Re: Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread Robert Edmonds via Unbound-users
Ralf Hildebrandt via Unbound-users wrote: > Before the update (running unbound 1.5.8-1ubuntu1.1) we were seeing query > times around 20ms: After the upgrade (1.6.7-1ubuntu2.1) those rose to > 40ms. > > See these graphs: > https://www.arschkrebs.de/bugs/dnssvc30d.png > https://www.arschkrebs.de/bug

Re: unbound doesn't remove pidfile

2018-03-07 Thread Robert Edmonds via Unbound-users
Shawn Zhou via Unbound-users wrote: > I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't remove the > pid file after it's stopped. I believe the unbound packaging on Ubuntu xenial is old enough that it still uses the sysv generator to create the service unit. You will probably want

Re: NOTIMP for unrecognized qtypes

2017-08-02 Thread Robert Edmonds via Unbound-users
Petr Špaček via Unbound-users wrote: > Well, the spec is from 1987. Even the meaning of MUST/SHOULD etc. was > not standardized yet back then ... Even worse, this language appears to have been copied verbatim from RFC 883, which is even older (1983) :-) -- Robert Edmonds edmo...@debian.org

Re: NOTIMP for unrecognized qtypes

2017-07-27 Thread Robert Edmonds via Unbound-users
Jacob Hoffman-Andrews via Unbound-users wrote: > I'm trying to write some documentation for users of Let's Encrypt about > CAA. I believe it's the case that standards-conformant authoritative > resolvers should return NOERROR for qtypes they don't recognize, rather > than NOTIMP. Is this correct? I

Re: Trust rules and DNSSEC signatures

2017-04-27 Thread Robert Edmonds via Unbound-users
Florian Weimer via Unbound-users wrote: > * Paul Wouters: > > >> On Apr 27, 2017, at 08:11, Florian Weimer via Unbound-users > >> wrote: > >> > >> Does Unbound use otherwise non-trustworthy data simply because it has > >> valid DNSSEC signatures? > >> > > > > How can data be signed and validate

Re: Trust rules and DNSSEC signatures

2017-04-27 Thread Robert Edmonds via Unbound-users
Florian Weimer via Unbound-users wrote: > Does Unbound use otherwise non-trustworthy data simply because it has > valid DNSSEC signatures? > > I'm asking because of this recent dnsop thread: > > Hi, Florian: It's been a

Re: trust-anchor-file, auto-trust-anchor-file, trust-anchor

2017-02-24 Thread Robert Edmonds via Unbound-users
Edward Lewis via Unbound-users wrote: > Is the use of trust-anchor-file for the public root zone KSK popular? Do > folks use it much at all (regardless of zone)? The same for trust-anchor > statements, which appear to be in-line of the configuration file. Hi, Ed: We ship the Debian package of

Re: [NLnet Labs Maintainers] Unbound 1.6.1rc3 prerelease

2017-02-18 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards wrote: > Unbound 1.6.1rc3 is available: > https://www.unbound.net/downloads/unbound-1.6.1rc3.tar.gz Hi, I notice that unbound-anchor from 1.6.1rc3 produces two DSes when run with "-F" (one for KSK-2010, one for KSK-2017), but it only produces a single DNSKEY when run without "-F

nettle support? (was: Re: Unbound 1.5.7 release)

2016-06-27 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > - Fix #594. libunbound: optionally use libnettle for crypto. > Contributed by Luca Bruno. Added --with-nettle for use with > --with-libunbound-only. Hi, I've received a request to enable this by default in the Debian package of libunbound: ht

Re: unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Robert Edmonds via Unbound-users
Paul Wouters via Unbound-users wrote: > On Fri, 3 Jun 2016, Daisuke HIGASHI wrote: > > > Subject: Re: unbound listening sporadically on 0.0.0.0 high ports when > > configured for 127.0.0.1 ? > > > My guess is: UDP sockets for outgoing query > > from Unbound to authoritative servers. > > >

Re: Testing KSK Rollover

2016-03-22 Thread Robert Edmonds via Unbound-users
Neal Manaktola via Unbound-users wrote: > I understand that in order to follow RFC 5011, an option must be set in > libunbound "auto-trust-anchor-file". That file will get updated with the > correct trust anchors. > Is there any way we can test this functionality is working as intended? Hi, Neal

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > The sysadmin edits the root.hints file? The unbound.conf file is just > pointing to the root.hints file. I don't really see sysadmins editing > the root.hints file. Only very sporadic, perhaps, updating it > themselves. But then they have to keep doi

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
Dave Warren via Unbound-users wrote: > On 2016-03-16 10:46, Robert Edmonds via Unbound-users wrote: > >Not quite, I want to avoid two things: > > > >1) The sysadmin should never have to update the root hints by hand. > >"apt update && apt upgrade" shoul

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > But I think just setting the configuration option for root-hints in > unbound.conf is probably just what you want? Do you still need to be > able to set a default value for the root-hints file location, or is it > just as good to set it in unbound.conf

Re: L-Root IPv6 address renumbering

2016-03-15 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > I have updated the default root hints that ship inside the source code > of Unbound (in the code repository, for future releases). Thank you for > the notification. > > Users can upgrade the root hints right now by editing the named.root (or > named.ca

