Bug 1193 - unbound didn't send OPT for more than 3 hours for all queries
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.4.20
Hardware: x86_64 Linux
Importance: P5 major
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2016-12-22 08:24 CET by Colin Zhang
Modified: 2016-12-26 08:15 CET
Description Colin Zhang 2016-12-22 08:24:21 CET
Hi, Unbound team,

Unbound was used in the same way mentioned in "Bug 715" (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=715).

The DNS query will go through: client -> unbound -> external DNS.
The clients always include OPT with the "DO bit" set to 0, and unbound will update it to 1 (refer to the example at the end).

We have an observation that unbound didn't send DNS queries with OPT for more than 3 hours for all domains, but the OPT was included before and after this 3+ hour period.

Is this expected? What's the logic here to control when to include OPT?

e.g.
a) client->unbound:

Frame 10906: 120 bytes on wire (960 bits), 120 bytes captured (960 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 33461 (33461), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 10925]
    Transaction ID: 0xafe4
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 8192
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0


b) unbound->DNS server:

Frame 10909: 120 bytes on wire (960 bits), 120 bytes captured (960 bits)
Linux cooked capture
User Datagram Protocol, Src Port: 45692 (45692), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x4a75
    Flags: 0x0110 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
Comment 1 Ralph Dolmans 2016-12-22 11:53:26 CET
Hi,

Unbound has a fallback mechanism to send queries without OPT record when it detects that upstream only properly answers to queries without EDNS. This might be because upstream drops queries containing EDNS, or because it answers with FORMERR or NOTIMP.

Regards,
-- Ralph
Comment 2 Colin Zhang 2016-12-22 13:42:33 CET
Yes, got a FORMERR, then unbound tried again w/o OPT.

When will unbound add OPT again? Or won't it add that after one failure?

Thanks Ralph!
Comment 3 Ralph Dolmans 2016-12-23 16:04:58 CET
Hi Colin,

The hosts' EDNS support is stored in the infra cache. Unbound will try again with EDNS when the host is expired from cache. This is 15 minutes by default and configurable using infra-host-ttl.

Regards,
-- Ralph
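As an added illustration of the behaviour Ralph describes in comments 1 and 3 (this is a model written for this page, not Unbound's own code): an EDNS query answered with FORMERR or NOTIMP puts the upstream into a "send no OPT" state that expires after infra-host-ttl, after which the next query probes with EDNS again. The `fake_reply` header builder and the upstream address `198.51.100.1` are constructed for the example.

```python
import struct

INFRA_HOST_TTL = 900        # Unbound's default infra-host-ttl (15 min), per comment 3
FORMERR, NOTIMP = 1, 4      # RCODEs that trigger the no-EDNS fallback, per comment 1
UPSTREAM = "198.51.100.1"   # placeholder upstream address (TEST-NET-2), constructed


def rcode_of(reply: bytes) -> int:
    """Return the RCODE: the low 4 bits of the FLAGS word in the 12-byte DNS header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", reply[2:4])[0] & 0x0F


def fake_reply(rcode: int, txid: int = 0x4A75) -> bytes:
    """Constructed header-only response (QR=1, RD=1, RA=1, QDCOUNT=1) for testing."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)


class InfraCache:
    """Per-upstream 'send no OPT' marker that expires after the infra TTL.
    A simplified model of the infra-cache behaviour described in the thread."""

    def __init__(self, ttl: int = INFRA_HOST_TTL):
        self.ttl = ttl
        self._no_edns_until = {}  # upstream -> time at which the marker expires

    def wants_edns(self, upstream: str, now: float) -> bool:
        expiry = self._no_edns_until.get(upstream)
        if expiry is not None and now < expiry:
            return False  # still in fallback: omit the OPT record
        self._no_edns_until.pop(upstream, None)  # expired: probe with EDNS again
        return True

    def note_reply(self, upstream: str, reply: bytes, sent_edns: bool, now: float):
        """Enter fallback when a query sent with OPT came back FORMERR or NOTIMP."""
        if sent_edns and rcode_of(reply) in (FORMERR, NOTIMP):
            self._no_edns_until[upstream] = now + self.ttl


def simulate(rcodes, interval: float, ttl: int = INFRA_HOST_TTL):
    """One query every `interval` seconds; rcodes[i] is the upstream's answer to
    query i. Returns, per query, whether it was sent with an OPT record."""
    cache, sent_with_opt = InfraCache(ttl), []
    for i, rc in enumerate(rcodes):
        now = i * interval
        edns = cache.wants_edns(UPSTREAM, now)
        sent_with_opt.append(edns)
        cache.note_reply(UPSTREAM, fake_reply(rc), edns, now)
    return sent_with_opt
```

Against an upstream that keeps answering FORMERR, the model carries OPT only on one probe per infra-host-ttl (12 of 180 queries at one per minute over 3 hours), so nearly every query in such a window goes out without it.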
Comment 4 Colin Zhang 2016-12-26 08:15:40 CET
Thanks Ralph!
We didn't reset infra-host-ttl, so it should be 15 minutes.
Are there any other factors that will impact "the host is expired from cache", since we didn't see it in all requests for more than 3 hours?