outbound-msg-retry definition query

ashok_athukuri · July 11, 2022, 10:51am

Hello All,

As per https://nlnetlabs.nl/documentation/unbound/unbound.conf/

outbound-msg-retry: *<number>*
            The number of retries Unbound will do in case of  a  non  positive
            response is received. If a forward nameserver is used, this is the
            number of retries per forward nameserver in case of throwaway  re-
            sponse.

what is “non positive” response here SERVFAIL or NXDOMAIN or BOTH?

Thanks,
Ashok

Joe_Abley · July 11, 2022, 11:27am

As per https://nlnetlabs.nl/documentation/unbound/unbound.conf/

outbound-msg-retry: *<number>*
            The number of retries Unbound will do in case of  a  non  positive
            response is received. If a forward nameserver is used, this is the
            number of retries per forward nameserver in case of throwaway  re-
            sponse.

what is “non positive” response here SERVFAIL or NXDOMAIN or BOTH?

I have not read the code in this instance but I would normally interpret “non-positive response” to mean “RCODE is not NOERROR”.

(There is a particular kind of response which is considered negative in some circumstances where RCODE == NOERROR and the answer section is empty, but I do not think this is one of those circumstances.)

Joe

jan · July 11, 2022, 1:49pm

Hi all,

I think a non-positive reply is any reply that is not directly related to the DNS query itself. NOERROR and NXDOMAIN are (positive) responses that are directly related, as they answer the query. All other response codes are related to other circumstances, such as network issues, ACLs, misconfigurations, and misformatted packets.

Regards,

Jan.

Joe_Abley · July 11, 2022, 5:18pm

I think a non-positive reply is any reply that is not directly related to the DNS query itself. NOERROR and NXDOMAIN are (positive) responses that are directly related, as they answer the query.

Oh, I agree with that. And a name error is cacheable which in this context surely illustrates that it does not represent a failure to send a query or receive a response.

All other response codes are related to other circumstances, such as network issues, ACLs, misconfigurations, and misformatted packets.

I suppose there's an element of this that depends on the intent and purpose of the query which is not necessarily evident. A query that is sent in order to test an ACL and elicits a REFUSED response might be positive, if your goal is to confirm that the query is blocked. I appreciate that's almost certainly not the intention from the perspective of unbound or its administrator.

Joe

George_Yorgos_Thessa · July 12, 2022, 10:54am

Hi all,

I believe we can improve the text here to read:

"The number of retries Unbound will do in case of timeouts and non usable responses."

Is that more clear?

Btw as already mentioned NXDOMAIN is a usable response that terminates the query.

Best regards,
-- George

Joe_Abley · July 12, 2022, 10:59am

I think it is if "usable query" is also defined

Joe

George_Yorgos_Thessa · July 12, 2022, 1:28pm

How about the text below as a whole?

"The number of retries, per upstream nameserver in a delegation, that Unbound will attempt in case a throwaway response is received. No response (timeout) contributes to the retry counter. If a forward/stub zone is used, this is the number of retries per nameserver in the zone. Default is 5."

Best regards,
-- George