Hi Sven,

Because it is misconfigured and unbound's security policy.

If you ask .com servers for wpbeginner.com it gives a delegation to:

wpbeginner.com. 172800 IN NS ns1.uzzz.net.
wpbeginner.com. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19

Unbound however, does not believe the ns1.uzzz.net addresses from here
because of security policy. (Otherwise cache poisoning is going to happen).
It decides to check up on things.

It asks for ns1.uzzz.net to the .net servers that give this delegation:

uzzz.net. 172800 IN NS ns1.uzzz.net.
uzzz.net. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19

This time, having asked the .net servers, unbound believes the addresses,
but the security policy is to check even further.

Unbound asks uzzz.net nameservers for ns1.uzzz.net. As you can see in the
dig sample below, it gets a reply with a different address for ns1.uzzz.net.

$ dig @74.52.155.18 ns1.uzzz.net.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns1.uzzz.net. IN A

;; ANSWER SECTION:
ns1.uzzz.net. 14400 IN A 72.249.16.25

;; AUTHORITY SECTION:
uzzz.net. 86400 IN NS ns712.websitewelcome.com.
uzzz.net. 86400 IN NS ns711.websitewelcome.com.

;; ADDITIONAL SECTION:
ns712.websitewelcome.com. 130930 IN A 74.52.155.19

So, it finds out that the real address of ns1.uzzz.net is 72.249.16.25!
Because the uzzz.net server says so and is authoritative for the data.

Unbound then asks 72.249.16.25 for wpbeginner.com.

$ dig @72.249.16.25 wpbeginner.com
;; connection timed out; no servers could be reached

The same story for ns2.uzzz.net, the server does not respond to queries.

So, I would like to be able to provide the correct answer to users who want
to connect to wpbeginner.com; unbound tries to fetch the most authoritative
response for it, but that address will not answer.

All that said, if you really want to resolve this, the option
harden-glue: no
does that. (And allows cache poisoning!).

The best solution is to have wpbeginner.com publish correct information to
the verisign servers, and/or run a nameserver on the address 72.249.16.25.

Thank you for reporting the non-working address.

Best regards,
Wouter

On 07/20/2009 12:46 PM, Sven Juergensen wrote:
> Hi list,
>
> any idea why wpbeginner.com can't be resolved
> using unbound 1.3.1?
>
> Thanks for any input.
>
> Best regards,
>
> Sven Juergensen
>
> dig any wpbeginner.com @89.27.130.35
>
> ; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @89.27.130.35
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;wpbeginner.com. IN ANY
>
> ;; Query time: 2877 msec
> ;; SERVER: 89.27.130.35#53(89.27.130.35)
> ;; WHEN: Mon Jul 20 12:42:47 2009
> ;; MSG SIZE rcvd: 32
>
>
> Kind regards,
>
> i. A. Sven Juergensen
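
An added example, not part of the original mail and not Unbound's implementation: a small Python check that compares the glue addresses a parent zone hands out with what the child zone's own server answers, run over the records quoted in the mail. The function names `parse_rrs` and `glue_mismatches` are hypothetical.

```python
"""Flag nameserver glue that disagrees with the child zone's authoritative data."""

# Records copied from the mail above: the .net delegation (glue) and the
# ANSWER section returned by the uzzz.net server itself.
PARENT_GLUE = """\
uzzz.net. 172800 IN NS ns1.uzzz.net.
uzzz.net. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19
"""
CHILD_ANSWER = """\
;; ANSWER SECTION:
ns1.uzzz.net. 14400 IN A 72.249.16.25
"""


def parse_rrs(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): {rdata}}."""
    rrsets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop dig comment lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"not a full resource record: {raw!r}")
        owner, rtype = fields[0].lower(), fields[3].upper()
        rrsets.setdefault((owner, rtype), set()).add(" ".join(fields[4:]).lower())
    return rrsets


def glue_mismatches(parent_text, child_text):
    """Return (ns, type, glue_addrs, authoritative_addrs) for each disagreement.

    A nameserver the child did not answer for is skipped: it is unverified,
    not contradicted.
    """
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    ns_names = {ns for (_, rtype), rdata in parent.items()
                if rtype == "NS" for ns in rdata}
    findings = []
    for ns in sorted(ns_names):
        for rtype in ("A", "AAAA"):
            authoritative = child.get((ns, rtype))
            glue = parent.get((ns, rtype), set())
            if authoritative is not None and authoritative != glue:
                findings.append((ns, rtype, sorted(glue), sorted(authoritative)))
    return findings
```
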