Maintained by: NLnet Labs

[Unbound-users] Unbound v1.0.2 stopping - DNSSEC enabled

Griffiths, Chris
Wed Oct 8 05:17:46 CEST 2008


Hello,

We have been testing a resolver running Unbound 1.0.2 with DNSSEC
enabled in order to evaluate the server in a production environment.

The Unbound application would routinely stop every few hours when not
under heavy load.  We turned up verbosity to level 3 in the config file,
but the only information written to syslog was the following message:

Oct  3 20:10:28 <hostname> unbound: [27453:0] info: service stopped (unbound 1.0.2).

We enabled DNSSEC and installed 5 trust anchors and many different keys
to test using the trusted-keys format.  The server was also configured
in a chroot environment.  We did not enable IPv6 on the server.

Here is the configuration we were testing with.  Any comments would be
most appreciated:

server:
        interface: 0.0.0.0
        port: 53
        # interface: ::0
        directory: "/etc/unbound"
        username: unbound
        chroot: "/etc/unbound"
        pidfile: "/etc/unbound/unbound.pid"
        use-syslog: yes
        verbosity: 1
        access-control:  0.0.0.0/0 allow
        # access-control: 10.0.0.0/8 allow
        # access-control: 2001:DB8::/64 allow
        # trust anchors. In separate files, to be updated from cron.
        trust-anchor-file: "/etc/unbound/anchors/br.anchor"
        trust-anchor-file: "/etc/unbound/anchors/se.anchor"
        trust-anchor-file: "/etc/unbound/anchors/bg.anchor"
        trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
        trust-anchor-file: "/etc/unbound/anchors/cz.anchor"
        # trust keys
        trusted-keys-file: "/etc/unbound/keys/ripe.keys"
        trusted-keys-file: "/etc/unbound/keys/nic.uk.keys"
        trusted-keys-file: "/etc/unbound/keys/dlv.isc.org.keys"
        trusted-keys-file: "/etc/unbound/keys/dnssec.comcast.net.keys"
        trusted-keys-file: "/etc/unbound/keys/dnsops.keys"