Hello,
https://nlnetlabs.nl/svn/unbound/trunk/winrc/README.txt mentions two ways to
build unbound for windows.
- native build on windows
- crosscompile on fedora?
Does anybody do that actually? I would like to know how reliable
cross-compiling could be.
Andreas
W.C.A. Wijngaards via Unbound-users:
Unbound 1.7.3rc1 pre-release is available.
works without problems on my small number of lab systems.
the contrib/fastrpz.patch may be renewed to apply without additional noise...
Andreas
On 31.05.2018 at 15:36, W.C.A. Wijngaards via Unbound-users wrote:
> There is a fix slated for the next release, which is as a patch below.
deployed that version on the host I mentioned earlier[1].
I'll see if hopefully nothing happens in the next days...
Andreas
[1]
On 28.05.2018 at 23:01, James Cloos via Unbound-users wrote:
>
> I don't have the configure output; this is debian's compile
I'll try to recompile the Debian package to catch configure output ...
@James: which Debian Version?
Andreas
Matthew Stith via Unbound-users:
Unbound does not currently provide support for Response Policy Zone
(RPZ) but it has been stated in the past on the list that support for it
is on the roadmap of development. Is there any update on when RPZ will
be implemented and if there is any alpha/beta
Dmitri Kourennyi via Unbound-users:
More investigation results:
Since it seems to coincide with the auth-zone lookups, I will try
disabling it to see if the issue resolves itself.
similar observation: the systems I mentioned also had auth-zones enabled.
I removed the feature and now the
Dmitri Kourennyi via Unbound-users:
Most of the time, unbound works great. However, it seems that every
day when I
come back home and fire up my PC, a vast majority of queries no longer work.
Restarting unbound solves the issue.
Hello,
I've a system that also requires restarting unbound
Yuri via Unbound-users:
I'm just wondering, why *NIX version works well, but windows not with DoT.
wild guess: an MTU issue?
On 26.04.2018 at 10:09, W.C.A. Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.7.1rc1 pre-release is available:
> https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz
> sha256 46f48ef7c1dde9363d647edbb0f2bdee48be3ef0f53dbc1169f1076aae6ff4e6
> pgp
On 01.04.2018 at 21:51, Paul Wouters via Unbound-users wrote:
>
> We have a report of crashing unbound servers in fedora:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1562594
>
> Unfortunately, there is not much information there:
>
> Description of problem:
>
> Unbound 1.7.0 from
Hello,
is it possible to configure unbound to listen on more than one port for TLS?
I tried:
server:
access-control: 0.0.0.0/0 allow
interface: 0.0.0.0
tls-service-pem: "/path/to/fullchain"
tls-service-key: "/path/to/privkey"
interface: 0.0.0.0@853
tls-port: 853
interface:
On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote:
> Changes:
> - Added documentation for aggressive-nsec: yes.
I also suggest to say "Default is no" instead of "Default is off"
Andreas
On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.7.0rc3 maintainers prerelease is available:
> Changes:
> - Added documentation for aggressive-nsec: yes.
typo: nonexistant -> nonexistent
Andreas
CCed list again - my fault
On 12.03.2018 at 14:12, W.C.A. Wijngaards wrote:
>> But unbound-control is some kind of `inconsistent`:
>> unbound know stub- forward- local- and now auth-zones but unbound-control
>> doesn't mention "auth"
>> If auth-zones are enabled, is there any unbound-control
Hello unbound+nsd developers,
not sure if you're aware of
https://datatracker.ietf.org/doc/draft-bortzmeyer-dprive-resolver-to-auth/
Do you have any ideas if it's possible to implement such stuff in future unbound
and / or nsd releases?
Andreas
On 08.03.2018 at 14:59, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.7.0rc2 maintainers prerelease is available:
>
> Changes:
> - Fixed contrib/fastrpz.patch, even though this already applied
> cleanly for me, now also for others.
> - patch to log creates keytag queries, from A.
On 06.03.2018 at 11:02, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.7.0rc1 maintainers prerelease is available
Hello Wouter,
the feature list sounds promising!
3 points:
1.
contrib/fastrpz.patch applies but not without additional help from patch
I have a "fixed" version that apply
Robert Edmonds via Unbound-users:
I'm unable to resolve www.iana.org (aka ianawww.vip.icann.org) with
Unbound 1.6.7. Is this a problem with how the zones are signed, or is
Unbound being too strict?
just noticed, your question is 8 days old ...
there was a problem with iana.org on 2017-10-24
Robert Edmonds via Unbound-users:
validation failure : no keys have a DS with
algorithm RSASHA1-NSEC3-SHA1 from 2001:500:8f::53 for key icann.org.
while building chain of trust
Robert,
did you compile unbound with "--disable-sha1"?
see
On 05.10.2017 at 16:52, W.C.A. Wijngaards via Unbound-users wrote:
> This is the unbound 1.6.7rc1 prerelease.
