Caching issue in Unbound

[baknu]

Mail from @gthess on 18th of December:

It is a cached record indeed. In dev, where there was no cache for that
domain DNNSEC succeeds.
Something is wrong between celery and libunbound and the maximum ttl
setting is not honored. I didn't have time to look into why it but I
have a quick fix for now; can be deployed with the new release.

[dennisbaaten]

Earlier this week, one of our users experienced an issue where the API and the website gave a different result when running the DNSSEC test. The API was giving the wrong result, stating that the domain did not use DNSSEC. After approximately 24 hours the problem disappeared and result of the DNSSEC test on the API and the website were equal again; DNSSEC was installed just fine.

For users this is quite misleading and in cases where the API is trusted to give correct results.

I'm wondering; what is the temporary fix? And how and when will this issue be fixed permanently?

[gthess]

This seems to be an issue with celery and libunbound running on threaded mode.
The temporary solution is to not use the threaded mode. This could also be the permanent solution unless further investigation shows something else.

[baknu]

Ok, what is the downside of disabling threaded mode? Performance loss?

[gthess]

Theoretically, yes.
Technically, maybe; it depends on the OS and the CPU.
In reality for internet.nl, no. Even if there is performance loss it won't be noticeable with everything else that is going on.

[rik-openweb]

Hi, I'm the users who mentioned this issue. Can this only happen for DNSSEC tests? Or can we expect similar issues for all testcategories because the environments are different? And do you happen to have a definitive release date yet?

[gthess]

Hi, this affects DNS records in general. We configure the maximum allowed TTL in the cache to be the same as the test duration, so that when a new test starts new records will be resolved.

The bug results in the configured maximum TTL for cached records to not be honored and the default is then to keep records as long as their TTL entails.

The difference in the environments was because one environment had already cached records (and used those old ones for the test), while the other environment didn't have anything in the cache and used the freshly resolved records.

Release is going to be in 2 steps. Firstly the internet.nl website is going to be updated and at a later date the batch environment will be updated. We don't have a definitive release date that we want to advertise yet, but we are close.

[rik-openweb]

Alright. How can we stay informed of the release date?

[baknu]

This was fixed in v1.3.0: https://github.com/internetstandards/Internet.nl/releases/tag/v1.3.0