On Tue, 15 Mar 2016 12:28+0100, Andrea Brancatelli wrote:

> Hello everybody,
>
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why.
>
> To make a long story short, we use this forward.conf:
>
> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
>         name: .
>         forward-addr: 8.8.8.8
>         forward-addr: 8.8.4.4
>
> Enabling this:
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in /etc/unbound/unbound.conf gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached
>
> simply disabling that line gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 .
>
> What's going on?

There are at least two possibilities:

1. Your ISP limits the use of DNS, in particular when DNSSEC is
   involved, or

2. The Google DNS resolvers don't support DNSSEC.

I haven't verified the latter, but I would guess Google are competent
enough to allow DNSSEC.

> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13
>
> Thanks.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
Hi,

the machine is connected "directly enough" (it's in a datacenter) to safely
exclude point 1. How can I check it with tcpdump or whatever?

For point 2 I have the same exact problem adding OpenDNS in forward.conf, so
I'd exclude it too.

I have an interesting and funny input tho: the problem happens only when
resolving *.freebsd.org but doesn't happen when I try to resolve, for
example, www.google.com [1].

I already know you won't be believing me (eheh), so here's a snippet:

root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 52156.
Starting local_unbound.
root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
;; connection timed out; no servers could be reached
root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004
root@dbengine-ent-rm-01:/var/unbound # unbound-anchor -l
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
#########

And then again:

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        # auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 59561.
Starting local_unbound.
root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
www.freebsd.org is an alias for wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org has address 8.8.178.110
wfe0.ysv.freebsd.org has IPv6 address 2001:1900:2254:206a::50:0
wfe0.ysv.freebsd.org mail is handled by 0 .
root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004

On 2016-03-15 13:42, Trond Endrestøl wrote:

> There are at least two possibilities:
>
> 1. Your ISP limits the use of DNS, in particular when DNSSEC is
>    involved, or
>
> 2. The Google DNS resolvers don't support DNSSEC.
>
> I haven't verified the latter, but I would guess Google are competent
> enough to allow DNSSEC.

Links:
------
[1] http://www.google.com
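One way to answer the "how can I check it" question above without tcpdump, as an added example that is not part of this thread: a small Python 3 diagnostic that sends the same kind of query a validating unbound sends (EDNS0 with the DO bit) straight to a forwarder and reports whether the reply carries RRSIGs, the AD flag or the TC bit. The function names, the 8.8.8.8 target and the embedded sample reply are my own construction, not captured traffic.

```python
import socket, struct
A, OPT, RRSIG = 1, 41, 46  # RR type codes used below
def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\x00"

def build_query(name, qtype=A, do=True, udp_size=4096, qid=0x1234):
    """Query with RD set plus an EDNS0 OPT RR; the DO bit asks the server for RRSIGs."""
    hdr = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack(">HHIH", OPT, udp_size, 0x8000 if do else 0, 0)
    return hdr + encode_name(name) + struct.pack(">HH", qtype, 1) + opt
def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 else 1)

def parse_response(msg):
    """DNSSEC-relevant summary of a reply: TC/AD flags, rcode, RRSIG count, EDNS presence."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):                       # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):             # every RR: name + 10-byte fixed header + rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"id": qid, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "rcode": flags & 0xF, "rrsigs": types.count(RRSIG), "edns": OPT in types}
def query_forwarder(server, name, timeout=3.0):
    """Send a DO-bit query over UDP to a forwarder; returns the summary, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

# Constructed reply, not captured traffic: A + RRSIG for www.freebsd.org, AD set, OPT present.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
    + encode_name("www.freebsd.org") + struct.pack(">HH", A, 1)
    + b"\xC0\x0C" + struct.pack(">HHIH", A, 1, 300, 4) + bytes([8, 8, 178, 110])
    + b"\xC0\x0C" + struct.pack(">HHIH", RRSIG, 1, 300, 3) + b"\x00\x01\x08"  # placeholder rdata
    + b"\x00" + struct.pack(">HHIH", OPT, 4096, 0x8000, 0))

if __name__ == "__main__":
    print(query_forwarder("8.8.8.8", "www.freebsd.org"))  # forwarder from the thread
```

A None result (timeout) for the DO query where a query built with do=False gets an answer, or a reply without RRSIGs, places the problem on the path to the forwarder rather than in unbound's validator; run it for both www.freebsd.org and www.google.com to compare the two cases from the thread.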