Re: unbound returns SERVFAIL although forwarder works just fine

2015-12-23 Thread Ralph Dolmans via Unbound-users
Hi Martin, Did you encounter this issue also with versions of unbound before 1.5.7? Does it happen after switching networks or immediately after booting? Are you sure the tcpdump output corresponds to this part of the log? The log indicates that no

Re: Unbound 1.6.1rc3 prerelease

2017-02-20 Thread Ralph Dolmans via Unbound-users
Hi Andreas, On 20-02-17 09:26, A. Schulze via Unbound-users wrote: > On note: > I included again a patch that implements nsec_aggressiveuse [1] > Works as expected but only for nsec, not nsec3. Please note that this patch has some issues. We are working on a complete implementation. Regards, --

Re: in-add.arpa

2016-10-07 Thread Ralph Dolmans via Unbound-users
Hi Raed, 10.in-addr.arpa queries are blocked by a default local zone. You can turn off the default content for a subzone by using the transparent local-zone type. So, in your case that will be something like: local-zone: "32.24.10.in-addr.arpa." transparent Setting the type to nondefault does

Re: unset the 'dnssec ok' flag in requests

2016-10-07 Thread Ralph Dolmans via Unbound-users
Hi Rob, No, Unbound does not have a configuration option to disable the DO flag on outgoing queries. Regards, -- Ralph On 06-10-16 19:56, Rob Andrzejewski via Unbound-users wrote: > Afternoon Unbound Users, > > In my particular use case of Unbound, we don't need dnssec validation. > I have

Re: Resolve dependent on source IP of request?

2016-10-03 Thread Ralph Dolmans via Unbound-users
Hi Leo, access-control-tag-data is what you are looking for. Data specified there will only be used when the local-zone and acl entry matches the tag. So, for example: define-tag: "foo bar" local-zone: "example." redirect local-zone-tag: "example." "foo bar" access-control-tag: 10.10.10.10/32

Re: Forward specific zone and refuse others

2016-10-14 Thread Ralph Dolmans via Unbound-users
Hi Kirill, You can block queries for all names, and then add an exception for example.org using local-zones: local-zone: "." refuse local-zone: "example.org" transparent And then configure a forwarder for example.org. Regards, -- Ralph On 14-10-16 17:30, Ковалев Кирилл via Unbound-users

Re: is a very large local-data list a problem?

2016-11-28 Thread Ralph Dolmans via Unbound-users
Hi Spike, The local-zones are stored in a red-black tree, so searching will be O(log n). Your memory usage will increase *a lot*. Unbound will create an 8k memory region for every local-zone containing local-data, so you will need ~40GB of memory. Do you really need the local data for each zone?

Re: no unbound-control without certificates?

2016-11-03 Thread Ralph Dolmans via Unbound-users
Hi Andreas, Are you using OpenSSL 1.1? Apparently it introduced security levels and by default doesn't allow aNULL ciphers. I just committed a version to our repository that sets the security level to 0 for the remote control ssl context when control-use-cert is no. Regards, -- Ralph On 03-11-16

Re: Prefetch threshold

2016-12-09 Thread Ralph Dolmans via Unbound-users
Hi Andrew, So, you would like to serve expired data (with TTL 0) and use prefetching to renew data before it expires? That is exactly what the serve-expired option does. This option is available in Unbound 1.6.0. Regards, -- Ralph On 08-12-16 20:56, Drew Rampulla (drampull) via Unbound-users

Re: Unbound 1.6.0rc1 prerelease

2016-12-12 Thread Ralph Dolmans via Unbound-users
Hi Spike, On 08-12-16 17:05, Spike via Unbound-users wrote: > Fantastic improvement, thanks Wouter and everybody else that made this > possible. > > A couple questions from an unbound noob regarding the new features, bear > with me please: > > - "Added two flags to module_qstate", does this

Re: Unbound 1.6.0rc1 prerelease

2016-12-15 Thread Ralph Dolmans via Unbound-users
Hi Spike, On 15-12-16 05:04, Spike wrote: > thanks for the insight Ralph. > > comments inline below: > > On Mon, Dec 12, 2016 at 2:19 AM Ralph Dolmans via Unbound-users > <unbound-users@unbound.net <mailto:unbound-users@unbound.net>> wrote: > > A

Re: Why are unbound-control local_zone_remove/local_zone/local_data so incredibly slow ?

