Maintained by: NLnet Labs

[Unbound-users] A few ideas and questions

Teran McKinney
Wed Sep 17 14:17:46 CEST 2008


I actually don't have any sensitive data in my DNSSEC setup, so I am
just posting this to the mailing list directly. Now that I think
about it, perhaps the DNSSEC problems with my eleuther.net domain were
causing the timeouts that caused the VPN's resolver to experience a
long enough time out to stop resolving from it. Here is my (now
working) router's Unbound configuration:
<ftp://icadyptes.go-beyond.org/other/unbound/>. It is a bit messy, and
I don't mind moving to the traditional trust-anchor-file format
entirely. I will change the timeout for now.

My network is generally quite stable, and I doubt it is packet loss. I
could run some tests, but I haven't noticed any abnormally slow
resolves or problems of that nature.

Thanks,
Teran (sega01)

On Wed, Sep 17, 2008 at 06:33, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Teran,
>
> Teran McKinney wrote:
>> Every few days or so Unbound (on the VPN server) would stop forwarding
>> requests to my router's Unbound instance, but generally (not certain
>> if always), the ".el" zone would still resolve over the other server,
>> which is just an authoritative server. Unbound would return SERVFAILs,
>> but still be reachable. I turned on debugging and had to wait quite
>> some time for it to stop working again; it took quite a while as it
>> just stopped today. It even did so twice or three times today, so it
>> seems like something in particular is breaking it. Here is what seems
>> to be the relevant part in the logs
>> <ftp://icadyptes.go-beyond.org/other/unbound-log.txt>. I don't quite
>> understand the errors, but hopefully they are enough. Let me know if
>> you need anything else.
>
> The log file indicates that the router is not responding always. Due to
> excessive timeouts, unbound has 'blacklisted' that IP address. This
> lasts for 15 minutes by default.
>        infra-host-ttl: 900   # seconds
> So, the part where the retry was done, the timeouts, is not in this log
> excerpt.  Are you experiencing periods of high packet loss?
>
> As a workaround, you could put the infra-host-ttl: 3
> This limits nonresolving to 3 seconds.
>
>> As I was writing this email I came across some problems with my DNSSEC
>> setup. Part of it appeared to be incorrectly configured, but I also
>> seem to have had problems with the trusted-key-file parser in Unbound.
>> After spending a while diagnosing it, I brought it to a point where I
>> could have an identical (aside from the syntax) entry in
>> trusted-key-file and trust-anchor-file, and the domain would only
>> correctly authenticate via trust-anchor-file. I have many other zones
>> in trusted-key-file, and it is now together with a trust-anchor-file
>> only holding a single dnskey entry. The domain that was not working is
>> eleuther.net (which did not work in trusted-key-file), go-beyond.org
>> works fine and is in the trusted-key-file. Perhaps there is a bug
>> surrounding the parsing? Sorry I don't have any logs or details of
>> this, I was a bit frustrated over the time spent debugging it and
>> didn't want to spend any more time once I fixed it. If you can't think
>> of any immediate potential problems, I'd be happy to give you more
>> specifics. I've had similar issues before, but was never certain
>> where the problem was exactly.
>
> Could you email me the details privately?  If you still have them.
> I admit the trusted-key BIND format parser is a hack, but it does work
> for me, maybe I missed a corner case.
>
> Best regards,
>   Wouter
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkjQpKEACgkQkDLqNwOhpPjmCwCgqY+kFOqjOs8FGaORnz92KN4h
> qpYAoIAmi18JCKLgv4Dh4E8m6cIRPoV/
> =vvlL
> -----END PGP SIGNATURE-----
>
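The thread above turns on two trust-anchor entries that were "identical aside from the syntax" yet validated differently. A quick way to rule out (or confirm) a parser corner case is to normalise both files to the same DNSKEY tuple and compare, including the RFC 4034 key tag. The script below is an added example written for this thread; it is not Unbound's own parser and not code from the list. It reads the two syntaxes Unbound accepts, BIND `trusted-keys { ... };` blocks (the `trusted-keys-file` option) and zone-file `DNSKEY` lines (the `trust-anchor-file` option), and reports entries present in one but not the other. The key material is constructed (base64 of arbitrary bytes) so the example runs offline; it is not the real eleuther.net key. DS-format anchors are skipped, and whitespace inside the base64 is stripped before decoding, both assumptions of this example.

```python
from __future__ import annotations

import base64
import re
import struct
from dataclasses import dataclass

# Constructed key material: base64 of 66 arbitrary bytes, NOT a real DNSKEY.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(3, 69))).decode()

# Constructed trusted-keys-file content (BIND trusted-keys syntax).
SAMPLE_TRUSTED_KEYS = (
    "trusted-keys {\n"
    '  "eleuther.net." 257 3 5 "' + SAMPLE_KEY_B64 + '";\n'
    "};\n"
)

# Constructed trust-anchor-file content (zone-file syntax, ';' starts a comment).
SAMPLE_TRUST_ANCHOR = (
    "; KSK for the zone, same key as above in zone-file form\n"
    "eleuther.net.  3600  IN  DNSKEY  257 3 5  " + SAMPLE_KEY_B64 + "\n"
)


@dataclass(frozen=True)
class TrustAnchor:
    owner: str       # canonical owner name: lowercase, trailing dot
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 5 = RSASHA1
    key: bytes       # decoded public key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key
        acc = 0
        for i, b in enumerate(rdata):
            acc += b if i % 2 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


def canonical_name(name: str) -> str:
    """Lowercase and add the trailing dot so 'Example.net' and 'example.net.' compare equal."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# One entry inside a trusted-keys block: "owner" flags proto alg "base64";
_TRUSTED_KEYS_RE = re.compile(
    r'"(?P<owner>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;'
)


def parse_trusted_keys(text: str) -> list[TrustAnchor]:
    """Parse BIND-style trusted-keys entries (Unbound's trusted-keys-file)."""
    anchors = []
    for m in _TRUSTED_KEYS_RE.finditer(text):
        key = base64.b64decode(re.sub(r"\s+", "", m["key"]))  # assumption: whitespace is ignorable
        anchors.append(TrustAnchor(canonical_name(m["owner"]), int(m["flags"]),
                                   int(m["proto"]), int(m["alg"]), key))
    return anchors


def parse_trust_anchor_file(text: str) -> list[TrustAnchor]:
    """Parse zone-file DNSKEY lines (Unbound's trust-anchor-file); DS lines are skipped here."""
    anchors = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")              # optional TTL and class sit before this
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        key = base64.b64decode("".join(tokens[i + 4:]))
        anchors.append(TrustAnchor(canonical_name(tokens[0]), flags, proto, alg, key))
    return anchors


def report_differences(first: list[TrustAnchor], second: list[TrustAnchor]) -> list[str]:
    """Describe anchors present in one list but not the other; empty means they agree."""
    order = lambda a: (a.owner, a.key_tag())
    lines = [f"only in first:  {a.owner} tag={a.key_tag()} flags={a.flags} alg={a.algorithm}"
             for a in sorted(set(first) - set(second), key=order)]
    lines += [f"only in second: {a.owner} tag={a.key_tag()} flags={a.flags} alg={a.algorithm}"
              for a in sorted(set(second) - set(first), key=order)]
    return lines


if __name__ == "__main__":
    a = parse_trusted_keys(SAMPLE_TRUSTED_KEYS)
    b = parse_trust_anchor_file(SAMPLE_TRUST_ANCHOR)
    for line in report_differences(a, b) or ["both files describe the same trust anchors"]:
        print(line)
```

Run it against the real files by passing their contents to the two parse functions; an empty report means the two syntaxes decode to the same owner, flags, protocol, algorithm and key bytes, so a validation difference between them points at the resolver rather than at a copy-and-paste slip, while a non-empty report shows exactly which field (or key tag) diverged.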