Negative responses get cached even when setting cache-max-negative-ttl: 1
#533
Comments
If I perform these actions, everything works. The first printout shows a 1 second TTL (at step 5), for me.
Thanks for the quick reply!
I've checked, no other config than
Might it be a misunderstanding on my side?
Because the user sends a request to unbound and the unbound service doesn't have the domain cached, so it is forwarding the request to the global DNS - thus creating a 463ms delay. Afterwards on the 2nd
Because the request was served from unbound's cache (on localhost). What I wanted to achieve is for Unbound to not cache the NXDOMAIN response after the 1st
Yes, it should then not cache it. That does not seem to happen, but if I try the option just plainly, it works for me. Something else must be wrong for you? Perhaps you do not query unbound, but another resolver like systemd, or I guessed you could be editing a different config file, because that happened to others.
@wcawijngaards I have narrowed down the root cause, it is happening because of My config initially had:
The current situation is creating a possible "denial of service": in case the forward-zone server is down for a moment it might result in caching of a negative result for at least Better explained here: How long does negative DNS caching typically last? So in conclusion I think
Yes, you are correct. The negative TTL modification should take precedence over the global min and max TTL. Changed the code to do that.
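The root cause the two comments above converge on is an ordering problem: a negative answer's TTL was capped by cache-max-negative-ttl, and then the global cache-min-ttl raised it again. The following is an added example, not Unbound's code and not posted by anyone in this thread: it models the two clamp orders with the unbound.conf(5) option names (cache-min-ttl, cache-max-ttl, cache-max-negative-ttl) and replays the reporter's two-query experiment against a toy message cache. The upstream negative TTL of 3600 s and the 2-second gap between queries are constructed values; the simplified clamp functions are an assumption about the behaviour, not the iterator's real code.

```python
# Added example (not Unbound's code): a model of the TTL-clamping order that
# issue #533 is about. The two clamp functions are a simplification of the
# behaviour described in the thread, not the real iterator code.
from dataclasses import dataclass

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


@dataclass(frozen=True)
class CacheLimits:
    """The relevant unbound.conf(5) options, with their documented defaults."""
    cache_min_ttl: int = 0
    cache_max_ttl: int = 86400
    cache_max_negative_ttl: int = 3600


def is_negative(rcode: int, answer_rrs: int) -> bool:
    """NXDOMAIN, or NOERROR with an empty answer section (NODATA), per RFC 2308."""
    return rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and answer_rrs == 0)


def clamp_buggy(ttl: int, rcode: int, answer_rrs: int, lim: CacheLimits) -> int:
    """Negative cap first, global min/max afterwards: cache-min-ttl can raise
    a capped negative TTL back above cache-max-negative-ttl."""
    if is_negative(rcode, answer_rrs):
        ttl = min(ttl, lim.cache_max_negative_ttl)
    ttl = min(ttl, lim.cache_max_ttl)
    ttl = max(ttl, lim.cache_min_ttl)
    return ttl


def clamp_fixed(ttl: int, rcode: int, answer_rrs: int, lim: CacheLimits) -> int:
    """Global min/max first, negative cap last, so the negative cap always
    wins: the precedence the maintainer describes for the fix."""
    ttl = min(ttl, lim.cache_max_ttl)
    ttl = max(ttl, lim.cache_min_ttl)
    if is_negative(rcode, answer_rrs):
        ttl = min(ttl, lim.cache_max_negative_ttl)
    return ttl


class TinyCache:
    """Minimal message cache keyed by qname, storing (expiry time, rcode)."""

    def __init__(self, clamp, lim: CacheLimits):
        self.clamp = clamp
        self.lim = lim
        self.store = {}

    def lookup(self, qname: str, now: int) -> str:
        entry = self.store.get(qname)
        if entry is not None and entry[0] > now:
            return "HIT"
        return "MISS"

    def insert(self, qname: str, now: int, upstream_ttl: int,
               rcode: int, answer_rrs: int) -> int:
        ttl = self.clamp(upstream_ttl, rcode, answer_rrs, self.lim)
        self.store[qname] = (now + ttl, rcode)
        return ttl


def reproduce(clamp, lim: CacheLimits, seconds_between_queries: int = 2):
    """Query an NXDOMAIN name twice, `seconds_between_queries` apart, with a
    constructed upstream negative TTL of 3600 s. Returns the TTL that was
    cached and whether the second query was served from cache."""
    cache = TinyCache(clamp, lim)
    qname = "www.john.doe."
    if cache.lookup(qname, now=0) != "MISS":
        raise RuntimeError("fresh cache should miss")
    cached_ttl = cache.insert(qname, now=0, upstream_ttl=3600,
                              rcode=RCODE_NXDOMAIN, answer_rrs=0)
    second = cache.lookup(qname, now=seconds_between_queries)
    return cached_ttl, second


if __name__ == "__main__":
    # The reporter's situation: cache-min-ttl: 300 plus cache-max-negative-ttl: 1.
    reporter = CacheLimits(cache_min_ttl=300, cache_max_negative_ttl=1)
    for name, clamp in (("buggy", clamp_buggy), ("fixed", clamp_fixed)):
        print(name, reproduce(clamp, reporter))
```

With cache-min-ttl at its default of 0 the two orders give the same result, which is why the option "works plainly" for the maintainer and only fails once a global minimum is configured; positive answers are still raised to cache-min-ttl under the fixed order.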
* nlnet/master: (118 commits)
  - Fix to add example.conf note for outbound-msg-retry.
  - Implement RFC8375: Special-Use Domain 'home.arpa.'.
  - Fix crosscompile script for the shared build flags.
  - Fix crosscompile windows to use libssp when it exists.
  - For the windows compile script disable gost.
  - Fix that on windows, use BIO_set_callback_ex instead of deprecated
  - Fix crosscompile shell syntax.
  - For crosscompile on windows, detect 64bit stackprotector library.
  - Fix crosscompile on windows to work with openssl 3.0.0 the link with ws2_32 needs -l:libssp.a for __strcpy_chk. Also copy results from lib64 directory if needed.
  - Fix more initialisation errors reported by gcc sanitizer.
  - Fix lock debug code for gcc sanitizer reports.
  - Fix initialisation errors reported by gcc sanitizer.
  - Fix root_anchor test to check with new icannbundle date.
  - Fix for NLnetLabs#41: change outbound retry to int to fix signed comparison warnings.
  - Small fixes for NLnetLabs#41: changelog, conflicts resolved, processQueryResponse takes an iterator env argument like other functions in the iterator, no colon in string for set_option, and some whitespace style, to make it similar to the rest. Changelog entry for NLnetLabs#538
  - Fix NLnetLabs#538: Fix subnetcache statistics. Fix subnetcache statistics
  - Fix tcp fastopen failure when disabled, try normal connect instead.
  - Fix NLnetLabs#533: Negative responses get cached even when setting cache-max-negative-ttl: 1
  - Fix asynclook unit test for setup of lockchecks before log.
  - Fix compile warning in libunbound for listen desetup routine.
  - Fix RPZ locks. Do not unlock zones lock if requested and rpz find zone does not find the zone. Readlock the clientip that is found for ipbased triggers. Unlock the nsdname zone lock when done. Unlock zone and ip in rpz nsip and nsdname callback. Unlock authzone and localzone if clientip found in rpz worker call.
  ...
Describe the bug
Negative responses get cached even when setting cache-max-negative-ttl: 1

To reproduce
Steps to reproduce the behavior:
/etc/resolv.conf
cache-max-negative-ttl: 1
dig www.john.doe
NXDOMAIN
log-queries and log-replies

Expected behavior
As stated in unbound.conf(5):
I expect the cache to end after <seconds>.

System:
unbound -V output:

Additional information
It is happening to me for a while now (from previous versions) and I just finally decided to write an issue about it.
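The reproduction above is two `dig` runs and a look at the TTL, and the maintainer's first suspicion was that the queries were not reaching Unbound at all. The script below is an added example, not part of the issue and not Unbound's code: it drives the same two queries programmatically, parses the fields of dig's default output that matter here (status, query time, the SERVER line and the SOA TTL in the AUTHORITY section, which on a cached reply is the remaining TTL of the cached entry), and classifies the outcome. `run_dig` assumes a BIND 9 `dig` on PATH and, like the reproduction steps, relies on /etc/resolv.conf rather than `@server`, so the SERVER line reveals whether something like systemd-resolved answered instead. The runner is injectable so the check can be exercised offline against constructed dig output; the sample replies are constructed, not captured, and every function and constant name is this example's own.

```python
# Added example (not from the issue or from Unbound): check negative caching
# the way the reproduction steps do, and confirm which server actually replied.
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DigResult:
    status: str             # e.g. NXDOMAIN
    query_ms: int           # ";; Query time:" line
    server: str             # ";; SERVER:" line, e.g. 127.0.0.1#53(127.0.0.1)
    soa_ttl: Optional[int]  # TTL of the AUTHORITY-section SOA, if present


def parse_dig(text: str) -> DigResult:
    """Extract the fields we care about from dig's default output."""
    status = re.search(r"status: (\w+)", text).group(1)
    query_ms = int(re.search(r"Query time: (\d+) msec", text).group(1))
    server = re.search(r"SERVER: (\S+)", text).group(1)
    # The SOA in the authority section carries the negative TTL (RFC 2308);
    # on a cached reply it shows the remaining TTL of the cached entry.
    m = re.search(r"^\S+\s+(\d+)\s+IN\s+SOA\b", text, re.MULTILINE)
    return DigResult(status, query_ms, server, int(m.group(1)) if m else None)


def run_dig(qname: str) -> str:
    """Real runner: no @server, so resolution goes via /etc/resolv.conf."""
    return subprocess.run(["dig", qname], capture_output=True,
                          text=True, check=True).stdout


def check_negative_caching(qname: str, expected_server: str = "127.0.0.1",
                           max_negative_ttl: int = 1,
                           run: Callable[[str], str] = run_dig) -> str:
    """Query twice and classify the result:
    'wrong-server'     the reply did not come from expected_server
                       (e.g. systemd-resolved at 127.0.0.53 answered instead)
    'not-negative'     the name did not return NXDOMAIN
    'cached-too-long'  the second reply's SOA TTL exceeds cache-max-negative-ttl
    'ok'               otherwise"""
    first = parse_dig(run(qname))
    second = parse_dig(run(qname))
    if not first.server.startswith(expected_server + "#"):
        return "wrong-server"
    if first.status != "NXDOMAIN":
        return "not-negative"
    if second.soa_ttl is not None and second.soa_ttl > max_negative_ttl:
        return "cached-too-long"
    return "ok"


# Constructed dig output (not captured from a real run), shaped like the
# reporter's two queries for www.john.doe.
def _reply(ms: int, soa_ttl: int, server: str = "127.0.0.1#53(127.0.0.1)") -> str:
    return (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242\n"
        ";; AUTHORITY SECTION:\n"
        f".\t\t{soa_ttl}\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. "
        "1 1800 900 604800 86400\n"
        f";; Query time: {ms} msec\n"
        f";; SERVER: {server}\n"
    )


SAMPLE_BUGGY = [_reply(463, 300), _reply(0, 298)]       # min-ttl raised the cap
SAMPLE_FIXED = [_reply(463, 1), _reply(0, 1)]           # cap of 1 s honoured
SAMPLE_SYSTEMD = [_reply(0, 300, "127.0.0.53#53(127.0.0.53)"),
                  _reply(0, 298, "127.0.0.53#53(127.0.0.53)")]


def replay(replies: List[str]) -> Callable[[str], str]:
    """Build a runner that returns the constructed replies in order."""
    it = iter(replies)
    return lambda qname: next(it)


if __name__ == "__main__":
    for label, sample in (("buggy", SAMPLE_BUGGY), ("fixed", SAMPLE_FIXED),
                          ("systemd", SAMPLE_SYSTEMD)):
        print(label, check_negative_caching("www.john.doe", run=replay(sample)))
    # Against a live resolver: check_negative_caching("www.john.doe")
```

The SOA TTL is the more reliable signal than the query time the reporter compared: with a 1 s cap, two back-to-back queries can both legitimately be answered from cache, whereas a TTL in the hundreds on a name that should be capped at 1 s is unambiguous.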