Maintained by: NLnet Labs

[Unbound-users] unbound has info, but does not answer it

Over Dexia
Tue Aug 20 14:50:24 CEST 2013


On 20.08.2013 14:20, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Over,
>
> So the replies from maradns are fine, but then you have DNSSEC
> validation enabled.  But DNSSEC replies do not make it from the
> internet to you.
>
> This bit:
>> servselect ip4 195.243.137.26 port 53 (len 16) Aug 19 15:36:09
>> unbound[8442:0] debug:    rtt=48128 Aug 19 15:36:09 unbound[8442:0]
>> debug: selrtt 48128 Aug 19 15:36:09 unbound[8442:0] info: sending
>> query: de. DNSKEY IN
>
> So, queries for the root DNSKEY, .de DNSKEY all time out.  Probably,
> you have a firewall that blocks DNS traffic bigger than 512.  Fix the
> firewall or router.
>
> Or, you somehow drop all traffic with EDNS0 in it.  The firewall
> deep-inspects and drops DNS traffic with EDNS0 extensions (needed for
> DNSSEC).


This is very important info, thanks.


> Another option is to disable dnssec validation.  But it is better to
> fix your network firewalls, routers or other filtering, that drops
> DNSSEC answers (such as the de DNSKEY).
>
> Yet another option is to configure unbound to advertise an EDNS size
> of 512.

Since I need unbound to serve information (gathered from internal
servers) even when the internet is unavailable, I probably have to
disable DNSSEC.

This solved my problem. Thanks a lot for your help and best regards, jo
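The two options Wijngaards describes, written out as an added unbound.conf example (this is not part of the thread and not the original poster's actual configuration). The trust-anchor path, the internal zone name and the stub server address are placeholders; only the `edns-buffer-size`, `module-config`, `domain-insecure` and `stub-zone` directives themselves are real Unbound options.

```conf
# Added example, not from the mailing-list thread.
# Two ways to deal with validated answers that never arrive.

server:
    # Option A (keeps DNSSEC validation): advertise a 512-byte EDNS buffer.
    # Answers that would exceed 512 bytes over UDP (root and .de DNSKEY
    # sets, for instance) come back with TC set and Unbound retries them
    # over TCP, instead of the large UDP reply being silently dropped.
    # This only helps when the filter acts on size; a filter that drops
    # every packet carrying an EDNS0 OPT record still has to be fixed.
    edns-buffer-size: 512

    # Placeholder path: the root trust anchor this resolver validates from.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Option B (what the original poster chose): run without the validator
    # module. Unbound then never needs the DNSKEY records that were timing
    # out, but it also no longer detects forged or tampered answers.
    # Uncomment this line and remove the auto-trust-anchor-file above.
    # module-config: "iterator"

    # With Option A, an unsigned internal zone would otherwise fail
    # validation against the root chain. Declare it insecure explicitly.
    domain-insecure: "internal.example"

# Internal names must keep resolving when the internet is unreachable,
# so they are fetched from the internal authoritative server directly
# instead of through the recursive path. Placeholder name and address.
stub-zone:
    name: "internal.example"
    stub-addr: 192.0.2.53
```

Check the file with `unbound-checkconf` before reloading. To tell the two failure modes apart from a client, send `dig +dnssec DNSKEY de. @<resolver>` through Unbound and compare with the same query sent directly to an upstream server, once with `+bufsize=512` and once with `+noedns`: if only the small-buffer query succeeds, the filter acts on size and Option A is enough; if the query without EDNS is the only one that answers, EDNS0 itself is being dropped and the network path has to be repaired regardless of the Unbound setting.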