2016-12-01 Thread Ralph Dolmans via Unbound-users
Local data is handled before the cache lookup. So the cache entries will be ignored as soon as there is matching local data. Regards, -- Ralph On 01-12-16 16:53, Over Dexia via Unbound-users wrote: > Am 30.11.2016 um 17:41 schrieb Tim Smith via Unbound-users: >> Interesting idea, nice bit of

Re: Why are unbound-control local_zone_remove/local_zone/local_data so incredibly slow ?

2016-11-30 Thread Ralph Dolmans via Unbound-users
Hi, Unbound-control sets up a TLS connection for every command. Setting up 30k TLS connections one after another does take some time. If your unbound daemon and unbound-control are on the same machine you could try to communicate over a secured local socket and disable control-use-cert. This

Re: Stub zone behavior

2016-12-27 Thread Ralph Dolmans via Unbound-users
Hi Mike, I meant unbound's working directory, configurable using the "directory" config element. Regards, -- Ralph On 23-12-16 17:13, Mike Brown wrote: > On Thu, Dec 22, 2016 at 04:22:26PM +0100, Ralph Dolmans wrote: >> Hi Mike, >> >> On 21-12-16 15:12, Mike Brown wrote: >>> I fixed the names

Re: private-address defaults in example config

2016-12-19 Thread Ralph Dolmans via Unbound-users
Hi Luis, According to that RFC, only addresses with the L bit (=8th bit) set to 1 are locally assigned. So that makes the fd00::/8 prefix. Section 4.4 of that RFC mentions that the locally assigned addresses are not recommended to be installed in the DNS. It also recommends returning NXDOMAIN

Re: RPZ support in Unbound?

2017-04-12 Thread Ralph Dolmans via Unbound-users
Hi Marco, Unbound does not have RPZ support. The reporter of bug #839 creates an Unbound configuration file containing local-zone elements using an RPZ feed. Regards, -- Ralph On 12-04-17 11:53, Marco Pizzoli via Unbound-users wrote: > Hi all, > I would like to understand better what is the support

Re: Unbound 1.6.2rc1 pre-release

2017-04-20 Thread Ralph Dolmans via Unbound-users
Hi Andreas, On 20-04-17 10:23, A. Schulze via Unbound-users wrote: > May this "new EDNS processing framework" also support RFC 8145 soon? > That would be helpful for the YETI DNS project for example. We are planning to implement the key tag query part of RFC 8145 soon. Will that be sufficient

Re: dns redirect to captive url

2017-04-24 Thread Ralph Dolmans via Unbound-users
Hi Joris, Unbound 1.6.0 introduced CNAME based redirects using local-data elements. Is that what you are looking for? Something like: local-zone: malwaredomains.com redirect local-data: "malwaredomains.com. CNAME sorry.mydomain.tld." Regards, -- Ralph On 21-04-17 18:24, Joris L. via

Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

2017-04-24 Thread Ralph Dolmans via Unbound-users
Hi Andreas, Any chance that the nameservers Unbound is sending queries to are not on the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to whitelisted addresses. Regards, -- Ralph On 24-04-17 10:43, A. Schulze via Unbound-users wrote: > > W.C.A. Wijngaards via Unbound-users: >

Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

2017-04-24 Thread Ralph Dolmans via Unbound-users
not sound like a wise thing to do. Regards, -- Ralph On 24-04-17 11:47, A. Schulze via Unbound-users wrote: > > Ralph Dolmans via Unbound-users: > >> Any chance that the nameservers Unbound is sending queries to are not on >> the ECS whitelist (send-client-subnet)? Unboun

Re: Problems about forward zone for subdomain

2017-09-14 Thread Ralph Dolmans via Unbound-users
Hi Newell, On 14-09-17 13:52, Newell Zhu via Unbound-users wrote: > > What does it mean? > > I want to find NS for www.example.com, but it > results in ab.example.com instead of example.com > . > > > Am I making mistakes or it's

