Maintained by: NLnet Labs

[Unbound-users] Unbound recursing and broken NS in RRSET.

Sander Smeenk
Tue Mar 6 15:50:01 CET 2012


I'm running Unbound 1.4.6 on Linux for my recursing needs. It came to my
attention that this Unbound does not even answer(!) queries for domains
which have at least one malfunctioning NS in their NS RRSET.

In this case it's all about recursing ''.
Please keep in mind that is running DNSSEC enabled.
My Unbound is configured to do DNSSEC verification.

Unfortunately (:P) the situation seems all normal now, all listed
nameservers seem to be responding, making this issue a tad bit harder
to reproduce.

The domain '' currently has four nameservers listed:
|     28800   IN  NS
|     28800   IN  NS
|     28800   IN  NS
|     28800   IN  NS

Subdomain '' has its own NS RRSET,
geo[123], these seem to work just fine.

From what I've seen, from time-to-time, seems not to
respond to queries which in turn makes recursing ''
(with no DNS cache) malfunction with Unbound like so:

| [sanders at haze:~] % dig
| ; <<>> DiG 9.8.1-P1 <<>>
| ;; global options: +cmd
| ;; connection timed out; no servers could be reached
(I would expect SERVFAIL, at least)

At the same time a BIND9 server does not seem to have any real problems
recursing the query, it just takes a little longer for the answer to
appear as it seems to skip over the not-responding host.

I found that after the neg. cache ttl expires, sometimes Unbound *is*
able to resolve the domain. This all seems to depend on what NS is first
in the RRSET returned for ''.

Friends on IRC comment that this behaviour (broken recursing with one
malfunctioning nameserver in a larger RRSET) is seen more and more,
also across different recursors...

I skimmed through RFCs 1912, 2182, 1034 and 1035 but could not really
find the proposed way to handle situations like the above.

Could someone please comment on this?

| One tequila, two tequila, three tequila, floor.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2