Maintained by: NLnet Labs

[Unbound-users] Cascading Unbound and automatic key update

lst_hoe02 at kwsoft.de
Tue Jan 10 15:43:43 CET 2012


Hello

we have an internal unbound cache using a second unbound instance at
the border firewall to do DNS resolution with DNSSEC enabled. Today
our internal unbound stopped working with errors like this:

Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.at-web.de. A IN>: no DNSSEC records from x.x.x.x for DS at-web.de. while building chain of trust
Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.heise.de. A IN>: no DNSSEC records from x.x.x.x for DS heise.de. while building chain of trust

The instance at the border firewall has no errors in the log and works
fine all the time. After restarting the internal instance, it is also
working fine again. The auto-trust-anchor-file of the internal
instance has a timestamp from the restart of the instance, so I
suspect something went wrong with the update of this file, but I have
no clue why the restart cured it.

Both instances are Unbound version 1.4.14 with auto-trust-anchor  
enabled. The forwarding from internal to firewall instance is done  
this way:

forward-zone:
    name: "."
    forward-addr: x.x.x.x

What can we do to debug this problem and prevent it from happening again?

Thanks

Andreas
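The log lines quoted in the post are a usable signal: an internal resolver that loses its chain of trust keeps answering SERVFAIL until someone notices. The following POSIX shell script is an added example, not code from the post, from NLnet Labs or from Unbound itself. It extracts the "validation failure ... no DNSSEC records from <addr> for DS <zone>" lines, counts them, lists the affected zones and forwarder addresses, and checks whether the auto-trust-anchor-file has been rewritten recently (Unbound records its RFC 5011 probe times in that file, so a stale file on a running instance is worth a look). The sample log content is constructed to match the format quoted above, with 192.0.2.1 standing in for the forwarder; the log path and the --demo flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from NLnet Labs.
# Scans an Unbound log for DNSSEC validation failures of the kind quoted in
# the post and summarises which DS lookups failed and via which forwarder,
# so a cron or monitoring job can raise an alarm instead of waiting for a
# restart. Sample log lines are constructed; the log path is an assumption.

# count_validation_failures LOGFILE
#   Number of lines in LOGFILE in which Unbound reported a validation failure.
count_validation_failures() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'validation failure' "$1" || true   # grep -c prints 0 on no match
}

# failed_ds_zones LOGFILE
#   Zones named in "no DNSSEC records from <addr> for DS <zone>. while
#   building chain of trust", one per line, deduplicated.
failed_ds_zones() {
    sed -n 's/.*for DS \([^ ]*\)\. while building chain of trust.*/\1/p' "$1" | sort -u
}

# failing_upstreams LOGFILE
#   Forwarder addresses that returned no DNSSEC records, deduplicated.
failing_upstreams() {
    sed -n 's/.*no DNSSEC records from \([^ ]*\) for DS.*/\1/p' "$1" | sort -u
}

# anchor_file_fresh FILE MAXDAYS
#   Succeeds when FILE exists and was modified within the last MAXDAYS days.
#   Unbound rewrites the auto-trust-anchor-file as its RFC 5011 probes run,
#   so a file that has not changed for a long time on a running instance is
#   a symptom worth investigating.
anchor_file_fresh() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# check_log LOGFILE
#   Prints a summary and returns 1 when any validation failure is present,
#   so the function can drive a monitoring check directly.
check_log() {
    n=$(count_validation_failures "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no validation failures in $1"
        return 0
    fi
    echo "WARN: $n validation failure(s) in $1"
    echo "  DS lookups failed for: $(failed_ds_zones "$1" | tr '\n' ' ')"
    echo "  forwarder(s) returning no DNSSEC records: $(failing_upstreams "$1" | tr '\n' ' ')"
    return 1
}

# make_sample_log
#   Writes constructed log lines (format copied from the post, forwarder
#   address replaced by the documentation address 192.0.2.1) to a temporary
#   file and prints its path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.at-web.de. A IN>: no DNSSEC records from 192.0.2.1 for DS at-web.de. while building chain of trust
Jan 10 14:33:53 mailer unbound: [27958:0] info: validation failure <www.heise.de. A IN>: no DNSSEC records from 192.0.2.1 for DS heise.de. while building chain of trust
Jan 10 14:33:54 mailer unbound: [27958:0] info: resolving www.example.net. A IN
EOF
    echo "$f"
}

# Stand-alone demonstration on the constructed sample: "sh thisfile --demo".
# Exit status mirrors check_log, so a non-zero exit means failures were seen.
if [ "${1:-}" = "--demo" ]; then
    LOG=$(make_sample_log)
    check_log "$LOG"
    rc=$?
    rm -f "$LOG"
    exit $rc
fi
```

In production the same functions would be pointed at the real log (for instance `check_log /var/log/unbound.log` from a cron job, with `anchor_file_fresh /etc/unbound/root.key 30` alongside it, both paths being assumptions), and a non-zero exit from `check_log` would page someone while the border instance is still answering normally, which is exactly the situation the post describes.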