Re: internal error: looping module stopped

2017-09-20 Thread Ralph Dolmans via Unbound-users
Hi Ales, Thanks for reporting. Do you have any non-default module enabled (subnetcache, ipsecmod, respip, ..)? -- Ralph On 20-09-17 08:18, Aleš Rygl via Unbound-users wrote: > Hello, > > While inspecting unbound logs after an upgrade to Unbound 1.6.0-3+deb9u1 I > have found some errors like

Re: Unbound 1.6.6 release

2017-09-20 Thread Ralph Dolmans via Unbound-users
Hi Andreas, The default local-zone type for "localhost." changed from static to redirect, so that the default local-data applies to both localhost. and its subdomains. You can change your local-data domain to localhost., then it will still be available under

Re: internal error: looping module stopped

2017-10-09 Thread Ralph Dolmans via Unbound-users
rness where > I can reproduce these. What additional information would be useful? > > On 09/20/2017 01:05 AM, Ralph Dolmans via Unbound-users wrote: >> Hi Ales, >> >> Thanks for reporting. Do you have any non-default module enabled >> (subnetcache, ipse

Re: DNS-over-TLS offered to clients; questions

2017-11-17 Thread Ralph Dolmans via Unbound-users
Hi Phil, On 31-10-17 22:00, Phil Pennock via Unbound-users wrote: > Is 3 correct? No hostname or other identifier validation at all, so a > stolen cert from elsewhere issued by a trusted CA can then impersonate > DNS? Anyone know if there are any moves to, eg, look for an IP address > in the

Re: make ip-transparent option work on OpenBSD

2017-11-17 Thread Ralph Dolmans via Unbound-users
Hi Florian, Not sure whether this was already reported back to you, but your patch has been applied to our code. Thanks! -- Ralph On 01-11-17 14:38, Florian Obser via Unbound-users wrote: > > OpenBSD supports SO_BINDANY socket option from BSD/OS since 2008. > > Thanks, > Florian > > Index:

Re: unbound forwarding local and dnssec proxy

2017-11-17 Thread Ralph Dolmans via Unbound-users
Hi, On 13-11-17 06:02, A. Cutright via Unbound-users wrote: > I am uncertain as to how to configure unbound to do the following: > - forward local domains to a local authoritative server and not cache. Can you elaborate on the issue you are facing? You might want to change the forward-zone

Re: Windows 7 "warning: IPv6 protocol not available"

2017-11-20 Thread Ralph Dolmans via Unbound-users
Hi Jefferson, Your specified IPv6 addresses are not valid; you can use the double colons (::) only once in an address. -- Ralph On 20-11-17 10:40, Jefferson Carpenter via Unbound-users wrote: > Hello, > > I'm trying to run an Unbound server on my PC for the purpose of > accessing Namecoin's

Re: internal error: looping module stopped

2017-11-07 Thread Ralph Dolmans via Unbound-users
hat additional information would be useful? >> >> On 09/20/2017 01:05 AM, Ralph Dolmans via Unbound-users wrote: >>> Hi Ales, >>> >>> Thanks for reporting. Do you have any non-default module enabled >>> (subnetcache, ipsecmod, respip, ..)? >>> >

Re: 1.7.1 qname-minimisation and Akamai?

2018-06-12 Thread Ralph Dolmans via Unbound-users
Hi Hakan, This is indeed related to the CNAME classification change in 1.7.1. After that change responses for the minimised queries can be treated as CNAME responses. Unbound has a limit in number of CNAMEs to follow to prevent loops, that limit is 8. Because the nameserver here gives CNAMEs for

Re: Multiple forward-addr: _ order of evaluation?

2018-01-10 Thread Ralph Dolmans via Unbound-users
Hi Harry, On 10-01-18 06:31, Harry Schmalzbauer wrote: > Regarding Ralph Dolmans via Unbound-users's message from 09.01.2018 > 10:53 (localtime): >> Hi Harry, >> >> Unbound selects forward addresses in the same way as it selects >> addresses for normal delegations. That is a random selection

Re: edns client subnet fallback or blacklisting?

