- Cached messages that reach 0 TTL are considered expired. This prevents Unbound itself from issuing replies with TTL 0 and possibly causing a thundering herd at the last second. Upstream replies of TTL 0 still get the usual pass-through but they are not considered for caching from Unbound or any of its caching modules. - 'serve-expired-reply-ttl' is changed and is now capped by the original TTL value of the record to try and make some sense when replying with expired records. - TTL decoding was updated to adhere to RFC8767 section 4 where a set high-order bit means the value is positive instead of 0.
server:
minimal-responses: no
serve-expired: yes
# The value does not matter, we will not simulate delay.
# We do not want only serve-expired because fetches from that
# apply a generous PREFETCH_LEEWAY.
serve-expired-client-timeout: 1000
serve-expired-reply-ttl: 123
# So that we only have to give one SERVFAIL answer.
outbound-msg-retry: 0
ede: yes
ede-serve-expired: yes
forward-zone:
	name: "."
	forward-addr: 216.0.0.1
CONFIG_END
SCENARIO_BEGIN RRset from cache updates the message TTL.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; the query is sent to the forwarder - no cache yet.
STEP 2 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 3 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
; authoritative answer
REPLY QR AA RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 205 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 210 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 210 IN A 10.20.30.50
ENTRY_END
STEP 4 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 205 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 210 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 210 IN A 10.20.30.50
ENTRY_END
; Wait for the A RRSET to expire.
STEP 5 TIME_PASSES ELAPSE 205
STEP 6 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; expired answer will not be served due to serve-expired-client-timeout.
STEP 7 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 8 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
; authoritative answer
REPLY QR AA RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 205 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 210 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 210 IN A 10.20.30.50
ENTRY_END
; The cached NS related RRSETs will not be overwritten by the fresh answer.
; The message should have a TTL of 5 instead of 205 from above.
STEP 9 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 205 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 5 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 5 IN A 10.20.30.50
ENTRY_END
; Wait for the NS RRSETs to expire.
STEP 10 TIME_PASSES ELAPSE 5
STEP 11 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; The message should be expired, again no expired answer at this point due to
; serve-expired-client-timeout.
STEP 12 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 13 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; The SERVFAIL will trigger the serve-expired-client-timeout logic to try and
; replace the SERVFAIL with a possible cached (expired) answer.
; The A RRSET would be at 200 left but the message should have
; been updated to use a TTL of 5 so expired by now.
; If the message TTL was not updated (bug), this message would be treated as
; non-expired and the now expired NS related RRSETs would fail sanity checks
; for non-expired messages. The result would be SERVFAIL here.
STEP 14 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl ede=3
REPLY QR RD RA DO
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 200 IN A 10.20.30.40
SECTION AUTHORITY
example.com. 123 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 123 IN A 10.20.30.50
ENTRY_END
SCENARIO_END