This doesn't seem to be the case:

root@dbengine-ent-rm-01:~ # dig +short rs.dns-oarc.net txt
rst.x1008.rs.dns-oarc.net.
rst.x1968.x1008.rs.dns-oarc.net.
rst.x2454.x1968.x1008.rs.dns-oarc.net.
"74.125.47.142 DNS reply size limit is at least 2454"
"74.125.47.142 sent EDNS buffer size 4096"
"Tested at 2016-03-16 11:09:54 UTC"
root@dbengine-ent-rm-01:~ #

Is there any "simple" way to do an EDNS query directly to a specific DNS? Ok, I'll ask google about that :)

---
Andrea Brancatelli
Schema31 S.p.a.
IT Manager
ROMA - BO - FI - PA
ITALY
Tel: +39. 06.98.358.472
Cell: +39 331.2488468
Fax: +39. 055.71.880.466
A company of the SC31 ITALIA group

On 2016-03-15 13:53 Matthew Seaman wrote:

> On 03/15/16 11:28, Andrea Brancatelli wrote:
>
>> Hello everybody,
>>
>> we're suddenly having problems with unbound on almost all of our servers
>> and I cannot really understand why.
>>
>> To make a long story short, we use this forward.conf:
>>
>> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
>> # This file was generated by local-unbound-setup.
>> # Modifications will be overwritten.
>> forward-zone:
>>         name: .
>>         forward-addr: 8.8.8.8
>>         forward-addr: 8.8.4.4
>>
>> Enabling this:
>>
>> auto-trust-anchor-file: /var/unbound/root.key
>>
>> in /etc/unbound/unbound.conf gives me this:
>>
>> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
>> ;; connection timed out; no servers could be reached
>>
>> simply disabling that line gives me this:
>>
>> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
>> update.freebsd.org is an alias for update5.freebsd.org.
>> update5.freebsd.org has address 204.9.55.80
>> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
>> update5.freebsd.org mail is handled by 0 .
>>
>> What's going on?
>>
>> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
>> 10.2-RELEASE-p13
>
> Do you have a firewall between those machines and the Internet? Does
> it assume that DNS queries never use anything more than 512byte UDP
> packets? Does it try and rewrite data in DNS queries? Doing either of
> those things will cause breakage when using a DNSSEC enabled DNS
> resolver -- and DNSSEC support is pretty much the whole point of
> local_unbound.
>
> If you go here: https://www.dns-oarc.net/oarc/services/replysizetest it
> should show you if you have any problems with reply lengths. Firewalls
> that try and modify DNS queries on the fly just need to be eradicated.
> It's a dumb idea and indistinguishable from certain types of malicious
> attack.
>
> Cheers,
>
> Matthew

_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
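The question above of sending an EDNS query straight to one chosen resolver, as an added example that is not part of the thread: it builds the raw DNS message with an EDNS0 OPT record (4096-byte UDP buffer, DO bit) and checks a reply for the TC bit and the server's advertised EDNS size, which is what the firewall discussion hinges on. The resolver address and the query name are assumptions taken from the thread's forward.conf and host output; nothing here is unbound's or dig's own code.

```python
import socket
import struct
# Added example, not from the thread: a raw DNS query with an EDNS0 OPT record
# (UDP buffer 4096, DO bit) aimed at one chosen resolver, plus a reply check.

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_edns_query(name, qtype=1, bufsize=4096, dnssec_ok=True, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, arcount=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype A, class IN
    # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags with DO = 0x8000, empty RDATA.
    flags = 0x8000 if dnssec_ok else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, bufsize, flags, 0)

def skip_name(data, pos):
    while True:  # walk labels; a 0xC0 prefix is a two-byte compression pointer
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_edns_reply(data):
    """Return (truncated, server_bufsize_or_None, do_bit) from a raw DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    truncated = bool(flags & 0x0200)  # TC bit: typical of a 512-byte-only path
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip qtype + qclass
    bufsize, do = None, False
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 41:
            bufsize, do = rclass, bool(rttl & 0x8000)
        pos += 10 + rdlen
    return truncated, bufsize, do

def query_server(server, name, timeout=3.0):
    """Send the query over UDP to one specific resolver, e.g. "8.8.8.8" (assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        return parse_edns_reply(s.recv(4096))
```

A reply of `(True, None, False)` from `query_server` means the path returned a truncated, EDNS-less answer, the symptom a 512-byte-only firewall produces; `(False, 4096, True)` means the full EDNS exchange got through.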