Debian lintian suggests:
doc/unbound-control.8.in: sucessfully -> successfully
doc/unbound-control.8.in: allow to -> allow one to
and these two warnings...
W.C.A. Wijngaards via Unbound-users:
Unbound 1.6.6 is available:
Bug Fixes:
- Redirect all localhost names to localhost address for RFC6761.
Hello,
I've a setup that monitors a running resolver on a regular basis.
To avoid the log being flooded with queries for "localhost" I found it
Ernie Luzar via Unbound-users:
when I issue drill facebook.com I get rcode NOERROR, but
drill facebook.com @8.8.8.8
I receive error msg Error: error sending query: Error creating socket
I believe 8.8.8.8 is one of Google's main DNS services. I also tried
using the dns ip for at and got
On 18.09.2017 at 14:57, Ernie Luzar via Unbound-users wrote:
> Hello list.
>
> I have installed the unbound port on Freebsd release 11.1. My host gets
> a dynamic IP address assigned from the ISP service I am using. This is
> all very common and normal. But as we all know, the ISP can change
On 30.08.2017 at 15:51, Tony Finch wrote:
> A. Schulze via Unbound-users <unbound-users@unbound.net> wrote:
>>
>> Any chance, someone implement "4.2. Synthesised HINFO RRset"
>> and let the operator choose 4.1 or 4.2?
>
> HINFO synthesis is only s
Hello,
building 1.6.5 my buildsystem fails to produce packages for Debian 9
and openSUSE 42.3 (both 64bit)
...
[ 72s] ./unittest
[ 72s] [1503846266] unbound[10123:0] warning: duplicate response-ip action for '192.0.1.0/24', overridden.
[ 72s] [1503846266] unbound[10123:0] warning:
W.C.A. Wijngaards via Unbound-users:
It is enabled by default, and implemented in Unbound 1.5.4. These are
the changelog entries from the download page:
found: ~unbound-source/service/cache/dns.c, search for 'Fill TYPE_ANY
response'
As Petr mentioned, the responses aren't necessary
On 22.06.2017 at 14:34, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.6.4rc2 release candidate 2 is available:
> This release candidate fixes a recently found heap overflow, and adds a
> contrib patch for fastrpz.
looks good here, too
the fastrpz tests are not yet finished
Andreas
W.C.A. Wijngaards via Unbound-users:
Unbound 1.6.4rc1 release candidate 1 is available:
compiles and runs.
lintian found one typo: daemon/remote.c, line 266
s/coult/could/
This release contains key tag signaling RFC8145 support.
btw: to "see" this, I temporarily modified the logline:
On 01.06.2017 at 11:12, W.C.A. Wijngaards via Unbound-users wrote:
> Use this patch on code that has the previous patch applied.
Yea, it works!
attached my full patch (I had to add an explicit type cast)
with the patch applied and unbound restarted I did "dig @::1 kernel-error.de.
dnskey
On 31.05.2017 at 14:15, A. Schulze via Unbound-users wrote:
>> Below is a patch, but I don't know if it works, it makes the code fallthrough
>> to try normal TCP writes when FASTOPEN writes fail.
>
> I'll try the patch and report results...
compiled and installed but no ch
W.C.A. Wijngaards via Unbound-users:
There is only a configure time option and not a config option. We don't
want it to be a config option, we want it to work all the time.
sounds reasonable
Below is a patch, but I don't know if it works, it makes the code fallthrough
to try normal TCP
A. Schulze via Unbound-users:
On a platform with broken TCP FASTOPEN support (even if not
supported by the kernel)
I currently can't disable it, I would need another unbound binary - right?
is there really no option to disable TCP_FASTOPEN usage by configuration?
clarification
W.C.A. Wijngaards via Unbound-users:
The failure you see is in the code for TCP FASTOPEN. It was enabled
when you gave the configure option --enable-tfo-client.
TCP FASTOPEN...
your explanation perfectly matches my observation :-)
I just tried to disable any ipfilter on the failing host.
