Maintained by: NLnet Labs

[Unbound-users] Unbound stops answering after ADSL-line bounce

W.C.A. Wijngaards
Fri Feb 10 11:05:19 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andreas,

On 01/27/2012 01:57 PM, lst_hoe02 at kwsoft.de wrote:
> Zitat von Jan-Piet Mens <jpmens.dns at gmail.com>:
> 
>>>                                  We have "solved" the problem by
>>> setting the internal Unbound to not validate and let the forwarder
>>> do the DNSSEC work.
>>
>> That would be a neat feature for DNSSEC-Trigger: detect that the
>> upstream forwarder is Unbound (version.bind chaos txt) and disable the
>> validator. Well, maybe not. :-)
> 
> In our case it doesn't matter because both resolvers are managed by us,
> but for sure this should not be done automatically. Basically it looks
> like there are "rough-edges" when cascaded resolvers all try to do
> DNSSEC validation.

This was with unbound at an older version?  In 1.4.11 there has been a
fix that should help cascading validators.  The issue is that the
downstream validator sends CD=1 queries to the upstream.  Now, suppose
an authority server is outdated but another is not.  Then the downstream
validator cannot perform failover to the other authority server, because
it has to talk to the upstream validator.  The upstream validator cannot
perform failover to the other authority server because with CD=1 it is
not validating the query.  The fix in 1.4.11 is to make the upstream
validator perform failover to the other authority server for CD=1
queries as well.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPNOveAAoJEJ9vHC1+BF+NjVsP/AsdqdgEHGyzU7nj1OSxd4Lu
ulpWHquRBUG9up2y0/MqNseVZ/K5PUMB/91e0jMLiPT5UZBk48BN7f65yqzt+VYl
AElxbSRbz/WaemJ4GlU3y6bJsh1trDnIbH4S5XF9nY7oCotu7mL5ZfMClRvP2KMk
u1B26Li77cHq99ga91YnHbySztXZ5Mu5zVxhSDaKNaOf6SEPMOUjfJweokFQX9C/
NJ7IJdgcB9RvXhLwAaqm79QBcTbpvDxF8BeMq/W5TgogNOBvRctH8+yhv8wRbAPm
3nrZAJImVCtoxWDpZhkEN2GEm65G2Qlaj5KZByoRZxC5kLzC8WRlhX+KdzRUOlEU
Hp6/lGnjdTzKBRcFXqk+LFOo+hpkx+OFcZMMfjJV8+FaUVc1VM0UBapuavtKl5GT
a0Rv4R1OiK0xCJujKndx8H3luDCI5bxiNMMZVO6qN0H7pZxaD1omaPjV9tsz3ojj
/7Wf+vUH7DOQCqUuA+UirLqGsAXyHW+qhdMHel/9z8hcmiaP/1C47tk2ac6sw/G7
glQ9xlNP+HPqLPf1zOy935jVuAMotfPYEW5/86zQMnWhNEK83m37HfpCHJKKcscs
PByzv1DhhAa0O5ZJYZU4NTaFFL/DhPKyQizpR6OCN5bEF1qwdhyeNxp9wf/iDCvn
ijXbzeZvSPiwsh9X8C+o
=noba
-----END PGP SIGNATURE-----