On Wed, 31 Mar 2010, Bernhard Schmidt wrote: > It occasionally happens after about one to two weeks of uptime that I cannot > query any .de domain anymore. All of the sudden the log is full of validation > errors > Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- > DNSKEY rrset is not secure <de. DNSKEY IN> > Mar 30 21:06:10 svr01 last message repeated 2 times > Mar 30 21:06:10 svr01 unbound: [1315:0] info: failed to prime trust anchor -- > could not fetch DNSKEY rrset <de. DNSKEY IN> > Mar 30 21:06:10 svr01 last message repeated 2 times > > The process has been running untouched since March 21st. > > I raised this on the DENIC ml. Peter Koch told me that he sees queries from > my IP address without the OPT-RR (so no EDNS and no DO) during that > timeframe. Which would of course mean that Unbound would not get any DNSSEC > records, so complaining is a good plan indeed. Did you check the ntp/clock settings on the machines involved? You might need to add a lot of verbosity to get more logs out of unbound. Or if you still have that instance, running, use unbound-remote to dump the cache to a file and we might be able to get more information out of it. Paul