Maintained by: NLnet Labs

[Unbound-users] Old or incorrect information returned?

Haw Loeung
Fri Nov 6 13:44:53 CET 2009

On Fri, Nov 6th, 2009 at 6:30 PM, "W.C.A. Wijngaards" <wouter at> wrote:
> The TTL on the A record seems to be originally 86400 (24h).
> Thus if unbound sees the record just before it is changed, the
> old data stays around for 24 hours.  Unbound has a builtin
> cap that bounds this caching on a 24 hour term (by coincidence
> exactly the same value as the TTL on  You see
> it with a 5h ttl, so, unbound saw it 19h before.  This is
> exactly according to DNS spec.

But the NS records returned are still that of the old hosting providers. Let me try and explain it.

For both domains, they have changed hosting providers and have redelegated their domains to the 
new providers. They are not our customers but have noticed that our users are having problems 
accessing their website because our resolvers are still returning old, and incorrect, information so 
therefore our users are not hitting their new webservers.

They then contact us asking why this is the case and complain that other ISPs are returning the 
new, and _correct_, information about their domain.

Our staff member does a dig, then waits a day making sure that the TTL reaches 0 and our 
resolvers *should* lookup the latest information. But somewhere it is caching old NS records.

So for, it has already been delegated away to and as shown below:

$ dig any

; <<>> DiG 9.6.1 <<>> any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2437
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;                  IN      ANY

;; AUTHORITY SECTION:
           14400   IN      NS
           14400   IN      NS
           14400   IN      NS
           14400   IN      NS

;; ADDITIONAL SECTION:
 14400  IN      A
 14400  IN      A

;; Query time: 160 msec
;; WHEN: Fri Nov  6 23:39:02 2009
;; MSG SIZE  rcvd: 162

But the dig results I provided previously show something different.

> If you want things in unbound cache to be flushed out earlier
> than the owner intended, you can set cache-max-ttl: 86400
> to a lower value instead of restarting every day.

I had lowered this value previously and still received reports about other domains.

> It could also be a bug where due to a miscalculation inside
> the resolver the TTL becomes -1 (or infinite), but although
> such a bug is fixed recently (in svn trunk) for DNSSEC bogus
> messages, my guess is you are not DNSSEC validating.

Yeah, we're not doing DNSSEC validation just yet (that's on our TODO list). We've had this problem 
with other domains and so I tried using revision 1853.

$ svn info
Path: .
Repository Root:
Repository UUID: be551aaa-1e26-0410-a405-d3ace91eadb9
Revision: 1853
Node Kind: directory
Schedule: normal
Last Changed Author: wouter
Last Changed Rev: 1853
Last Changed Date: 2009-09-26 01:20:29 +1000 (Sat, 26 Sep 2009)

Haw Loeung
Systems Administrator
TPG Internet