Maintained by: NLnet Labs

priming and dnskey

W.C.A. Wijngaards
Thu Aug 3 16:04:56 CEST 2017


Hi T.Suzuki,

I don't know why it is querying for the root DNSKEY for you.  It should
not do that, unless a client asked for it.

Do you have verbosity 5 debug logs?  Perhaps this config file is not the
actual config file used by your resolver?

Best regards, Wouter

On 03/08/17 14:14, T.Suzuki via Unbound-users wrote:
> On Thu, 3 Aug 2017 09:08:52 +0200
> "W.C.A. Wijngaards via Unbound-users" <unbound-users at unbound.net> wrote:
> 
>> Hi T.Suzuki,
>>
>> Do you have prefetch-key enabled still?  It causes the DNSKEY to be
>> prefetched.  If so, that would just be extra data in the cache, and not
>> hamper KSK rollovers.
> 
> I do not enable any key configuration.
> 
> unbound 1.6.3 (FreeBSD 11.0-RELEASE pkg)
> 
> server:
> 	verbosity: 1
> 	interface: 127.0.0.2
> 	msg-cache-size: 8m
> 	rrset-cache-size: 8m
> 	access-control: 127.0.0.0/8 allow
> 	logfile: "unbound.log"
> 	log-queries: yes
> 	root-hints: "named.cache"
> 	private-address: 172.16.0.0/12
> 	private-address: 192.168.0.0/16
> 	unwanted-reply-threshold: 100000
> 	do-not-query-localhost: no
> 	# prefetch-key: no
> 	module-config: "iterator"
> 	# auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
> 	# trust-anchor-file: ""
> 
> python:
> remote-control:
> 	control-enable: yes
> 
> # tshark -n port 53
> Capturing on 'em0'
>     1   0.000000 172.16.168.136 → 199.7.91.13  DNS 70 Standard query 0xca87 NS <Root> OPT
>     2   0.015573  199.7.91.13 → 172.16.168.136 DNS 1139 Standard query response 0xca87 NS <Root> NS f.root-servers.net NS e.root-servers.net NS i.root-servers.net NS k.root-servers.net NS a.root-servers.net NS b.root-servers.net NS d.root-servers.net NS g.root-servers.net NS h.root-servers.net NS l.root-servers.net NS m.root-servers.net NS j.root-servers.net NS c.root-servers.net RRSIG A 198.41.0.4 A 192.228.79.201 A 192.33.4.12 A 199.7.91.13 A 192.203.230.10 A 192.5.5.241 A 192.112.36.4 A 198.97.190.53 A 192.36.148.17 A 192.58.128.30 A 193.0.14.129 A 199.7.83.42 A 202.12.27.33 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:200::b AAAA 2001:500:2::c AAAA 2001:500:2d::d AAAA 2001:500:a8::e AAAA 2001:500:2f::f AAAA 2001:500:12::d0d AAAA 2001:500:1::53 AAAA 2001:7fe::53 AAAA 2001:503:c27::2:30 AAAA 2001:7fd::1 AAAA 2001:500:9f::42 AAAA 2001:dc3::35 OPT
>     3   0.015879 172.16.168.136 → 198.41.0.4   DNS 70 Standard query 0x6795 DNSKEY <Root> OPT
>     4   0.130131   198.41.0.4 → 172.16.168.136 DNS 1181 Standard query response 0x6795 DNSKEY <Root> DNSKEY DNSKEY DNSKEY RRSIG OPT
> 
> 