Re: python unbound issues

2016-02-22 Thread Robert Edmonds via Unbound-users
Spike Morelli (DRBA) via Unbound-users wrote: > 1) unbound-checkconfig complains that the python module isn't there: > > [1456179172] unbound-checkconf[5330:0] fatal error: module conf 'python > iterator' is not known to work > > looking at the source code this seems to be due to WITH_PYTHONMODUL

Re: [patch] insecure-lan-zones

2016-02-06 Thread Robert Edmonds via Unbound-users
Dag-Erling Smørgrav via Unbound-users wrote: > I hope I got the Makefile.in part right - it's pretty gross. Why don't > you use automake? +1 to Automake :-) Hacking on Unbound's Makefile.in is not fun. -- Robert Edmonds edmo...@debian.org

Unbound and intermittent network connectivity?

2015-12-18 Thread Robert Edmonds via Unbound-users
Hi, I have a few recent bug reports from Debian users that Unbound stops resolving after brief interruptions in network connectivity. Especially from users on laptops, which are typically not as well-connected as servers or workstations with wired Ethernet connections. https://bugs.debian.org/cg

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-10 Thread Robert Edmonds via Unbound-users
Tomas Hozza via Unbound-users wrote: > On 04.11.2015 17:35, Phil Mayers wrote: > > The code tries to open an IPv6 socket, the kernel tries to load the module, > > SELinux denies and logs this. Each of these items is by design. Which are > > you suggesting should change? > > I think it makes sens

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-04 Thread Robert Edmonds via Unbound-users
Phil Mayers via Unbound-users wrote: > On 04/11/2015 17:21, Robert Edmonds wrote: > >Is the problem perhaps that "ipv6.disable=1" on the kernel command line > >should be accompanied by "alias net-pf-10 off" in the modprobe > >configuration in order to prevent useless autoloading attempts? > > Is t

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-04 Thread Robert Edmonds via Unbound-users
Hi, Phil Mayers via Unbound-users wrote: > On 04/11/2015 15:49, Tomas Hozza wrote: > > >If you have some strong technical argument for this behavior I would > >be more than glad to hear it. The reason is that similar people will > >fight hard against having Unbound as the default DNS resolver in

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-03 Thread Robert Edmonds via Unbound-users
Paul Wouters via Unbound-users wrote: > FYI: > > rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in > /etc/sysctl.conf > > https://bugzilla.redhat.com/show_bug.cgi?id=1231946 > > Paul Hi, Paul: I'm a bit confused. unbound-anchor is an ordinary program that uses the soc

Re: unbound and systemd

2015-10-14 Thread Robert Edmonds via Unbound-users
Sami Kerola via Unbound-users wrote: > The stuff I did to avoid pkg-config is not nice. Fixing that would > require dependency that not all projects agree. What is your view > to add pkg-config dep? Hi, Using pkg-config is the documented way to detect the correct library to link against for libsy

draft-ietf-dnsop-root-loopback questions

2015-10-07 Thread Robert Edmonds via Unbound-users
Hi, draft-ietf-dnsop-root-loopback (https://tools.ietf.org/html/draft-ietf-dnsop-root-loopback-05) specifies a technique to run a copy of the root zone on a loopback address in order to "decrease the round trip time and prevent observation of requests". Appendix B shows an example configuration f

Re: inconsistent forward-zone behavior between config files, unbound-control

2015-09-22 Thread Robert Edmonds via Unbound-users
A. Schulze via Unbound-users wrote: > On 22.09.2015 at 19:02, Mike Brown via Unbound-users wrote: > >* by default, queries go to my ISP's resolvers (Comcast: 75.75.75.75 & > >75.75.76.76) > why would you do that? Comcast's 75.75.75.75 and 75.75.76.76 nameservers are anycasted. 75.75.75.75 in part

Re: rfc6761 compliance

2015-09-22 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > It is not a particularly heavy root server load to mitigate, less code > is better and easier, the unblock-lan-zones statement is a frequently > asked question from our users. That said, we could add new code for > this (and .onion?). Hi, Wouter: I wo

Re: rfc6761 compliance

2015-09-11 Thread Robert Edmonds via Unbound-users
A. Schulze via Unbound-users wrote: > Hello, > > the RFC 6761 gives some advice how caching DNS servers SHOULD > handle queries for reserved domains. Mostly it says > "do not send queries to the root name servers" > > ... point 4 in any case ... > http://tools.ietf.org/html/rfc6761#section-6.2 ( do

Re: Query logging performance

2015-08-04 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > On 03/08/15 19:50, Darren Spruell via Unbound-users wrote: > > Unbound's documentation mentions that query logging can have very > > adverse performance on server operation. I was curious if the > > project feels this has been optimized to the degree po

Re: Using unbound-anchor for non-default trust anchor

2015-07-28 Thread Robert Edmonds via Unbound-users
Edward Lewis via Unbound-users wrote: > unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org. > > I am trying to test RFC 5011 capabilities by following these websites: > > http://keyroll.systems > and > http://icksk.dnssek.info/fauxroot.html > > Goal is to run unbound-ancho