Hi all, Whilst watching exim logs scroll past on an MTA of my acquaintance, I saw this: 2008-09-17 01:48:03 H=(felix.hopcount.ca) [204.152.186.101] sender verify defer for <nanog-bounces at nanog.org>: host lookup did not complete 2008-09-17 01:48:03 H=(felix.hopcount.ca) [204.152.186.101] F=<nanog-bounces at nanog.org > temporarily rejected RCPT <mjabhop at monster.hopcount.ca>: Could not complete sender verify which made me scratch my chin. The box in question is running unbound 1.0.2, installed on FreeBSD 7.0 from ports, and /etc/resolv.conf contains "nameserver 127.0.0.1". On the box in question, on an empty cache: [monster:~]% dig @127.0.0.1 nanog.org soa +short dns.merit.net. dns.merit.net. 2008090300 28800 14400 2419200 14400 [monster:~]% and [monster:~]% dig @127.0.0.1 nanog.org ns +short dns1.merit.net. dns2.merit.net. dns3.merit.net. [monster:~]% and other such things are wonderful and as expected, but [monster:~]% dig @127.0.0.1 nanog.org mx ; <<>> DiG 9.4.2 <<>> @127.0.0.1 nanog.org mx ; (1 server found) ;; global options: printcmd ;; connection timed out; no servers could be reached [monster:~]% fails, consistently. BIND9 resolvers on the same network have no such problem: [calamari:~]% dig @127.0.0.1 version.bind ch txt +short "9.4.2-P2" [calamari:~]% dig @127.0.0.1 nanog.org mx ; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 nanog.org mx ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6129 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ;nanog.org. IN MX ;; ANSWER SECTION: nanog.org. 1800 IN MX 0 s0.nanog.org. ;; AUTHORITY SECTION: nanog.org. 9454 IN NS dns2.merit.net. nanog.org. 9454 IN NS dns3.merit.net. nanog.org. 9454 IN NS dns1.merit.net. ;; ADDITIONAL SECTION: s0.nanog.org. 12559 IN A 198.108.95.20 s0.nanog.org. 12559 IN AAAA 2001:48a8:6880:95::20 dns2.merit.net. 167854 IN A 198.109.64.250 dns3.merit.net. 167854 IN A 207.72.112.10 dns1.merit.net. 167854 IN A 198.108.1.43 ;; Query time: 1565 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Sep 16 22:01:03 2008 ;; MSG SIZE rcvd: 204 [calamari:~]% Something seems to be going on. Unbound is logging nothing to syslog (but daemon.* is definitely being recorded; I've tested using logger(1)). I am short on ideas of other ways to gather data and figure out what is going on. Any ideas? Joe [monster:~]% uname -a FreeBSD monster.hopcount.ca 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #8: Sat Sep 6 01:12:37 UTC 2008 root at monster.hopcount.ca:/usr/obj/usr/ src/sys/GENERIC i386 [monster:~]% [monster:~]% diff -u /usr/local/etc/unbound/unbound.conf.sample \ > /usr/local/etc/unbound/unbound.conf --- /usr/local/etc/unbound/unbound.conf.sample 2008-08-15 00:49:47.000000000 +0000 +++ /usr/local/etc/unbound/unbound.conf 2008-09-17 01:33:08.000000000 +0000 @@ -33,6 +33,8 @@ # interface: 192.0.2.153 # interface: 192.0.2.154 # interface: 2001:DB8::5 + interface: 127.0.0.1 + interface: 199.212.90.6 # enable this feature to copy the source address of queries to reply. # Socket options not be supported on all platforms. experimental. @@ -47,6 +49,7 @@ # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 + outgoing-interface: 199.212.90.4 # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. @@ -140,6 +143,7 @@ # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow + access-control: 199.212.90.0/24 allow # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, @@ -183,7 +187,7 @@ # use-syslog: yes # the pid file. - # pidfile: "/usr/local/etc/unbound/unbound.pid" + # pidfile: "/var/run/unbound/unbound.pid" # file to read root hints from. # get one from ftp://FTP.INTERNIC.NET/domain/named.cache [monster:~]%