From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: Prevent Unbound from penalty upstream server
To:
"Kirill A. Korinsky" <kirill@korins.ky>
Cc:
OpenBSD tech <tech@openbsd.org>
Date:
Fri, 10 May 2024 14:53:11 +0100

I'd like to wait until the discussion with upstream goes further before
making any changes to the default config.


On 2024/05/10 14:23, Kirill A. Korinsky wrote:
> tech@,
> 
> I'd like to offer a change in unbound default settings that prevents Unbound
> from penalizing an upstream server for up to 24h.
> 
> Here is a long discussion about such behaviour [1] and here is the comment [2]
> where one of the Unbound developers explains that behaviour.
> 
> The suggested changes switch off that "feature" and force Unbound to try
> to reach an upstream server for each request, which seems like the expected
> behaviour for a DNS resolver.
> 
> Footnotes:
> [1]  https://github.com/NLnetLabs/unbound/issues/362
> 
> [2]  https://github.com/NLnetLabs/unbound/issues/362#issuecomment-2079235443
> 
> diff --git etc/unbound.conf etc/unbound.conf
> index b33c099d70f..c406d683d33 100644
> --- etc/unbound.conf
> +++ etc/unbound.conf
> @@ -29,6 +29,19 @@ server:
>  	#
>  	aggressive-nsec: yes
>  
> +	# Unbound penalizes the upstream server for up to 24 hours if it is
> +	# not responding particularly well. When it happens, Unbound returns
> +	# SERVFAIL for every request to that upstream server.
> +	# Here we disable this feature and set the timeout between
> +	# attempts to reach the upstream server between 2 and 15 seconds,
> +	# but make no more than 16 attempts to reach the upstream server
> +	# before returning SERVFAIL.
> +	# See: https://github.com/NLnetLabs/unbound/issues/362
> +	infra-keep-probing: yes
> +	outbound-msg-retry: 16
> +	infra-cache-min-rtt: 2000
> +	infra-cache-max-rtt: 15000
> +
>  	# Serve zones authoritatively from Unbound to resolver clients.
>  	# Not for external service.
>  	#
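Review bot: the comment block above the new options describes infra-cache-min-rtt / infra-cache-max-rtt as "the timeout between attempts to reach the upstream server between 2 and 15 seconds", but these two options are the lower and upper bounds on the retransmit timeout Unbound derives per upstream from measured RTT, so a 2000 ms floor also means a single lost packet to an otherwise fast upstream is not retried for at least 2 s. Combined with `outbound-msg-retry: 16` and a 15 s ceiling, one query can stay outstanding for minutes against a genuinely dead upstream before the client sees SERVFAIL. Suggest stating that latency trade-off in the comment (or keeping the floor closer to the default), and saying explicitly that `infra-keep-probing: yes` is the setting that stops the 24h backoff described in issue 362, while the other three lines only tune retry timing.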
> 
> 
> -- 
> wbr, Kirill
>