Maintained by: NLnet Labs

[Unbound-users] Problem to resolve domains from a certain registrar

Leo Bush
Wed Aug 24 10:02:59 CEST 2011


Dear all,

For one month our company has been using unbound-1.4.8-1 on two RH6 servers as
caching and resolving servers with IPv6 and DNSSEC enabled. These two
servers deal with all our DNS traffic, generated by all our customers
(2x 5Mbps peak traffic). They work as standalone servers, with no
complicated network components (load balancer...) around.

At the beginning we used to activate the option use-caps-for-id, but
since we got complaints from customers that certain domains were
available everywhere in the world except with us, we preferred to deactivate it.

Currently we face the following rather strange problem:
Under normal working conditions, 70-90% of the time our two
production servers cannot resolve domains registered at register.be
and lying on the three authoritative name servers ns1.register.be,
ns3.register.be, ns2.register.be (example: leonidas.be, estates.lu).
They return a SERVFAIL. register.be itself works all the time. By
chance it sometimes works correctly for a brief period of time. Even
though it was not easy due to the thousands of packets passing through
per second, I succeeded in tracing the packets the server sends to the
authoritative servers and it gets correct answers back.

I tried to install unbound 1.4.8 with the same configuration file (see 
attachment) on a desktop machine and there was no issue. All resolutions 
against domains at register.be were immediate and correct.

As customers continued to complain I was forced to take one server out
of production and to replace it with bind, which works correctly. Now I
have one server with unbound that has the problem and one server with
bind that works fine in production. The formerly faulty unbound server
that is now offloaded currently responds correctly in all tests (no
restart done, no reboot done, just IP address switched).

Does anybody have an idea how I can solve this problem? Shall I offer 
you more technical information? Do you have further tests to suggest?

Kind regards and thank you for any advice

Leo Bush

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: unbound.conf
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20110824/cd750951/attachment.ksh>