EngineersBox

Background

  • DNS servers can reuse the IPs for domains, e.g., 1.2.3.4 => 4.3.2.1, and then back to 1.2.3.4 after
  • Unbound only creates a fresh ipset rule, it doesn't refresh existing entries' TTL
  • We can have a case where an ipset entry's TTL is about to expire, but then the DNS server switches to that IP again. We will have a period where the address is missing from the ipset for that domain until the DNS entry expires

See this table for an example:

timestamp   ipset entry      DNS entry
0           1.2.3.4 TTL 3    1.2.3.4 TTL 60
3           -                1.2.3.4 TTL 57

This means the worst-case scenario is DNS TTL - ipset TTL seconds of no ipset entry presence. In the worst-case scenario a 60 second RRset entry (for example) could have an ipset entry present for only 1 second if the query finishes on the last second that the ipset contains the IP.

Note that bumping the ipset TTL value itself might help reduce the occurrences, but it is not going to fully eliminate the problem.

Solution

To make non-overlapping DNS cycles more palatable, Unbound can refresh/reset the TTL of an ipset set instead of leaving it at the current value. This applies when a DNS query responds with an IP that matches an existing ipset entry that was stored as a result of a previous DNS query.

Notes

A follow up PR for a more comprehensive rework of ipset support has been raised here: #1335
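The gap in the table above, as an added simulation that is not Unbound's or the PR's code: it models an ipset set with per-entry timeouts and a cached RRset, compares the original behaviour (only new entries get a timeout) with refreshing the entry on every matching answer, and assumes each query response re-presents the RRset IP to the ipset module. IP address and timings are constructed.

```python
"""Simulate the ipset-entry coverage gap for a cached RRset.

Constructed model, not Unbound's ipset module or the kernel's ipset.
"""
from dataclasses import dataclass, field


@dataclass
class IpsetSim:
    """Stand-in for an ipset set whose entries expire after `timeout` seconds."""
    timeout: int
    entries: dict = field(default_factory=dict)  # ip -> absolute expiry time

    def add(self, ip: str, now: int, refresh: bool) -> None:
        # Original behaviour: an entry only gets a timeout when it is created
        # (or re-created after it expired). With refresh=True a matching IP in
        # a later answer resets the expiry, which is what the PR proposes.
        exp = self.entries.get(ip)
        if exp is None or now >= exp or refresh:
            self.entries[ip] = now + self.timeout

    def contains(self, ip: str, now: int) -> bool:
        exp = self.entries.get(ip)
        return exp is not None and now < exp


def simulate(dns_ttl: int, ipset_timeout: int, query_times, refresh: bool,
             ip: str = "192.0.2.1") -> list:
    """Return the seconds in [0, dns_ttl) during which the resolver would still
    answer with `ip` from cache while the ipset no longer contains it.

    query_times: seconds at which a client queries the domain; the first query
    at t=0 populates the cache and the ipset, later ones are cache hits whose
    answer (assumption) is passed to the ipset module again.
    """
    ipset = IpsetSim(ipset_timeout)
    queries = set(query_times) | {0}
    missing = []
    for t in range(dns_ttl):
        if t in queries:
            ipset.add(ip, t, refresh)
        if not ipset.contains(ip, t):
            missing.append(t)
    return missing


if __name__ == "__main__":
    # Table from the PR: ipset TTL 3, DNS TTL 60, a single query at t=0.
    print("no refresh, one query:  ", len(simulate(60, 3, [0], False)), "s missing")
    print("no refresh, query /2s:  ", len(simulate(60, 3, range(0, 60, 2), False)), "s missing")
    print("refresh,    query /2s:  ", len(simulate(60, 3, range(0, 60, 2), True)), "s missing")
```

With the PR's numbers the single-query case reproduces the 57 second worst case; repeated queries still leave periodic holes without refresh and none with it.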

EngineersBox marked this pull request as draft on September 13, 2025 12:33
EngineersBox marked this pull request as ready for review on September 13, 2025 12:55
EngineersBox marked this pull request as draft on September 15, 2025 14:14
EngineersBox changed the title from "[Feat] Unbound: Refresh local-zone ipset entry TTL on subsesuent queries with matching IPs in RRSet" to "[Feat] Unbound: Refresh local-zone ipset entry TTL on subsequent queries with matching IPs in RRSet" on Sep 17, 2025