Maintained by: NLnet Labs

[Unbound-users] problems resolving some sites

lst_hoe02 at kwsoft.de
Fri Nov 26 14:48:55 CET 2010


Quoting FRLinux <frlinux at gmail.com>:

> Hello,
>
> I am trying to understand a problem on resolving a small fraction of
> sites from unbound. The server is a Debian Squeeze running behind a
> Firewall. 53/tcp, icmp and full udp are open on the box to the
> outside. Unbound is stock Debian (1.4.6-1). When I try to resolve this
> host for instance, it fails: ice.grid.kiae.ru whereas bind works.
>
> Here is my configuration, I would be grateful if someone could point
> me to the problem:
>
> server:
> 	verbosity: 1
> 	num-threads: 2
> 	interface: 0.0.0.0
> 	interface: ::0
> 	interface-automatic: yes
>         access-control: 127.0.0.0/8 allow
>         access-control: ::1 allow
>         access-control: ::ffff:127.0.0.1 allow
>         access-control: xxxxxxx allow (where xxxx is our public range)
>         access-control: 0.0.0.0/0 refuse
>         access-control: ::0/0 refuse
> 	chroot: ""
> 	username: "unbound"
> 	directory: "/etc/unbound"
> 	logfile: "/var/log/unbound/unbound.log"
> 	pidfile: "/var/run/unbound.pid"
> 	root-hints: "/etc/unbound/named.cache"
> 	harden-glue: yes
> 	harden-dnssec-stripped: yes
> 	harden-referral-path: yes

This is a non-default setting and is labeled as experimental in the
documentation. It works fine here with the default (no); maybe try
setting it back to the default.
You could also try "+cdflag" to see if the non-result is related to DNSSEC.

BTW: Why do you not use the "auto-trust-anchor-file" setting as the  
root-zone is now signed?

Regards

Andreas
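
The "+cdflag" check suggested in the reply above can be scripted as follows; this is an added example, not part of the original message or of Unbound. The function names, the default resolver address 127.0.0.1 and the sample header lines are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: compare a normal query with a +cdflag (Checking Disabled)
# query to see whether a failed lookup is caused by DNSSEC validation.

# Extract the RCODE from the "status:" field of dig's header line.
rcode_of() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <rcode without CD> <rcode with CD>
classify() {
    case "$1/$2" in
        # Fails only while validating: the signed data or trust chain is bad.
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "dnssec-validation-failure" ;;
        # Still fails with validation skipped: look at iteration settings
        # (e.g. harden-referral-path) or reachability of the authoritatives.
        SERVFAIL/SERVFAIL) echo "not-dnssec-resolution-failure" ;;
        NOERROR/*|NXDOMAIN/*) echo "resolves" ;;
        # Timeouts (no header parsed) and other RCODEs end up here.
        *) echo "inconclusive" ;;
    esac
}

# Live use: diagnose <name> [resolver]   (resolver defaults to 127.0.0.1)
diagnose() {
    name=$1
    server=${2:-127.0.0.1}
    plain=$(dig "@$server" "$name" A +tries=1 +time=5)
    nocheck=$(dig "@$server" "$name" A +cdflag +tries=1 +time=5)
    classify "$(rcode_of "$plain")" "$(rcode_of "$nocheck")"
}

# Constructed sample header lines (not captured from the poster's server).
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# Only query the network when a name is given on the command line.
if [ "$#" -ge 1 ]; then
    diagnose "$@"
fi
```

Run it with the failing name as the first argument and, optionally, the resolver address as the second.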