Maintained by: NLnet Labs

[Unbound-users] Problem to resolve domains from a certain registrar

Lst_hoe02 at kwsoft.de
Thu Aug 25 14:21:45 CEST 2011


Quoting Leo Bush <leo.bush at mylife.lu>:

>
> On 24/08/2011 13:47, Lst_hoe02 at kwsoft.de wrote:
>>
>> Looks to me like an EDNS problem. At least some part of the .be zone
>> is DNSSEC signed and the replies get bigger than 512 bytes, as with
>> "dig x.dns.be A +dnssec". BIND has a feature to reduce the EDNS
>> size in case of trouble; not sure if Unbound does the same. What
>> you should check:
>> - Do the troublesome domains/names resolve with Unbound if you use
>> checking disabled (+cdflag)?
>> - Do you have any firewall device in front of your resolvers, maybe
>> some Cisco inspecting DNS traffic?
>> - Have you disabled Unbound TCP?
>>
>> For some hints on the problem have a look here:
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> Regards
>>
>> Andreas
>
> Hi,
>
> Thank you for helping my case. Here are my answers.
> - I have no firewall or other device inspecting the traffic in front  
> of the box, only packet filtering with iptables.
> - In the config file I have:
>         # Enable TCP, "yes" or "no".
>         # do-tcp: yes
>         # edns-buffer-size: 4096
>   So I assume that by default tcp is enabled.
>
>
> Following your suggestions I tried
>
> (initial settings)
> # dig leos.leonidas.be @resolv1 +cdflag
>
> ; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leoS.leonidas.be.              IN      A
>
> ;; Query time: 14 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:35:38 2011
> ;; MSG SIZE  rcvd: 34
>
>
>
> (initial settings)
> # dig leos.leonidas.be @resolv1 +cdflag +tcp
>
> ; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be.              IN      A
>
> ;; Query time: 9 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:35:53 2011
> ;; MSG SIZE  rcvd: 34
>
>
>
> (initial settings)
> # dig @resolv1  rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net.               IN      TXT
>
> ;; ANSWER SECTION:
> rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
> rst.x3827.rs.dns-oarc.net. 59   IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net. 58 IN  CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 DNS reply size limit is at least 3843"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 sent EDNS buffer size 4096"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 12:38:52 UTC"
>
> ;; AUTHORITY SECTION:
> x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.
>
> ;; ADDITIONAL SECTION:
> ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
>
> ;; Query time: 5972 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:38:52 2011
> ;; MSG SIZE  rcvd: 307
>
>
>
> Then I changed the following two settings:
>     do-tcp: yes
>     edns-buffer-size: 512
>
> I restarted the Unbound daemon. I immediately find the following messages in the log:
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory

This doesn't look good anyway. Are you low on memory? What do the
other Unbound settings look like?


> I repeated my tests from before:
>
> # dig @resolv1 leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
> 1 minute later
>
> # dig @resolv1 leos.leonidas.be +nodnssec
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be.              IN      A
>
> ;; ANSWER SECTION:
> leos.leonidas.be.       3600    IN      A       81.246.74.153
>
> ;; Query time: 56 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:46:49 2011
> ;; MSG SIZE  rcvd: 50
>
> # dig @resolv1  leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be.              IN      A
>
> ;; ANSWER SECTION:
> leos.leonidas.be.       2834    IN      A       81.246.74.153
>
> ;; Query time: 5 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:59:35 2011
> ;; MSG SIZE  rcvd: 50
>
>
>
> # dig @resolv1  leos.leonidas.be +dnssec
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;leos.leonidas.be.              IN      A
>
> ;; ANSWER SECTION:
> leos.leonidas.be.       2825    IN      A       81.246.74.153
>
> ;; Query time: 16 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:59:44 2011
> ;; MSG SIZE  rcvd: 61
>
>
>
> # dig @resolv1  rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
>
>
> As in the meantime my Cacti monitoring signals lots of dropped
> packets, and as the server's response seems slower to me
> (subjective feeling), I put back the initial settings.
>
> # dig @resolv1  leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be.              IN      A
>
> ;; Query time: 10 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 16:06:58 2011
> ;; MSG SIZE  rcvd: 34
>
>
> # dig @resolv1  rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net.               IN      TXT
>
> ;; ANSWER SECTION:
> rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
> rst.x3827.rs.dns-oarc.net. 59   IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net. 58 IN  CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply size limit is at least 3843"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS buffer size 4096"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 14:07:15 UTC"
>
> ;; AUTHORITY SECTION:
> x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.
>
> ;; ADDITIONAL SECTION:
> ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
>
> ;; Query time: 1073 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 16:07:15 2011
> ;; MSG SIZE  rcvd: 307
>

There was lately an issue with priming the root with DNSSEC taking very
long in some cases...
What are the settings for your trusted keys, and do you use IPv6?

Regards

Andreas
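The checks Andreas lists above (does the name still SERVFAIL with +cdflag, does +tcp change anything, what does the DNS-OARC reply-size test report) can be applied mechanically to dig output. The following is an added example and is not code from the thread, from Unbound or from NLnet Labs: it parses dig's text format and the rs.dns-oarc.net TXT answers, runs the three checks, and proposes a conservative edns-buffer-size. The sample outputs are constructed from (and trimmed down from) the ones quoted above, and the 1232-byte "safe" size is an assumption taken from the DNS Flag Day 2020 recommendation, not a value from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed safe UDP payload size (DNS Flag Day 2020 recommendation), not from the thread.
SAFE_EDNS_BUFFER_SIZE = 1232


@dataclass
class DigResult:
    status: Optional[str] = None      # NOERROR, SERVFAIL, ...; None if no reply
    flags: set = field(default_factory=set)
    edns_udp: Optional[int] = None    # "udp: N" from the OPT pseudosection
    answers: list = field(default_factory=list)
    timed_out: bool = False


def parse_dig(text: str) -> DigResult:
    """Parse dig's text output (the format quoted in the thread) into a DigResult."""
    r = DigResult()
    in_answer = False
    for line in text.splitlines():
        line = line.rstrip()
        if "connection timed out" in line:
            r.timed_out = True
        if m := re.search(r"status: ([A-Z]+),", line):
            r.status = m.group(1)
        if m := re.match(r";; flags: ([a-z ]*);", line):
            r.flags = set(m.group(1).split())
        if m := re.search(r"\budp: (\d+)", line):
            r.edns_udp = int(m.group(1))
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";") or not line:
            in_answer = False   # a section header or blank line ends the answers
        elif in_answer:
            r.answers.append(line)
    return r


def parse_oarc(result: DigResult):
    """(reply size limit, advertised EDNS buffer) from the rs.dns-oarc.net TXT answers."""
    limit = advertised = None
    for rr in result.answers:
        if m := re.search(r"DNS reply size limit is at least (\d+)", rr):
            limit = int(m.group(1))
        if m := re.search(r"sent EDNS buffer size (\d+)", rr):
            advertised = int(m.group(1))
    return limit, advertised


def diagnose(plain: DigResult, cd: DigResult, tcp: DigResult, oarc: DigResult) -> dict:
    """Apply the thread's checks to one name plus the OARC measurement."""
    limit, advertised = parse_oarc(oarc)
    return {
        # SERVFAIL that goes away with +cdflag is a DNSSEC validation result
        "validation_failure": plain.status == "SERVFAIL" and cd.status == "NOERROR",
        # SERVFAIL even with checking disabled: the resolver cannot fetch the data at all
        "fails_with_cd": plain.status == "SERVFAIL" and cd.status == "SERVFAIL",
        # +tcp only changes the stub-to-resolver hop; the resolver's upstream
        # transport is governed by its do-tcp setting, not by this flag
        "stub_tcp_helps": plain.status == "SERVFAIL" and tcp.status == "NOERROR",
        "reply_size_limit": limit,
        "advertised_buffer": advertised,
        # the OARC figure is a lower bound, so this suggests rather than proves fragment loss
        "advertised_exceeds_measured": None not in (limit, advertised) and advertised > limit,
    }


def suggested_edns_buffer_size(report: dict) -> int:
    """A conservative edns-buffer-size: never above the measured limit or the safe size."""
    limit = report["reply_size_limit"]
    return SAFE_EDNS_BUFFER_SIZE if limit is None else min(limit, SAFE_EDNS_BUFFER_SIZE)


# Constructed samples, trimmed from the dig outputs quoted in the thread.
SAMPLE_SERVFAIL_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_SERVFAIL = SAMPLE_SERVFAIL_CD.replace(" cd;", ";")
SAMPLE_A_WITH_512_BUFFER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
leos.leonidas.be.       2825    IN      A       81.246.74.153
"""
SAMPLE_OARC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 12:38:52 UTC"
"""
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    r = diagnose(*map(parse_dig, (SAMPLE_SERVFAIL, SAMPLE_SERVFAIL_CD, SAMPLE_SERVFAIL_CD, SAMPLE_OARC)))
    print(r, "suggested edns-buffer-size:", suggested_edns_buffer_size(r))
```

On the thread's own numbers the report comes out as fails_with_cd true, validation_failure false, stub_tcp_helps false and advertised_exceeds_measured true, which is the pattern that points at large UDP replies rather than at a bad signature. Note that stub_tcp_helps only says something about the hop in front of the resolver; whether Unbound itself falls back to TCP towards authoritative servers is decided by its do-tcp setting, which is why Andreas asked about it separately.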