On 24/08/2011 13:47, Lst_hoe02 at kwsoft.de wrote:
>
> Looks to me like an EDNS problem. At least some part of the .be zone is DNSSEC signed and the replies get bigger than 512 Byte like with "dig x.dns.be A +dnssec". Bind has a feature to reduce the EDNS size in case of trouble, not sure if Unbound does the same. What you should check:
> - Do the trouble domain/names resolve with unbound if you use checking disabled (+cdflag)
> - Do you have any firewall device in front of your resolvers maybe some Cisco inspecting DNS traffic
> - Do you have disabled Unbound tcp
>
> For some hints on the problem have a look here:
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> Regards
>
> Andreas

Hi,

Thank you for helping my case. Here are my answers.

- I have no firewall or other device inspecting the traffic in front of the box, only packet filtering with iptables.
- In the config file I have:

# Enable TCP, "yes" or "no".
# do-tcp: yes
# edns-buffer-size: 4096

So I assume that by default tcp is enabled.

Following your suggestions I tried

(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leoS.leonidas.be.      IN      A

;; Query time: 14 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:38 2011
;; MSG SIZE rcvd: 34

(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag +tcp

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.      IN      A

;; Query time: 9 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:53 2011
;; MSG SIZE rcvd: 34

(initial settings)
# dig @resolv1 rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.       IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net.      59      IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.        58      IN      CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "194.154.192.101 DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "194.154.192.101 sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "Tested at 2011-08-24 12:38:52 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net.      57      IN      NS      ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57      IN      A       149.20.58.136

;; Query time: 5972 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:38:52 2011
;; MSG SIZE rcvd: 307

Then I changed the following two settings:

do-tcp: yes
edns-buffer-size: 512

I restarted the unbound daemon. I immediately find the following messages in the log:

Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory

I repeated my tests from before:

# dig @resolv1 leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; connection timed out; no servers could be reached

1 minute later

# dig @resolv1 leos.leonidas.be +nodnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.      IN      A

;; ANSWER SECTION:
leos.leonidas.be.       3600    IN      A       81.246.74.153

;; Query time: 56 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:46:49 2011
;; MSG SIZE rcvd: 50

# dig @resolv1 leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.      IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2834    IN      A       81.246.74.153

;; Query time: 5 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:35 2011
;; MSG SIZE rcvd: 50

# dig @resolv1 leos.leonidas.be +dnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;leos.leonidas.be.      IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2825    IN      A       81.246.74.153

;; Query time: 16 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:44 2011
;; MSG SIZE rcvd: 61

# dig @resolv1 rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; connection timed out; no servers could be reached

As in the meantime my Cacti monitoring signals lots of dropped packets, and as the reaction of the server seems slower to me (subjective feeling), I put back the initial settings.

# dig @resolv1 leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.      IN      A

;; Query time: 10 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:06:58 2011
;; MSG SIZE rcvd: 34

# dig @resolv1 rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.       IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net.      59      IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.        58      IN      CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "xxxxx DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "xxxxx sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net.  57      IN      TXT     "Tested at 2011-08-24 14:07:15 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net.      57      IN      NS      ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57      IN      A       149.20.58.136

;; Query time: 1073 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:07:15 2011
;; MSG SIZE rcvd: 307

Kind regards
Leo Bush
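The checks Andreas lists (does the name still fail with +cdflag, does TCP work, what does the DNS-OARC reply-size test report) form a small decision tree; the script below is an added example, not part of this thread or of Unbound, that parses dig output and the rs.dns-oarc.net TXT strings and applies that tree. The dig snippets and TXT strings are constructed samples modeled on the output above, using the documentation address 192.0.2.10.

```python
import re

# Constructed samples modeled on the thread's dig output (not the original captures).
DIG_PLAIN = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n;; flags: qr rd ra; QUERY: 1\n;; MSG SIZE  rcvd: 34\n"
DIG_CD = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n;; flags: qr rd ra cd; QUERY: 1\n;; MSG SIZE  rcvd: 34\n"
DIG_TCP = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3\n;; flags: qr rd ra cd; QUERY: 1\n;; MSG SIZE  rcvd: 34\n"
OARC_TXT = ['"192.0.2.10 DNS reply size limit is at least 3843"',
            '"192.0.2.10 sent EDNS buffer size 4096"']

def parse_dig(text):
    """Pull the status code, header flags and received size out of dig's ';;' lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    size = re.search(r"MSG SIZE\s+rcvd: (\d+)", text)
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "size": int(size.group(1)) if size else None}

def parse_oarc(txts):
    """Read the proven reply-size limit and the advertised EDNS buffer from rs.dns-oarc.net TXT strings."""
    out = {}
    for t in txts:
        if m := re.search(r"reply size limit is at least (\d+)", t):
            out["limit"] = int(m.group(1))
        if m := re.search(r"sent EDNS buffer size (\d+)", t):
            out["advertised"] = int(m.group(1))
    return out

def diagnose(plain, cd, tcp, oarc):
    """Classify a SERVFAIL: a name that still fails with CD set is not a signature problem."""
    findings = []
    if plain["status"] == "SERVFAIL":
        if "cd" in cd["flags"] and cd["status"] == "SERVFAIL":
            findings.append("transport: SERVFAIL persists with checking disabled; look at EDNS size, fragments and TCP, not signatures")
        elif cd["status"] == "NOERROR":
            findings.append("validation: answer only arrives with checking disabled; inspect the zone's signatures and DS records")
    if tcp["status"] != "NOERROR":
        findings.append("tcp: query over TCP did not succeed; check do-tcp and any 53/tcp filtering")
    # The OARC test only proves replies up to 'limit' got through; an advertised buffer above that is worth a look.
    if oarc.get("advertised", 0) > oarc.get("limit", 0):
        findings.append("edns: advertised buffer %d exceeds the proven path limit %d; consider lowering edns-buffer-size"
                        % (oarc["advertised"], oarc["limit"]))
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_dig(DIG_PLAIN), parse_dig(DIG_CD), parse_dig(DIG_TCP), parse_oarc(OARC_TXT)):
        print(f)
```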