Maintained by: NLnet Labs

[Unbound-users] tcp and dnssec question

W.C.A. Wijngaards
Mon Jun 10 13:25:04 CEST 2013


Hi Shmick,

On 06/03/2013 05:17 PM, shmick at riseup.net wrote:
> hi list,
> 
> i have unbound configured as follows:
> 
> Version 1.4.20
> linked libs: libevent 2.0.21-stable (it uses epoll), ldns 1.6.16, OpenSSL 1.0.1e 11 Feb 2013
> linked modules: validator iterator
> configured for i686-pc-linux-gnu on Fri May 31 00:02:11 EST 2013 with options: '--with-pthreads' '--with-ldns' '--with-ssl' '--with-libevent'
> 
> validator-iterator yes as well
> 
> 
> do-udp: "yes"
> 
> 
> do-tcp: "yes"
> 
> 
> tcp-upstream: "no"
> 
> when i conduct tests from Berkeley Uni's dns unit:
> 
> netalyzr.icsi.berkeley.edu
> 
> i get the following errors:
> 
> 
> 1. Your DNS resolver may have significant transport-problems with
> the upcoming DNSSEC deployments. The resolver is incapable of
> falling back to TCP.
> 
> 2. Your resolver is incapable of using TCP to process requests when
> necessary.

Your middleboxes (firewalls, routers, switches, and other equipment
(load balancers)) forbid TCP traffic on port 53.  Hence unbound cannot
do TCP requests.  You should allow TCP port 53.

Best regards,
   Wouter

> any help on remediating these would be appreciated.
> 
> if somebody could try the test and see the interesting results with
> the same tcp config as i have it would be interesting to see if
> it's a repeatable result to isolate... 

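An added example, not part of the original thread and not NLnet Labs code: a check, run from the resolver host, of whether a DNS server can be reached over TCP port 53 with a DNSSEC-enabled (DO bit) query. It assumes Python 3; the function names and the `ok` / `no-tcp` / `bad-reply` labels are illustrative.

```python
import socket
import struct
import sys

def build_query(name, qtype=48, qid=0x1234):
    """Build a DNS query (default type DNSKEY=48) with EDNS0 and the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a DNS message in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_tcp(server, msg, port=53, timeout=3.0):
    """Send msg over TCP with the 2-byte length prefix DNS uses on TCP; return the reply."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def check_tcp_path(server, name=".", qtype=48, port=53, timeout=3.0):
    """Return 'ok', 'no-tcp' (timeout, refused, reset) or 'bad-reply'."""
    query = build_query(name, qtype)
    try:
        reply = query_tcp(server, query, port, timeout)
    except OSError:  # covers timeouts, refusals, resets and unreachable hosts
        return "no-tcp"
    # A valid answer echoes our query ID and has the QR (response) bit set.
    if len(reply) < 12 or reply[:2] != query[:2] or not reply[2] & 0x80:
        return "bad-reply"
    return "ok"

if __name__ == "__main__":
    # Usage: python3 thisfile.py <server-ip> [<server-ip> ...]
    for server in sys.argv[1:]:
        print(server, check_tcp_path(server))
```

A `no-tcp` result for servers that answer the same query over UDP points at filtering of TCP port 53 somewhere on the path, which is the condition described in the reply above.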