Hello everybody,

we're suddenly having problems with unbound on almost all of our servers and I cannot really understand why.

To make a long story short, we use this forward.conf:

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4

Enabling this:

auto-trust-anchor-file: /var/unbound/root.key

in /etc/unbound/unbound.conf gives me this:

root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
;; connection timed out; no servers could be reached

simply disabling that line gives me this:

root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
update.freebsd.org is an alias for update5.freebsd.org.
update5.freebsd.org has address 204.9.55.80
update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
update5.freebsd.org mail is handled by 0 .

What's going on?

root@dbengine-ent-rm-01:/var/unbound # freebsd-version
10.2-RELEASE-p13

Thanks.

-- 
Andrea Brancatelli
Schema31 S.p.a.
Responsabile IT
ROMA - BO - FI - PA
ITALY

Tel: +39. 06.98.358.472
Cell: +39 331.2488468
Fax: +39. 055.71.880.466

Società del Gruppo SC31 ITALIA
On Tue, 15 Mar 2016 12:28+0100, Andrea Brancatelli wrote:

> Hello everybody,
>
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why.
>
> To make a long story short, we use this forward.conf:
>
> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
>         name: .
>         forward-addr: 8.8.8.8
>         forward-addr: 8.8.4.4
>
> Enabling this:
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in /etc/unbound/unbound.conf gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached
>
> simply disabling that line gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 .
>
> What's going on?

There are at least two possibilities:

1. Your ISP limits the use of DNS, in particular when DNSSEC is involved, or
2. The Google DNS resolvers don't support DNSSEC.

I haven't verified the latter, but I would guess Google are competent enough to allow DNSSEC.

> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13
>
> Thanks.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
On 03/15/16 11:28, Andrea Brancatelli wrote:

> Hello everybody,
>
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why.
>
> To make a long story short, we use this forward.conf:
>
> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
>         name: .
>         forward-addr: 8.8.8.8
>         forward-addr: 8.8.4.4
>
> Enabling this:
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in /etc/unbound/unbound.conf gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached
>
> simply disabling that line gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 .
>
> What's going on?
>
> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13

Do you have a firewall between those machines and the Internet? Does it assume that DNS queries never use anything more than 512-byte UDP packets? Does it try and rewrite data in DNS queries?

Doing either of those things will cause breakage when using a DNSSEC enabled DNS resolver -- and DNSSEC support is pretty much the whole point of local_unbound.

If you go here:

https://www.dns-oarc.net/oarc/services/replysizetest

it should show you if you have any problems with reply lengths.

Firewalls that try and modify DNS queries on the fly just need to be eradicated. It's a dumb idea and indistinguishable from certain types of malicious attack.

Cheers,

Matthew
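The two symptoms Matthew points at (replies clamped to 512 bytes, EDNS0 data stripped by a middlebox) can be read straight off a DNS reply. The following is example code added for this thread, not code from unbound, FreeBSD or any of the posters: it parses a reply's header flags and EDNS0 OPT record and runs over two constructed replies for update5.freebsd.org; the function names `inspect_reply` and `diagnose` are hypothetical.

```python
import struct
DO_BIT = 0x8000  # DNSSEC OK flag, carried in the OPT record's TTL field (RFC 4035)
TC_BIT = 0x0200  # TrunCation flag in the DNS header

def encode_name(name):
    # Wire-encode a domain name as length-prefixed labels plus the root label.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    # Return the offset just past a possibly-compressed name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_reply(msg):
    # Extract the header/EDNS0 fields that matter for the 512-byte UDP problem.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"truncated": bool(flags & TC_BIT), "answers": an,
            "edns_udp_size": None, "dnssec_ok": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                           # OPT: CLASS holds the UDP size
            info["edns_udp_size"] = rclass
            info["dnssec_ok"] = bool(ttl & DO_BIT)
    return info

def diagnose(msg):
    # Map a reply to the middlebox symptoms described in the thread.
    info = inspect_reply(msg)
    if info["truncated"]:
        return "truncated: must retry over TCP, so 53/tcp has to be open too"
    if info["edns_udp_size"] is None or info["edns_udp_size"] <= 512:
        return "no usable EDNS0: replies above 512 bytes (DNSSEC) will not fit"
    return "ok: EDNS0 size %d, DO=%s" % (info["edns_udp_size"], info["dnssec_ok"])
# Constructed sample replies (not captured traffic) for update5.freebsd.org.
Q = encode_name("update5.freebsd.org") + struct.pack("!HH", 1, 1)       # A, IN
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([204, 9, 55, 80])
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
GOOD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + Q + A_RR + OPT_RR
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + Q
```

Feeding it the raw bytes of a real reply (for example from a packet capture on the forwarder's UDP socket) tells you whether the OPT record survived the path to 8.8.8.8 and back.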