I actually don't have any sensitive data in my DNSSEC setup, so I am just posting this to the mailing list directly. Now that I think about it, perhaps the DNSSEC problems with my eleuther.net domain were causing the timeouts that caused the VPN's resolver to experience a long enough timeout to stop resolving from it.

Here is my (now working) router's Unbound configuration: <ftp://icadyptes.go-beyond.org/other/unbound/>. It is a bit messy, and I don't mind moving to the traditional trust-anchor-file format entirely.

I will change the timeout for now. My network is generally quite stable, and I doubt it is packet loss. I could run some tests, but I haven't noticed any abnormally slow resolves or problems of that nature.

Thanks,
Teran (sega01)

On Wed, Sep 17, 2008 at 06:33, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> Hi Teran,
>
> Teran McKinney wrote:
>> Every few days or so Unbound (on the VPN server) would stop forwarding
>> requests to my router's Unbound instance, but generally (not certain
>> if always), the ".el" zone would still resolve over the other server,
>> which is just an authoritative server. Unbound would return SERVFAILs,
>> but still be reachable. I turned on debugging and had to wait quite
>> some time for it to stop working again; it took quite a while as it
>> just stopped today. It even did so twice or three times today, so it
>> seems like something in particular is breaking it. Here is what seems
>> to be the relevant part in the logs
>> <ftp://icadyptes.go-beyond.org/other/unbound-log.txt>. I don't quite
>> understand the errors, but hopefully they are enough. Let me know if
>> you need anything else.
>
> The log file indicates that the router is not responding always. Due to
> excessive timeouts, unbound has 'blacklisted' that IP address. This
> lasts for 15 minutes by default.
> infra-host-ttl: 900 # seconds
> So, the part where the retry was done, the timeouts, is not in this log
> excerpt. Are you experiencing periods of high packet loss?
>
> As a workaround, you could put the infra-host-ttl: 3
> This limits nonresolving to 3 seconds.
>
>> As I was writing this email I came across some problems with my DNSSEC
>> setup. Part of it appeared to be incorrectly configured, but I also
>> seem to have had problems with the trusted-key-file parser in Unbound.
>> After spending a while diagnosing it, I brought it to a point where I
>> could have an identical (aside from the syntax) entry in
>> trusted-key-file and trust-anchor-file, and the domain would only
>> correctly authenticate via trust-anchor-file. I have many other zones
>> in trusted-key-file, and it is now together with a trust-anchor-file
>> only holding a single dnskey entry. The domain that was not working is
>> eleuther.net (which did not work in trusted-key-file), go-beyond.org
>> works fine and is in the trusted-key-file. Perhaps there is a bug
>> surrounding the parsing? Sorry I don't have any logs or details of
>> this, I was a bit frustrated over the time spent debugging it and
>> didn't want to spend any more time once I fixed it. If you can't think
>> of any immediate potential problems, I'd be happy to give you more
>> specifics. I've had similar issues before, but was never certain
>> where the problem was exactly.
>
> Could you email me the details privately? If you still have them.
> I admit the trusted-key BIND format parser is a hack, but it does work
> for me, maybe I missed a corner case.
>
> Best regards,
> Wouter
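The thread turns on the same trust anchor living in two syntaxes: the BIND `trusted-keys` form that Unbound's `trusted-keys-file:` option reads, and the DNSKEY/DS resource-record form of `trust-anchor-file:`, which Teran says he is willing to move to. As an added example (not code from the thread, from Unbound, or from BIND), this Python script converts a BIND `trusted-keys` block into DNSKEY RR lines for `trust-anchor-file:`, rejecting key data that is not valid base64, and appends each key's RFC 4034 key tag so the result can be checked against the zone's published DNSKEY or DS. The key material in the sample is constructed, not real.

```python
import base64
import re
import struct

# Constructed sample in BIND "trusted-keys" syntax, the format Unbound's
# trusted-keys-file: option reads.  The key material is made up, not real keys.
BIND_TRUSTED_KEYS = '''
trusted-keys {
    // one key's data split over two quoted chunks, as BIND permits
    "example.net." 257 3 5 "AwEAAcR4hDFjs0b7lgHz+zFb8bJgEHq4EZ6h"
                           "Z5xgLlQdh9bI3NO4cM07s/Ydns0UtPx3yQ==";
    "example.org." 257 3 8 "AwEAAaB/dX3q8CE6qmTbY0E10JBY9A9yKlg2bR2t3Q==";
};
'''

# name, flags, protocol, algorithm, then one or more quoted base64 chunks and ';'
KEY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+((?:"[^"]*"\s*)+);')

def parse_trusted_keys(text):
    """Return (name, flags, protocol, algorithm, key_b64) tuples.  Comments are
    stripped only where '//' or '#' starts a token, so '//' inside base64 survives."""
    text = re.sub(r'(?m)(?:^|\s)(?://|#)[^\n]*', '', text)
    keys = []
    for name, flags, proto, alg, data in KEY_RE.findall(text):
        key_b64 = ''.join(re.findall(r'"([^"]*)"', data))
        base64.b64decode(key_b64, validate=True)  # fail loudly on garbled key data
        keys.append((name, int(flags), int(proto), int(alg), key_b64))
    return keys

def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack('!HBB', flags, proto, alg) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def to_trust_anchor_file(text):
    """Emit the same anchors as DNSKEY RRs for Unbound's trust-anchor-file:, each
    with its key tag in a trailing comment for comparison against the zone."""
    lines = []
    for name, flags, proto, alg, key_b64 in parse_trusted_keys(text):
        name = name if name.endswith('.') else name + '.'
        tag = key_tag(flags, proto, alg, key_b64)
        lines.append(f'{name} IN DNSKEY {flags} {proto} {alg} {key_b64}  ; key tag {tag}')
    return '\n'.join(lines)

if __name__ == '__main__':
    print(to_trust_anchor_file(BIND_TRUSTED_KEYS))
```

Feed the output to `trust-anchor-file:` only after the printed key tag matches what `dig +dnssec DNSKEY <zone>` or the parent's DS record reports; a mismatch means the anchor text, not Unbound, is what is broken.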