Maintained by: NLnet Labs

[Unbound-users] A few ideas and questions

W.C.A. Wijngaards
Wed Sep 17 08:33:05 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Teran,

Teran McKinney wrote:
> Every few days or so Unbound (on the VPN server) would stop forwarding
> requests to my router's Unbound instance, but generally (not certain
> if always), the ".el" zone would still resolve over the other server,
> which is just an authoritive server. Unbound would return SERVFAILs,
> but still be reachable. I turned on debugging and had to wait quite
> some time for it to stop working again; it took quite a while as it
> just stopped today. It even did so twice or three times today, so it
> seems like something in particular is breaking it. Here is what seems
> to be the relevant part in the logs
> <ftp://icadyptes.go-beyond.org/other/unbound-log.txt>. I don't quite
> understand the errors, but hopefully they are enough. Let me know if
> you need anything else.

The log file indicates that the router is not responding always. Due to
excessive timeouts, unbound has 'blacklisted' that IP address. This
lasts for 15 minutes by default.
	infra-host-ttl: 900   # seconds
So, the part where the retry was done, the timeouts, is not in this log
excerpt.  Are you experiencing periods of high packet loss?

As a workaround, you could put the infra-host-ttl: 3
This limits nonresolving to 3 seconds.

> As I was writing this email I came across some problems with my DNSSEC
> setup. Part of it appeared to be incorrectly configured, but I also
> seem to have had problems with the trusted-key-file parser in Unbound.
> After spending a while diagnosing it, I brought it to a point where I
> could have an identical (asside from the syntax) entry in
> trusted-key-file and trust-anchor-file, and the domain would only
> correctly authenticate via trust-anchor-file. I have many other zones
> in trusted-key-file, and it is now together with a trust-anchor-file
> only holding a single dnskey entry. The domain that was not working is
> eleuther.net (which did not work in trusted-key-file), go-beyond.org
> works fine and is in the trusted-key-file. Perhaps there is a bug
> surrounding the parsing? Sorry I don't have any logs or details of
> this, I was a bit frustrated over the time spent debuging it and
> didn't want to spend any more time once I fixed it. If you can't think
> of any immediate potential problems, I'd be happy to give you more
> specifics. I've had similair issues before, but was never certain
> where the problem was exactly.

Could you email me the details privately?  If you still have them.
I admit the trusted-key BIND format parser is a hack, but it does work
for me, maybe I missed a cornercase.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjQpKEACgkQkDLqNwOhpPjmCwCgqY+kFOqjOs8FGaORnz92KN4h
qpYAoIAmi18JCKLgv4Dh4E8m6cIRPoV/
=vvlL
-----END PGP SIGNATURE-----