[Unbound-users] Resolve failures when using forwarders that do recursion

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Jan 28 15:44:52 CET 2014


Hi Florian,

I have implemented a completely different option, does that meet your
needs?  It is called delay-close: msec.  If you set e.g. delay-close:
1500, then when a UDP socket times out that port is kept open for 1500
msec afterwards.  Meanwhile unbound continues (but a socket is still
in use) as normal.

Only the right ID, IPaddr is accepted on that port; bad packets are
added to the unwanted_replies counter.  The right ID,IP also closes
the port.

This keeps ports open for a little while longer, without impacting the
rest of unbound.

Do you like this option, or do you (also-) want me to accept your patch?

Best regards,

On 01/07/2014 09:08 AM, W.C.A. Wijngaards wrote:
> Hi Florian,
> On 01/07/2014 08:52 AM, Florian Riehm wrote:
>>> Hi,
>>> Please have a look to the attached patch. It adds a new config 
>>> option 'infra-cache-min-rtt' which makes the former constant 
>>> value of RTT_MIN_TIMEOUT adjustable. This gives the user the 
>>> opportunity to choose a reasonable retransmit timeout value.
>> Hi Wouter,
>> I'm still thinking about the problem with the infra cache
>> timeouts with forwarders. I would like to ask you about your
>> opinion of a 'right' solution for the problem. I guess adding a
>> config option (see my patch) is kind of a hack, but I don't see any
>> other solution at the moment.
>> Actually I was thinking about this idea: After a timeout unbound 
>> could reuse port and query id in the second query. Then we could 
>> accept the first reply still after the second query was sent.
>> Reusing port and query id will avoid security problems with the
>> Kaminsky attack. But this solution works only if the second query
>> gets sent to the same server as the first. In most cases people
>> use >1 global forwarders, so it won't work. So I guess it's too
>> much work to implement this behavior if it doesn't fix the
>> problem in all cases.
>> Have you any other suggestions how we could fix this problem?
>> Have you any considerations about my patch with the
>> infra-cache-min-rtt option?
> So, the same fix as the min-rtt option, but then conditional on
> the recursiveness of the target.  So, if unbound sends a packet to
> a destination that is recursive, it uses the timeout of 1000 msec
> for it.  This gives the recursive destination the time to perform
> the recursion before a retry.
> However this conflicts with the desire for unbound to poll a
> second recursive server, just to see if this query is in cache for
> that server.  And come back to the first one later (on a later
> reprobe), (this is the current behaviour).
> Best regards, Wouter
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
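As an added illustration (not part of this mail and not unbound's own code), the following is a constructed model of the delay-close behaviour described above: a timed-out port is kept in a delay state for delay-close msec, a reply is accepted there only if both the DNS ID and the source address match the original query, anything else increments unwanted_replies, and the matching reply itself closes the port. Port numbers, IDs and addresses in the usage are made-up sample values.

```python
class DelayCloseTable:
    """Constructed model of delay-close (not unbound's implementation).
    Times are plain integer milliseconds supplied by the caller."""

    def __init__(self, delay_close_ms, now_ms=0):
        self.delay_close_ms = delay_close_ms
        self.now_ms = now_ms
        self.pending = {}   # port -> (query_id, server_ip, deadline_ms)
        self.delayed = {}   # port -> (query_id, server_ip, close_at_ms)
        self.unwanted_replies = 0   # mismatched ID or source, as in unbound's counter
        self.late_accepted = 0      # replies rescued by the delay-close window

    def send(self, port, query_id, server_ip, timeout_ms):
        """Record an outgoing UDP query on `port` with its retry timeout."""
        self.pending[port] = (query_id, server_ip, self.now_ms + timeout_ms)

    def tick(self, now_ms):
        """Advance the clock: timed-out queries move to the delay-close
        state, and ports whose delay has elapsed are finally closed."""
        self.now_ms = now_ms
        for port, (qid, ip, deadline) in list(self.pending.items()):
            if now_ms >= deadline:
                del self.pending[port]
                self.delayed[port] = (qid, ip, now_ms + self.delay_close_ms)
        for port, (_, _, close_at) in list(self.delayed.items()):
            if now_ms >= close_at:
                del self.delayed[port]

    def receive(self, port, reply_id, src_ip):
        """Classify an incoming packet: 'accepted', 'late', 'unwanted' or 'closed'."""
        if port in self.pending:
            qid, ip, _ = self.pending[port]
            if (qid, ip) == (reply_id, src_ip):
                del self.pending[port]
                return "accepted"
            self.unwanted_replies += 1
            return "unwanted"
        if port in self.delayed:
            qid, ip, _ = self.delayed[port]
            if (qid, ip) == (reply_id, src_ip):
                del self.delayed[port]       # the right ID,IP also closes the port
                self.late_accepted += 1
                return "late"
            self.unwanted_replies += 1       # wrong ID or wrong source on an open port
            return "unwanted"
        return "closed"                      # port no longer open; packet is dropped


if __name__ == "__main__":
    t = DelayCloseTable(delay_close_ms=1500)
    t.send(port=40000, query_id=0x1234, server_ip="10.0.0.1", timeout_ms=500)
    t.tick(600)                                  # query timed out, port kept open
    print(t.receive(40000, 0x9999, "10.0.0.1"))  # unwanted (wrong ID)
    print(t.receive(40000, 0x1234, "10.0.0.1"))  # late (forwarder finished recursion)
```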


