HI!
Thanks for developing unbound.
Normally unbound gives me no headache at all. So my unbound debugging
skills are zero.
I currently see problems resolving domain yahoodns.net through unbound.
It perfectly works with PowerDNS recursor.
Am I the only one seeing this issue?
Many thanks in advance.
Ciao, Michael.
---------------------- snip ----------------------
With unbound 1.10.0:
$ host -t ns yahoodns.net. 10.1.1.25
Using domain server:
Name: 10.1.1.25
Address: 10.1.1.25#53
Aliases:
Host yahoodns.net. not found: 3(NXDOMAIN)
Seems no:
# dig yahoodns.net
; <<>> DiG 9.11.8 <<>> yahoodns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;yahoodns.net. IN A
;; AUTHORITY SECTION:
yahoodns.net. 3600 IN SOA hidden-master.yahoo.com. hostmaster.yahoo-inc.com. 2020041604 3600 900 604800 600
;; Query time: 964 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 21 19:57:46 +06 2020
;; MSG SIZE rcvd: 121
Same shame.
21.04.2020 19:46, Michael Ströder via Unbound-users wrote:
a message of 43 lines which said:
Am I the only one seeing this issue?
Yes
My Unbound has no problem.
% dig NS yahoodns.net
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> NS yahoodns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12877
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 36e307658f7303dfc1ca2a965e9efdd2bca1f2ef71008c37 (good)
;; QUESTION SECTION:
;yahoodns.net. IN NS
;; ANSWER SECTION:
yahoodns.net. 93412 IN NS ns4.yahoo.com.
yahoodns.net. 93412 IN NS ns5.yahoo.com.
yahoodns.net. 93412 IN NS ns1.yahoo.com.
yahoodns.net. 93412 IN NS ns2.yahoo.com.
yahoodns.net. 93412 IN NS ns3.yahoo.com.
;; ADDITIONAL SECTION:
ns1.yahoo.com. 164424 IN A 68.180.131.16
ns2.yahoo.com. 61959 IN A 68.142.255.16
ns3.yahoo.com. 132058 IN A 27.123.42.42
ns4.yahoo.com. 216224 IN A 98.138.11.157
ns5.yahoo.com. 78031 IN A 202.165.97.53
ns1.yahoo.com. 86197 IN AAAA 2001:4998:130::1001
ns2.yahoo.com. 61037 IN AAAA 2001:4998:140::1002
ns3.yahoo.com. 1597 IN AAAA 2406:8600:f03f:1f8::1003
ns5.yahoo.com. 86197 IN AAAA 2406:2000:ff60::53
;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 21 16:06:10 CEST 2020
;; MSG SIZE rcvd: 573
Which version are you running?
Ciao, Michael.
Likely it's not only unbound's fault:
$ zonemaster-cli yahoodns.net
Seconds Level Message
======= ========= =======
21.71 NOTICE Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond to NS query.
71.99 ERROR Nameserver ns5.yahoo.com/2406:2000:ff60::53 not accessible over UDP on port 53.
82.01 ERROR Nameserver ns1.yahoo.com/2001:4998:130::1001 not accessible over TCP on port 53.
92.02 ERROR Nameserver ns1.yahoo.com/68.180.131.16 not accessible over TCP on port 53.
116.30 ERROR Nameserver ns5.yahoo.com/202.165.97.53 not accessible over TCP on port 53.
126.32 ERROR Nameserver ns5.yahoo.com/2406:2000:ff60::53 not accessible over TCP on port 53.
129.73 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.73 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.76 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.76 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.79 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.79 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.82 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
129.82 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
130.33 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
130.34 WARNING Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond.
130.39 NOTICE There are neither DS nor DNSKEY records for the zone.
130.40 NOTICE The zone is not signed with DNSSEC.
130.83 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for xn--nameservertest.iis.se.
130.83 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for xn--nameservertest.icann.org.
130.84 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for xn--nameservertest.ripe.net.
144.36 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
180.59 NOTICE Nameserver ns5.yahoo.com/2406:2000:ff60::53 dropped AAAA query.
189.73 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
195.88 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
196.39 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
196.81 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
197.48 WARNING No response from ns5.yahoo.com/2406:2000:ff60::53 asking for yahoodns.net.
198.35 NOTICE SOA 'mname' nameserver (hidden-master.yahoo.com) is not listed in "parent" NS records for tested zone (ns1.yahoo.com;ns2.yahoo.com;ns3.yahoo.com;ns4.yahoo.com;ns5.yahoo.com).
198.35 NOTICE SOA 'refresh' value (3600) is less than the recommended one (14400).
198.36 NOTICE SOA 'retry' value (900) is less than the recommended one (3600).
$ kdig version.bind. txt ch +short
"unbound 1.10.0"
but even a cold cache finds the expected data here:
# killall unbound ; sleep 1 ; kdig yahoodns.net. ns +short
ns4.yahoo.com.
ns5.yahoo.com.
ns1.yahoo.com.
ns3.yahoo.com.
ns2.yahoo.com.
Andreas
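Added example, not part of the original thread: one way to condense the zonemaster-cli report quoted above into a per-address view of which transports failed, so a resolver operator can see at a glance which authoritative addresses are dead and which only fail over TCP. The sample lines are copied from the report above; the function names are made up for this example.

```python
import re
from collections import defaultdict

# Sample input: a subset of the zonemaster-cli lines quoted in the thread above.
SAMPLE = """\
  21.71 NOTICE    Nameserver ns5.yahoo.com/2406:2000:ff60::53 did not respond to NS query.
  71.99 ERROR     Nameserver ns5.yahoo.com/2406:2000:ff60::53 not accessible over UDP on port 53.
  82.01 ERROR     Nameserver ns1.yahoo.com/2001:4998:130::1001 not accessible over TCP on port 53.
  92.02 ERROR     Nameserver ns1.yahoo.com/68.180.131.16 not accessible over TCP on port 53.
 116.30 ERROR     Nameserver ns5.yahoo.com/202.165.97.53 not accessible over TCP on port 53.
 126.32 ERROR     Nameserver ns5.yahoo.com/2406:2000:ff60::53 not accessible over TCP on port 53.
 130.40 NOTICE    The zone is not signed with DNSSEC.
"""

# "<seconds> <LEVEL> <message>" as printed by zonemaster-cli in the thread.
LINE = re.compile(r"^\s*[\d.]+\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
UNREACHABLE = re.compile(
    r"Nameserver (?P<ns>[^/\s]+)/(?P<addr>\S+) "
    r"not accessible over (?P<proto>UDP|TCP) on port 53"
)


def unreachable_transports(report):
    """Map (nameserver, address) -> set of transports reported not accessible."""
    failed = defaultdict(set)
    for raw in report.splitlines():
        line = LINE.match(raw)
        if not line or line["level"] != "ERROR":
            continue  # only ERROR lines carry the reachability verdict
        hit = UNREACHABLE.search(line["msg"])
        if hit:
            failed[(hit["ns"], hit["addr"])].add(hit["proto"])
    return dict(failed)


def fully_dead(failed):
    """Addresses reported unreachable over both UDP and TCP."""
    return sorted(a for (_, a), p in failed.items() if p == {"UDP", "TCP"})


def tcp_only_failures(failed):
    """Addresses reported unreachable over TCP only; a truncated (TC=1)
    UDP answer cannot be retried over TCP against these."""
    return sorted(a for (_, a), p in failed.items() if p == {"TCP"})


if __name__ == "__main__":
    failed = unreachable_transports(SAMPLE)
    print("no UDP and no TCP:", fully_dead(failed))
    print("TCP only:", tcp_only_failures(failed))
```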
I haven't looked at this particular issue at all, but in the past I have seen individual nameservers that are authoritative for particular zones drop in and out during periods of high traffic or instability (e.g. attack, routing oscillations, flash crowds, other issues).
The stock configuration of the unbound packages I have used over the years has seemed to me to be quite aggressive at penalising nameservers that are unavailable to avoid repeated queries; I have definitely seen examples where all the nameservers for a particular domain are penalised simultaneously because they have been individually unavailable during a short period, even though there had not been a time where all of the nameservers were unavailable simultaneously (to the extent that I could tell).
This observation is highly anecdotal and not supported by data but I thought I'd mention it anyway
Joe
I fully agree. I've had the same experiences but can't translate them so I didn't raise my hand before...
Andreas