[Unbound-users] Resolve failures when using forwarders that do recursion
wouter at nlnetlabs.nl
Tue Jan 28 15:44:52 CET 2014
I have implemented a completely different option; does that meet your
needs? It is called delay-close: msec. If you set e.g. delay-close:
1500, then when a UDP socket times out that port is kept open for 1500
msec afterwards. Meanwhile unbound continues (but a socket is still
in use) as normal.
Only the right ID, IP addr is accepted on that port; bad packets are
added to the unwanted_replies counter. The right ID, IP also closes
This keeps ports open for a little while longer, without impacting the
rest of unbound.
Do you like this option, or do you (also-) want me to accept your patch?
On 01/07/2014 09:08 AM, W.C.A. Wijngaards wrote:
> Hi Florian,
> On 01/07/2014 08:52 AM, Florian Riehm wrote:
>>> Please have a look at the attached patch. It adds a new config
>>> option 'infra-cache-min-rtt' which makes the former constant
>>> value of RTT_MIN_TIMEOUT adjustable. This gives the user the
>>> opportunity to choose a reasonable retransmit timeout value.
>> Hi Wouter,
>> I'm still thinking about the problem with the infra cache
>> timeouts with forwarders. I would like to ask you about your
>> opinion of a 'right' solution for the problem. I guess adding a
>> config option (see my patch) is kind of a hack, but I don't see any
>> other solution at the moment.
>> Actually I was thinking about this idea: After a timeout unbound
>> could reuse the port and query id in the second query. Then we could
>> still accept the first reply after the second query was sent.
>> Reusing the port and query id will avoid security problems with the
>> Kaminsky attack. But this solution works only if the second query
>> gets sent to the same server as the first. In most cases people
>> use >1 global forwarders, so it won't work. So I guess it's too
>> much work to implement this behavior if it doesn't fix the
>> problem in all cases.
>> Do you have any other suggestions for how we could fix this problem?
>> Have you any considerations about my patch with the
>> infra-cache-min-rtt option?
> So, the same fix as the min-rtt option, but then conditional on
> the recursiveness of the target. So, if unbound sends a packet to
> a destination that is recursive, it uses the timeout of 1000 msec
> for it. This gives the recursive destination the time to perform
> the recursion before a retry.
> However this conflicts with the desire for unbound to poll a
> second recursive server, just to see if this query is in cache for
> that server, and come back to the first one later (on a later
> reprobe); this is the current behaviour.
> Best regards, Wouter
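The delay-close behaviour described at the top of the thread (keep the timed-out UDP port open for a while, accept only a reply whose ID and source address match the outstanding query, count everything else as unwanted) can be modelled in a few lines. The following is an added illustration written for this page, not Unbound's own code: the class `DelayCloseTracker`, its method names, and the simulated timeline in `simulate()` are all constructed for the example, and the clock is a plain float so it runs offline without real sockets or sleeps.

```python
from dataclasses import dataclass


@dataclass
class LingeringPort:
    """A UDP port whose query timed out but which stays open a little longer."""
    qid: int        # DNS message ID that was sent from this port
    server: str     # address the query was sent to
    deadline: float # seconds (virtual clock) after which the port is really closed


class DelayCloseTracker:
    """Hypothetical model of a delay-close style policy.

    After a UDP query times out, the port is kept for `delay_close_ms`.
    Only a reply with the right (ID, source address) pair is accepted
    during that window; any other packet bumps `unwanted_replies`.
    """

    def __init__(self, delay_close_ms: int) -> None:
        self.delay_close = delay_close_ms / 1000.0
        self.lingering: dict[int, LingeringPort] = {}  # port -> entry
        self.unwanted_replies = 0
        self.late_answers = 0

    def on_timeout(self, port: int, qid: int, server: str, now: float) -> None:
        """The query sent from `port` timed out; keep the port open for a while."""
        self.lingering[port] = LingeringPort(qid, server, now + self.delay_close)

    def on_packet(self, port: int, qid: int, source: str, now: float) -> str:
        """Classify a packet arriving on `port`; returns 'closed', 'late-answer' or 'unwanted'."""
        entry = self.lingering.get(port)
        if entry is None or now >= entry.deadline:
            # Port was never lingering, or its grace period has passed.
            self.lingering.pop(port, None)
            return "closed"
        if qid == entry.qid and source == entry.server:
            # The right ID and IP also closes the port.
            del self.lingering[port]
            self.late_answers += 1
            return "late-answer"
        # Wrong ID or wrong source: mismatched reply, counted and dropped.
        self.unwanted_replies += 1
        return "unwanted"

    def expire(self, now: float) -> int:
        """Close every lingering port whose grace period has ended; return how many remain."""
        for port in [p for p, e in self.lingering.items() if now >= e.deadline]:
            del self.lingering[port]
        return len(self.lingering)


def simulate() -> tuple[DelayCloseTracker, list[str]]:
    """Constructed timeline: delay-close of 1500 msec, two timed-out ports."""
    tracker = DelayCloseTracker(delay_close_ms=1500)
    forwarder = "192.0.2.53"      # constructed documentation address
    stranger = "198.51.100.9"     # constructed; not the server we asked

    tracker.on_timeout(port=40000, qid=0x1234, server=forwarder, now=0.0)
    tracker.on_timeout(port=40001, qid=0x5678, server=forwarder, now=0.5)

    events = [
        # wrong ID from the right server: unwanted
        tracker.on_packet(40000, qid=0x9999, source=forwarder, now=0.3),
        # right ID from the wrong source: unwanted
        tracker.on_packet(40000, qid=0x1234, source=stranger, now=0.4),
        # the real late answer: accepted, port closed
        tracker.on_packet(40000, qid=0x1234, source=forwarder, now=0.8),
        # anything after that hits a closed port
        tracker.on_packet(40000, qid=0x1234, source=forwarder, now=0.9),
        # port 40001 gets its answer only after the 1500 msec window
        tracker.on_packet(40001, qid=0x5678, source=forwarder, now=2.1),
    ]
    tracker.expire(now=2.1)
    return tracker, events


if __name__ == "__main__":
    t, ev = simulate()
    print(ev, "unwanted:", t.unwanted_replies, "late:", t.late_answers,
          "still open:", len(t.lingering))
```

The point of the model is the second branch of `on_packet`: during the grace window the port is not a free target for arbitrary packets, because only the exact (ID, source) pair of the outstanding query is honoured and everything else is merely counted. The `unwanted_replies` counter is the value a monitoring setup would watch; a sustained rise in it while delay-close is enabled is worth investigating rather than ignoring.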