Maintained by: NLnet Labs

obtaining a trust-anchor takes very long

rainer at ultra-secure.de
Mon Mar 27 10:56:44 CEST 2017


Hi,

I have unbound 1.6.0 (package, not the included one) on FreeBSD 11 
(amd64) in a setup where it forwards its queries to a number of upstream 
cache servers (also unbound).

Fetching the "anchor" takes 50-ish seconds each time it's restarted.
(slave <unbound>) 0 # time service unbound restart
Stopping unbound.
Obtaining a trust anchor:.
Starting unbound.
service unbound restart  0.03s user 0.02s system 0% cpu 52.246 total

From the ktrace output, I see that it tries to contact the root-servers.
This does not make sense as only access to said upstream cache servers
is possible.

These forwarders are configured in an include file of unbound.conf and 
used for normal lookups but not for the trust-anchor setup, it seems.

How is this supposed to work?


Additionally, unbound-anchor seems to use the first IP on the interface 
it finds to bind to for outgoing queries - even though a different one 
is configured in unbound.conf. This doesn't look "right" to me but in 
this case I just swapped the IPs so that the one unbound uses is the 
first one.
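The post describes forwarders that are configured in an unbound.conf include file and used for normal lookups, while the anchor fetch still goes to the root servers. One way to keep the anchor fetch on the same permitted path is to hand unbound-anchor a resolv.conf-format nameserver list built from those forward-addr lines (unbound-anchor reads such a file with its -f option). The script below is an added example, not code from the post or from NLnet Labs: it extracts the forward-addr entries from an include file, drops any "@port" suffix (resolv.conf has no port field), ignores commented-out lines and duplicates, and prints "nameserver" lines. The include file content and the 192.0.2.x addresses are constructed for the demonstration; the include file path on a real system is whatever unbound.conf includes.

```shell
#!/bin/sh
# Added example (not from the original post): derive a resolv.conf-style
# nameserver list from the forward-addr lines of an unbound.conf include
# file, so the trust-anchor fetch can be pointed at the same forwarders
# (unbound-anchor -f FILE) instead of trying the root servers directly.

# forwarders_to_resolvconf FILE
#   Prints one "nameserver ADDR" line per distinct forward-addr in FILE.
#   - only lines starting with "forward-addr:" (after whitespace) count,
#     so commented-out entries are skipped
#   - an "@port" suffix is dropped, since resolv.conf cannot carry a port
#   - duplicates are printed once, first occurrence wins
forwarders_to_resolvconf() {
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | sed 's/@.*$//' \
        | awk '!seen[$0]++ { print "nameserver " $0 }'
}

# write_sample_conf FILE
#   Writes a constructed include file (hypothetical addresses) to FILE.
write_sample_conf() {
    cat > "$1" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11@5353   # non-default port, dropped for resolv.conf
    # forward-addr: 192.0.2.99      # commented out, must be ignored
    forward-addr: 192.0.2.10        # duplicate, printed once
EOF
}

# Stand-alone run: build the sample, print the derived nameserver list.
SAMPLE=$(mktemp)
write_sample_conf "$SAMPLE"
forwarders_to_resolvconf "$SAMPLE"
rm -f "$SAMPLE"
```

On a real system the generated file would be written somewhere persistent and passed to unbound-anchor in the rc script's anchor step; whether the forwarders actually answer the root DNSKEY query (and validate it) is still worth checking with a manual run before relying on it.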