Maintained by: NLnet Labs

[Unbound-users] problems resolving www.iana.org / ianawww.vip.icann.org

Daisuke HIGASHI
Sat Jun 18 16:56:46 CEST 2011


Hi,

Leen Besselink wrote:

> Is it just me or is Unbound 1.4.7 not able to resolve www.iana.org /
ianawww.vip.icann.org right now ?

Unbound with DNSSEC validation not able to resolve www.iana.org.
BIND9 manages to do it but takes long time because of many timeouts.

It seems that all NS in vip.icann.org returns broken response for
DNSKEY query with UDP. BIND9 retries query with TCP and gets complete
DNSKEY but Unbound does not.

Despite vip.icann.org NS are broken, is Unbound behavior correct?

------------------
> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +dnssec
  <snip>
;; connection timed out; no servers could be reached

> dig @gtm1.lax.icann.org vip.icann.org DNSKEY +tcp +dnssec
<very large DNSKEY RRSet and RRSIG>
------------------

-- 
 Daisuke HIGASHI <daisuke.higashi at gmail.com>