Hi Wouter,

many thanks for the insights into unbound's inner
workings. Let's see if the person responsible
for the domain feels like fixing things.

Best regards,

Kind regards,

i. A. Sven Juergensen

--
Networks and Data Centers Department

KielNET GmbH
Gesellschaft fuer Kommunikation
Preusserstr. 1-9, 24105 Kiel

Phone   : 0431 2219-053
Mobile  : 0170 403 5600
Fax     : 0431 2219-005
E-Mail  : s.juergensen at kielnet.de
Internet: http://www.kielnet.de

Managing Director Eberhard Schmidt
HRB 4499 (Kiel District Court)

PGP details at
http://pgp.kielnet.de/sjuergensen/

On Jul 20, 2009, at 2:05 PM, W.C.A. Wijngaards wrote:

> Hi Sven,
>
> Because it is misconfigured and unbound's security policy.
>
> If you ask .com servers for wpbeginner.com
> it gives a delegation to:
> wpbeginner.com.   172800  IN  NS  ns1.uzzz.net.
> wpbeginner.com.   172800  IN  NS  ns2.uzzz.net.
> ns1.uzzz.net.     172800  IN  A   74.52.155.18
> ns2.uzzz.net.     172800  IN  A   74.52.155.19
>
> Unbound however, does not believe the ns1.uzzz.net addresses
> from here because of security policy. (Otherwise cache
> poisoning is going to happen). It decides to check up
> on things.
>
> It asks for ns1.uzzz.net to the .net servers that give
> this delegation:
> uzzz.net.         172800  IN  NS  ns1.uzzz.net.
> uzzz.net.         172800  IN  NS  ns2.uzzz.net.
> ns1.uzzz.net.     172800  IN  A   74.52.155.18
> ns2.uzzz.net.     172800  IN  A   74.52.155.19
>
> This time, having asked the .net servers, unbound believes
> the addresses, but the security policy is to check even further.
> Unbound asks uzzz.net nameservers for ns1.uzzz.net.
>
> As you can see in the dig sample below, it gets a reply
> with a different address for ns1.uzzz.net.
>
> $ dig @74.52.155.18 ns1.uzzz.net.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28863
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;ns1.uzzz.net.                 IN  A
> ;; ANSWER SECTION:
> ns1.uzzz.net.          14400   IN  A   72.249.16.25
> ;; AUTHORITY SECTION:
> uzzz.net.              86400   IN  NS  ns712.websitewelcome.com.
> uzzz.net.              86400   IN  NS  ns711.websitewelcome.com.
> ;; ADDITIONAL SECTION:
> ns712.websitewelcome.com. 130930 IN A  74.52.155.19
>
> So, it finds out that the real address of ns1.uzzz.net is
> 72.249.16.25!
> Because the uzzz.net server says so and is authoritative for the data.
>
> Unbound then asks 72.249.16.25 for wpbeginner.com.
>
> $ dig @72.249.16.25 wpbeginner.com
> ;; connection timed out; no servers could be reached
>
> The same story for ns2.uzzz.net, the server does not respond to
> queries.
>
> So, I would like to be able to provide the correct answer to
> users who want to connect to wpbeginner.com; unbound
> tries to fetch the most authoritative response for it, but that
> address will not answer.
>
> All that said, if you really want to resolve this, the
> option harden-glue: no does that. (And allows cache
> poisoning!).
>
> The best solution is to have wpbeginner.com publish correct
> information to the verisign servers, and/or run a nameserver
> on the address 72.249.16.25.
>
> Thank you for reporting the non-working address.
>
> Best regards,
> Wouter
>
>
> On 07/20/2009 12:46 PM, Sven Juergensen wrote:
>> Hi list,
>>
>> any idea why wpbeginner.com can't be resolved
>> using unbound 1.3.1?
>>
>> Thanks for any input.
>>
>> Best regards,
>>
>> Sven Juergensen
>>
>> dig any wpbeginner.com @89.27.130.35
>>
>> ; <<>> DiG 9.4.3-P1 <<>> any wpbeginner.com @89.27.130.35
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20992
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;wpbeginner.com. IN ANY
>>
>> ;; Query time: 2877 msec
>> ;; SERVER: 89.27.130.35#53(89.27.130.35)
>> ;; WHEN: Mon Jul 20 12:42:47 2009
>> ;; MSG SIZE rcvd: 32
>>
>>
>> Kind regards,
>>
>> i. A. Sven Juergensen
>>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
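
The comparison described in the quoted reply (glue handed out by the parent versus what the zone's own server answers authoritatively), as an added example that is not part of the original thread and not Unbound's code. It parses dig-style records copied from the thread and reports where parent and child disagree; the function names are hypothetical.

```python
# Records below are copied from the dig output quoted in the thread.
PARENT_REFERRAL = """\
uzzz.net. 172800 IN NS ns1.uzzz.net.
uzzz.net. 172800 IN NS ns2.uzzz.net.
ns1.uzzz.net. 172800 IN A 74.52.155.18
ns2.uzzz.net. 172800 IN A 74.52.155.19
"""
CHILD_REPLY = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; ANSWER SECTION:
ns1.uzzz.net. 14400 IN A 72.249.16.25
;; AUTHORITY SECTION:
uzzz.net. 86400 IN NS ns712.websitewelcome.com.
uzzz.net. 86400 IN NS ns711.websitewelcome.com.
;; ADDITIONAL SECTION:
ns712.websitewelcome.com. 130930 IN A 74.52.155.19
"""

def parse_dig(text):
    """Return (header flags, [(section, owner, type, rdata), ...])."""
    flags, section, records = set(), None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";; flags:"):
            flags = set(line.split("flags:")[1].split(";")[0].split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line.split()[1]
        elif line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((section, owner.lower(), rtype, rdata.lower()))
    return flags, records

def rrsets(records, sections):
    """Group rdata by (owner, type) for records in the given sections."""
    out = {}
    for section, owner, rtype, rdata in records:
        if section in sections:
            out.setdefault((owner, rtype), set()).add(rdata)
    return out

def glue_mismatches(referral, reply):
    """List (owner, type, parent data, child data) where parent and child disagree."""
    flags, child_records = parse_dig(reply)
    if "aa" not in flags:  # only an authoritative answer outranks the glue
        raise ValueError("reply is not authoritative; cannot judge the glue")
    parent = rrsets(parse_dig(referral)[1], {None})  # referral text has no section headers
    child = rrsets(child_records, {"ANSWER", "AUTHORITY"})
    return [(o, t, sorted(parent[o, t]), sorted(child[o, t]))
            for (o, t) in sorted(parent) if (o, t) in child and parent[o, t] != child[o, t]]

if __name__ == "__main__":
    for owner, rtype, p, c in glue_mismatches(PARENT_REFERRAL, CHILD_REPLY):
        print(f"{owner} {rtype}: parent says {p}, authoritative server says {c}")
```

On the thread's data this flags both the ns1.uzzz.net address and the uzzz.net NS set, which is the inconsistency the domain owner would need to fix at the registry or on the nameservers.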