Unbound returning unvalidated responses briefly on startup?

Without any kind of python module, we are seeing unbound returning
unvalidated answers on startup briefly.

We can reproduce this using:

service unbound stop
service unbound start
dig +dnssec nohats.ca

The first dig will not have the AD bit set, but does return the answer.

Why does this happen? How can we prevent this from happening?

Paul

Paul Wouters:

service unbound start
dig +dnssec nohats.ca

Paul,

I could not reproduce unvalidated answers using unbound-1.4.21.
Empty cache, first dig takes 800ms. Second dig answered from cache, 2 ms;
both have AD bit set.

Andreas

Is that on a colocated machine? Or a slower DSL/cable modem box. I have
a feeling it works fine on well-connected machines, but pops up on
machines on slow/bad links.

Paul

Hoi Paul,

service unbound start
dig +dnssec nohats.ca

Paul,

I could not reproduce unvalidated answers using unbound-1.4.21.
Empty cache, first dig takes 800ms. Second dig answered from
cache, 2 ms; both have AD bit set.

Is that on a colocated machine? Or a slower DSL/cable modem box. I
have a feeling it works fine on well-connected machines, but pops
up on machines on slow/bad links.

Paul, can you replicate this with verbosity high (4 or 5)? Unbound
should not do this (I am quick to point out, but it was obvious).
Something is wrong, obviously; could it be that you have two
nameservers and that your stub falls back to the second DNS server
(not this unbound) that does not perform validation?

Best regards,
   Wouter

Paul Wouters:

Is that on a colocated machine? Or a slower DSL/cable modem box. I have
a feeling it works fine on well-connected machines, but pops up on
machines on slow/bad links.

Tested on 100 MBit eth0 but also on a slow DSL box.
I got a validated response after 2.8s for the first request after starting unbound.

Andreas