Hi Teran,

Teran McKinney wrote:
> Every few days or so Unbound (on the VPN server) would stop forwarding
> requests to my router's Unbound instance, but generally (not certain
> if always), the ".el" zone would still resolve over the other server,
> which is just an authoritative server. Unbound would return SERVFAILs,
> but still be reachable. I turned on debugging and had to wait quite
> some time for it to stop working again; it took quite a while as it
> just stopped today. It even did so twice or three times today, so it
> seems like something in particular is breaking it. Here is what seems
> to be the relevant part in the logs
> <ftp://icadyptes.go-beyond.org/other/unbound-log.txt>. I don't quite
> understand the errors, but hopefully they are enough. Let me know if
> you need anything else.

The log file indicates that the router is not always responding. Due to
excessive timeouts, unbound has 'blacklisted' that IP address. This
lasts for 15 minutes by default.

    infra-host-ttl: 900 # seconds

So, the part where the retry was done, the timeouts, is not in this log
excerpt. Are you experiencing periods of high packet loss?

As a workaround, you could put the

    infra-host-ttl: 3

This limits non-resolving to 3 seconds.

> As I was writing this email I came across some problems with my DNSSEC
> setup. Part of it appeared to be incorrectly configured, but I also
> seem to have had problems with the trusted-key-file parser in Unbound.
> After spending a while diagnosing it, I brought it to a point where I
> could have an identical (aside from the syntax) entry in
> trusted-key-file and trust-anchor-file, and the domain would only
> correctly authenticate via trust-anchor-file. I have many other zones
> in trusted-key-file, and it is now together with a trust-anchor-file
> only holding a single dnskey entry. The domain that was not working is
> eleuther.net (which did not work in trusted-key-file), go-beyond.org
> works fine and is in the trusted-key-file. Perhaps there is a bug
> surrounding the parsing? Sorry I don't have any logs or details of
> this, I was a bit frustrated over the time spent debugging it and
> didn't want to spend any more time once I fixed it. If you can't think
> of any immediate potential problems, I'd be happy to give you more
> specifics. I've had similar issues before, but was never certain
> where the problem was exactly.

Could you email me the details privately? If you still have them.

I admit the trusted-key BIND format parser is a hack, but it does work
for me; maybe I missed a corner case.

Best regards,
   Wouter
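The second half of the thread turns on whether an entry in trusted-key-file (BIND named.conf syntax) really is the same anchor as the one in trust-anchor-file (zone-file syntax). The script below is an added example for this thread, not code from Unbound or from either poster: it parses both formats into a common form, computes the RFC 4034 key tag for each anchor, and reports anchors present on only one side. The zone names and the key blob "AwEAAavN7wE=" are constructed placeholders, not real DNSKEY data, and the parser assumes one DNSKEY per line in the zone-file format (no parenthesised multi-line records).

```python
"""Cross-check Unbound trust anchors written in the two syntaxes from the
thread: trust-anchor-file (zone-file style DNSKEY lines) and
trusted-key-file (BIND-style trusted-keys { ... } blocks).

Added example, not part of Unbound. Names and key material below are
constructed placeholders, not real DNSKEY records."""

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Anchor:
    name: str       # owner name, lower-cased, with trailing dot
    flags: int      # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    protocol: int   # always 3 for DNSSEC
    algorithm: int  # DNSSEC algorithm number, e.g. 8 = RSASHA256
    key: bytes      # decoded public key material


def _norm_name(name):
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."


# trust-anchor-file lines look like:  example.net. [TTL] [IN] DNSKEY 257 3 8 <base64>
_ZONE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$",
    re.IGNORECASE,
)


def parse_trust_anchor_file(text):
    """Parse the zone-file style format; ';' starts a comment."""
    anchors = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _ZONE_RE.match(line)
        if not m:
            raise ValueError("unparseable trust-anchor line: %r" % raw)
        anchors.add(Anchor(_norm_name(m.group("name")), int(m.group("flags")),
                           int(m.group("proto")), int(m.group("alg")),
                           base64.b64decode(re.sub(r"\s+", "", m.group("key")))))
    return anchors


def _strip_bind_comments(text):
    """Drop /* */, // and # comments, but only outside double quotes:
    base64 key data can itself contain '//'."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    kept = []
    for line in text.splitlines():
        in_quote, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and (ch == "#" or line.startswith("//", i)):
                cut = i
                break
        kept.append(line[:cut])
    return "\n".join(kept)


_BLOCK_RE = re.compile(r"trusted-keys\s*\{(.*?)\}\s*;", re.DOTALL | re.IGNORECASE)
# entries inside a block:  "example.net." 257 3 8 "<base64>";
_ENTRY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')


def parse_trusted_key_file(text):
    """Parse BIND named.conf trusted-keys { ... }; blocks."""
    anchors = set()
    for block in _BLOCK_RE.findall(_strip_bind_comments(text)):
        for name, flags, proto, alg, key in _ENTRY_RE.findall(block):
            anchors.add(Anchor(_norm_name(name), int(flags), int(proto), int(alg),
                               base64.b64decode(re.sub(r"\s+", "", key))))
    return anchors


def key_tag(anchor):
    """RFC 4034 Appendix B key tag (the 'key id' that dig +multi prints)."""
    rdata = (anchor.flags.to_bytes(2, "big")
             + bytes([anchor.protocol, anchor.algorithm]) + anchor.key)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compare(anchors_a, anchors_b):
    """Return (only_in_a, only_in_b) as sorted lists of (name, key_tag)."""
    only_a = sorted((x.name, key_tag(x)) for x in anchors_a - anchors_b)
    only_b = sorted((x.name, key_tag(x)) for x in anchors_b - anchors_a)
    return only_a, only_b


# Constructed sample files. "AwEAAavN7wE=" is a made-up 8-byte blob
# (03 01 00 01 AB CD EF 01), far too short to be a real RSA key.
TRUST_ANCHOR_FILE = """\
; trust-anchor-file: one DNSKEY per line, zone-file syntax (constructed)
example.net. IN DNSKEY 257 3 8 AwEAAavN7wE=
"""

TRUSTED_KEY_FILE = """\
// trusted-key-file: BIND named.conf syntax (constructed)
trusted-keys {
    "example.net." 257 3 8 "AwEAAavN7wE=";   # same anchor as above
    "example.org." 256 3 8 "AwEAAavN7wE=";   # only here, and flags differ
};
"""

if __name__ == "__main__":
    a = parse_trust_anchor_file(TRUST_ANCHOR_FILE)
    b = parse_trusted_key_file(TRUSTED_KEY_FILE)
    for x in sorted(a | b, key=lambda x: (x.name, x.flags)):
        print("%-16s flags=%d alg=%d tag=%d" % (x.name, x.flags, x.algorithm, key_tag(x)))
    only_a, only_b = compare(a, b)
    print("only in trust-anchor-file:", only_a)
    print("only in trusted-key-file: ", only_b)
```

Point the two parsers at the real files to see whether an anchor exists on only one side or differs in flags, algorithm or key bytes; the key tag is the same number `dig +multi DNSKEY <zone>` prints as `key id`, which makes it easy to spot a stale anchor. The comment stripping deliberately ignores `//` inside quoted strings, because base64 key data can legitimately contain that sequence and a naive comment stripper would silently truncate the key.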