From: Stuart Henderson Subject: Re: Prevent Unbound from penalty upstream server To: "Kirill A. Korinsky" Cc: OpenBSD tech Date: Fri, 10 May 2024 14:53:11 +0100 I'd like to wait until the discussion with upstream goes further before making any changes to the default config. On 2024/05/10 14:23, Kirill A. Korinsky wrote: > tech@, > > I'd like to offer a change in unbound default settings that prevents Unbound > from penalty an upstream server for up to 24h. > > Here a long discussion about such behaviour [1] and here the comment [2] > where one of Unbound developer explains that behaviour. > > Suggested changes switched off that "feature", and enforced Unbound to try > to reach an upstream server for each request, that seems like an expected > behaviour for DNS resolver. > > Footnotes: > [1] https://github.com/NLnetLabs/unbound/issues/362 > > [2] https://github.com/NLnetLabs/unbound/issues/362#issuecomment-2079235443 > > diff --git etc/unbound.conf etc/unbound.conf > index b33c099d70f..c406d683d33 100644 > --- etc/unbound.conf > +++ etc/unbound.conf > @@ -29,6 +29,19 @@ server: > # > aggressive-nsec: yes > > + # Unbound penalizes the upstream server for up to 24 hours if it is > + # not responding particularly well. When it happens, Unbound returns > + # SERVFAIL for every request to that upstream server. > + # Here we disable this feature and set the timeout between > + # attempts to reach the upstream server between 2 and 15 seconds, > + # but make no more than 16 attempts to reach the upstream server > + # before returning SERVFAIL. > + # See: https://github.com/NLnetLabs/unbound/issues/362 > + infra-keep-probing: yes > + outbound-msg-retry: 16 > + infra-cache-min-rtt: 2000 > + infra-cache-max-rtt: 15000 > + > # Serve zones authoritatively from Unbound to resolver clients. > # Not for external service. > # > > > -- > wbr, Kirill >
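Review bot: the comment in the hunk describes infra-cache-min-rtt / infra-cache-max-rtt as "the timeout between attempts ... between 2 and 15 seconds", but the values written are 2000 and 15000, i.e. milliseconds, and these options are lower and upper bounds on Unbound's dynamic retransmit timeout for a query, not a pause between attempts; say so and give the unit, e.g. `# bound the per-attempt retransmit timeout to 2000..15000 ms`. The comment also says "make no more than 16 attempts ... before returning SERVFAIL" as if that limited the wait, yet with outbound-msg-retry: 16 and a 15000 ms ceiling a dead upstream can hold one query for up to 16 x 15 s before SERVFAIL, far longer than stub resolvers typically wait; either note that worst case or justify the retry count, and record the defaults being overridden next to each option so a later reader can see how far the shipped config departs from upstream's.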