2018-01-03 Thread Ralph Dolmans via Unbound-users
Hi Dan, Thanks for reporting. That nameserver is really broken. They indicate that they support EDNS0 and that they do not support it at the same time. BADVERS must not be used for unknown options. The nameserver answers to EDNS0 queries, Unbound treats the server as if it can handle EDNS0. Unbound does not try to

Re: Multiple forward-addr: _ order of evaluation?

2018-01-09 Thread Ralph Dolmans via Unbound-users
Hi Harry, Unbound selects forward addresses in the same way as it selects addresses for normal delegations. That is a random selection over the list of addresses with an RTT band of 400 msec. -- Ralph On 08-01-18 18:34, Harry Schmalzbauer via Unbound-users wrote: > Hello, > > I have defined a

Unbound 1.6.8 release

2018-01-19 Thread Ralph Dolmans via Unbound-users
Hi, This is the unbound 1.6.8 release. https://www.unbound.net/downloads/unbound-1.6.8.tar.gz sha256 e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49 pgp https://www.unbound.net/downloads/unbound-1.6.8.tar.gz.asc This is a point release containing a fix for CVE-2017-15105. A full

Re: NXDOMAIN accepted despite NSEC not covering wildcard?

2018-01-29 Thread Ralph Dolmans via Unbound-users
Hi Viktor, You are right. There is no proof that *.mx.marketconservative.com doesn't exist, this answer should be DNSSEC bogus. Unbound used both NSEC records. It proved the non existence of the wildcard label by generating it using the marketconservative.com NSEC record. The closest encloser

Re: 1.7.3: capsforid fallback response confusion

2018-08-08 Thread Ralph Dolmans via Unbound-users
Hi Alex, QNAME minimisation was indeed not taken into consideration in the caps-for-id fallback code. I committed a fix that should make it work. Thanks, -- Ralph On 31-07-18 08:22, Alex Zorin via Unbound-users wrote: > Hi, > > Came across the curious case of a domain that appears to cause

Re: CNAME, DNSSEC & qname minimisation

2018-08-17 Thread Ralph Dolmans via Unbound-users
Hi Alex, As mentioned in the bugzilla ticket wrt this issue (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4147): I just committed a fix that should resolve this bug. Thanks again for reporting! -- Ralph On 13-08-18 17:58, Alexandre Wicquart via Unbound-users wrote: > Hello, > > > I

Re: CNAME, NXDOMAIN & qname minimisation

2018-08-17 Thread Ralph Dolmans via Unbound-users
Hi Hauke, This behaviour is caused by the same bug as reported in bugzilla ticket #4147, for which I just committed a fix. Thanks for reporting, -- Ralph On 15-08-18 01:46, Hauke Lampe via Unbound-users wrote: > Hi. > > I read reports about qname minimisation and SERVFAIL responses in the >

Re: Unbound 1.7.0rc2 pre-release

2018-03-08 Thread Ralph Dolmans via Unbound-users
Hi Andreas, On 08-03-18 21:29, A. Schulze via Unbound-users wrote: > - Aggressive use of NSEC is not so transparent to me. > unsure, what I really may expect here. Under which conditions is this > active? When this option is enabled Unbound will try to use cached NSEC records to generate an

Re: check "result" in dup_all()

2018-03-29 Thread Ralph Dolmans via Unbound-users
Yes absolutely, thanks! On 28-03-18 18:46, Florian Obser via Unbound-users wrote: > diff --git services/authzone.c services/authzone.c > index 13e36b2c..fac8e4ed 100644 > --- services/authzone.c > +++ services/authzone.c > @@ -5946,7 +5946,7 @@ static char* > dup_all(char* str) > { >

Re: auth-zone and CNAME record...still not working?

2018-03-29 Thread Ralph Dolmans via Unbound-users
Hi, Not sure what this classical handicap is, but why wouldn't you use local-data here? This should do the trick: local-zone: "git.internalzone.io" redirect local-data: "git.internalzone.io. CNAME git.realzone.com." -- Ralph On 29-03-18 16:03, jpdolz via Unbound-users wrote: > Hello guys, >