Maintained by: NLnet Labs

[Unbound-users] Issue Resolving ""

Casey Deccio
Tue Jan 6 22:47:20 CET 2015

On Tue, Jan 6, 2015 at 4:10 PM, Paul Niemi <paul.niemi at> wrote:

> Hello,
> We are an ISP, and are experiencing an issue looking up "", with
> unbound version 1.4.17 on Debian linux.  When we have DNSSEC enabled (our
> normal configuration), and make a query for "", we get a
> reply that it does not exist (NXDOMAIN).  If we disable the DNSSEC, by
> commenting the "auto-trust-anchor-file" line in the config, then the query
> is successful.  We tried turning up the logging verbosity, but we are not
> sure what all is going on in the log.  Does anyone have any insight into
> what is going on here, or what I should be looking for in the log?  We have
> tried against some other open DNS servers (Google, OpenDNS) and the query
> is successful there, as well.  It just seems to be our unbound DNS server
> with DNSSEC enabled, that fails.

Hi Paul,

FWIW, I am unable to reproduce the NXDOMAIN on my own instance of unbound
of the same version and platform:

$ dig +dnssec +noall +answer @localhost
        42979    IN    A
        42979    IN    RRSIG    A 7 2 43200 20150127124709 20141228124709 36677 DiiANUA7vVgpxuliAG95OCwKMxqf5u182R5KV6+Q1Wuufo5JKzKfbgJS 8eI=

That being said, the domain has (at least) some issues with consistency
across anycast instances.  ns200 shows two different serials from two
different locations:

client1$ dig +dnssec +noall +answer soa | awk '$4 ~ /SOA/ { print $7 }'
client2$ dig +dnssec +noall +answer soa | awk '$4 ~ /SOA/ { print $7 }'

Likewise, ns200 returns RRSIGs from one location, and not from the other.

client1$ dig +dnssec mx | grep RRSIG | wc -l
client2$ dig +dnssec mx | grep RRSIG | wc -l

DNSViz sees this too:

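The consistency check Casey runs by hand above (compare SOA serials and RRSIG presence from several vantage points against the same anycast server), written up as a small added example that is not part of this thread: it parses dig-style `+noall +answer` output captured from each client and reports the two symptoms described. The domain example.com, the nameserver ns200.example.com and all record data are constructed placeholders for the names scrubbed from the archive.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed dig answer sections (+noall +answer) from two clients querying
# the same anycast nameserver. example.com stands in for the scrubbed domain.
CLIENT1 = """\
example.com.  3600  IN  SOA  ns200.example.com. hostmaster.example.com. 2015010601 7200 3600 1209600 300
example.com.  3600  IN  RRSIG  SOA 7 2 3600 20150127124709 20141228124709 36677 example.com. AAAA=
example.com.  3600  IN  MX  10 mail.example.com.
example.com.  3600  IN  RRSIG  MX 7 2 3600 20150127124709 20141228124709 36677 example.com. BBBB=
"""
CLIENT2 = """\
example.com.  3600  IN  SOA  ns200.example.com. hostmaster.example.com. 2015010401 7200 3600 1209600 300
example.com.  3600  IN  MX  10 mail.example.com.
"""

@dataclass
class Snapshot:
    serial: Optional[int] = None           # SOA serial seen from this client
    rrsig_types: set = field(default_factory=set)  # RR types that carried an RRSIG

def parse_answer(text):
    """Extract the SOA serial and the set of RRSIG-covered types from dig output."""
    snap = Snapshot()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        rtype = fields[3]
        if rtype == "SOA":
            snap.serial = int(fields[6])     # 7th column, same as awk's $7 above
        elif rtype == "RRSIG":
            snap.rrsig_types.add(fields[4])  # "type covered" is the first RDATA field
    return snap

def find_inconsistencies(snapshots):
    """Return findings when anycast instances disagree on serial or signatures."""
    findings = []
    serials = {name: s.serial for name, s in snapshots.items()}
    if len(set(serials.values())) > 1:
        findings.append(f"SOA serial differs across instances: {serials}")
    covered = set().union(*(s.rrsig_types for s in snapshots.values()))
    for rtype in sorted(covered):
        missing = sorted(n for n, s in snapshots.items() if rtype not in s.rrsig_types)
        if missing:
            findings.append(f"RRSIG over {rtype} absent at: {missing}")
    return findings

if __name__ == "__main__":
    for f in find_inconsistencies({"client1": parse_answer(CLIENT1), "client2": parse_answer(CLIENT2)}):
        print(f)
```

A validating resolver that reaches the unsigned instance will fail validation, which is why results differ between vantage points and between resolvers with and without a trust anchor configured.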