :-)

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2RzagACgkQkDLqNwOhpPiurwCfWdd4rXjB6bh33nNguUBiE57x
Oe4Ani4nNhw67ony6XDrXJYnhnKSkAgO
=6HQn
-----END PGP SIGNATURE-----
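
The behaviour described in the reply above, as an added example that is not part of the original message and is not Unbound's code: a simplified model of a resolver that starts from the parent-side referral and then caches the NS set the child zone advertises. The zone, server names, address, and the assumption that the child-side NS set names a server that never answers are all constructed for illustration.

```python
# Simplified model of a caching resolver; not Unbound's implementation.
# Zone, server names and addresses are constructed for illustration.
ZONE = "uk.example."
PARENT_SIDE_NS = ["dns1.parent-listed.example.", "dns2.parent-listed.example."]
CHILD_SIDE_NS = ["ns.unreachable.example."]  # assumed: what the zone itself claims

# Authoritative behaviour: server name -> (answer, NS set it advertises).
# A server absent from this table does not respond at all.
AUTH_SERVERS = {
    "dns1.parent-listed.example.": ("192.0.2.10", CHILD_SIDE_NS),
    "dns2.parent-listed.example.": ("192.0.2.10", CHILD_SIDE_NS),
}

class CachingResolver:
    def __init__(self):
        self.ns_cache = {}  # zone -> NS names learned from the child side

    def flush(self, zone):
        """Forget cached delegation data for the zone (models a cache flush)."""
        self.ns_cache.pop(zone, None)

    def resolve(self, zone):
        # Cached child-side NS wins; otherwise use the parent's referral.
        source = "child" if zone in self.ns_cache else "parent"
        servers = self.ns_cache.get(zone, PARENT_SIDE_NS)
        for server in servers:
            reply = AUTH_SERVERS.get(server)
            if reply is None:
                continue  # timeout: this server never answers
            answer, advertised_ns = reply
            self.ns_cache[zone] = list(advertised_ns)  # child data replaces referral
            return ("NOERROR", answer, source)
        return ("SERVFAIL", None, source)

def one_shot_lookup(zone):
    """Like a command-line tool: new process, empty cache, every time."""
    return CachingResolver().resolve(zone)

def daemon_session(zone):
    """One long-lived daemon: lookup, repeat lookup, flush, lookup again."""
    daemon = CachingResolver()
    first = daemon.resolve(zone)
    second = daemon.resolve(zone)
    daemon.flush(zone)
    third = daemon.resolve(zone)
    return [first, second, third]

if __name__ == "__main__":
    print([one_shot_lookup(ZONE)[0] for _ in range(3)])
    print([r[0] for r in daemon_session(ZONE)])
```

In this model the one-shot lookups always succeed, while the daemon succeeds, fails on the repeat lookup that uses the cached child-side NS set, and succeeds again after the flush.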