Hello,
the domain uses huge keys: https://zonemaster.net/test/f8b42c485139ea99
Also DNSViz http://dnsviz.net/d/kernel-error.de/dnssec/ shows warnings.
But most of my unbound-host resolve without problems except instances on
"cheap hosted virtual machines"
As far as I can tell all unbound servers
Ralph Dolmans via Unbound-users:
Are you sure you are not looking at subqueries generated by Unbound,
like root priming queries or queries for the DNSKEY? We do not add ECS
data to these queries.
found it!
(for queries sent to ipv4 as well as ipv6 name servers)
and, surprise:
the data aren't
W.C.A. Wijngaards via Unbound-users:
Thanks for the bugreport, I've added code for the dnstap and dnscrypt
variables, for unbound-checkconf and unbound-control. The fix is not
for 1.6.2 because it is in release, but for 1.6.3 (you can get it from
the code repository).
Thanks Wouter,
I
Ralph Dolmans via Unbound-users:
Any chance that the nameservers Unbound is sending queries to are not on
the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to
whitelisted addresses.
Ralf.
2000::/3 should cover any IPv6 nameserver.
just added "send-client-subnet: 0.0.0.0/0"
W.C.A. Wijngaards via Unbound-users:
Unbound 1.6.2rc1 maintainers prerelease is available:
- Merge EDNS Client subnet implementation from feature branch into main
branch, using new EDNS processing framework.
Hello,
I have added to unbound.conf:
server:
module-config: "subnetcache
On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote:
>
>
> On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Unbound 1.6.2rc1 maintainers prerelease is available:
>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.6.2rc1 maintainers prerelease is available:
> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
> DS records. NSEC3 is not disabled.
I tried --disable-sha1 and found any org. zone no longer
Hello,
unbound-checkconf /path/to/unbound.con -o [option] should echo the option value.
That happens for all options valid in "server:" section as well as in "control:"
section.
But if I check for "dnstap-enable" (or "dnscrypt-enable") unbound-checkconf
fails.
... fatal error: cannot print
On 20.04.2017 at 13:31, Ralph Dolmans via Unbound-users wrote:
> We are planning to implement the key tag query part of RFC 8145 soon.
> Will that be sufficient for you or do you also need the EDNS option?
Hello Ralph,
I read RFC again and am now aware of /two/ options to transport the key
On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.6.2rc1 maintainers prerelease is available:
works noiseless here since a week.
one question came up when I combine these two announcements:
> - Add trustanchor.unbound CH TXT that gets a response with a number
>
On 10.04.2017 at 09:07, W.C.A. Wijngaards via Unbound-users wrote:
> This install is triggered by the option --enable-event-api . Just
> enabling --with-libevent does not trigger the install by itself.
Oops,
reading "configure --help" is an option. Uncommon but sometimes helpful :-)
works
On 22.03.2017 at 15:24, Paul Wouters via Unbound-users wrote:
>
> When building unbound with --with-libevent support, the make install
> phase should also call make unbound-event-install or else unbound-event.h
> does not get installed and the header file for using the unbound event
>
On 20.02.2017 at 10:12, Ralph Dolmans via Unbound-users wrote:
> Please note that this patch has some issues. We are working on a
> complete implementation.
I suspect the patch may have rough corners so it's good to know you're working on
a better implementation...
Andreas
A. Schulze via Unbound-users:
On 14.02.2017 at 15:00, W.C.A. Wijngaards via Unbound-users wrote:
Unbound 1.6.1rc3 is available:
compiled Debian Jessie+Stretch without warnings.
"log-replies:yes" is cool :-)
Now, some days later, I like to announce the rc3 not only compile but
On 14.02.2017 at 15:00, W.C.A. Wijngaards via Unbound-users wrote:
> Unbound 1.6.1rc3 is available:
compiled Debian Jessie+Stretch without warnings.
"log-replies:yes" is cool :-)
Andreas
On 24.01.2017 at 22:11, Jac Backus wrote:
> But for mail.crypsys.nl dnsviz.net shows only an A record, but no TXT record:
http://dnsviz.net/d/mail.crypsys.nl/dnssec/
- click "update now"
- click "Advanced options (forced ancestor analysis, recursive, explicit
delegation, etc.)"
- select
On 24.01.2017 at 16:56, W.C.A. Wijngaards via Unbound-users wrote:
> It means that the contents of the TXT record have been altered, and the
> text in it does not match the RRSIG digital signature. If this was a
> spurious technical failure, it could be due to upper/lowercase somehow
>
Sonic via Unbound-users:
On Wed, Nov 16, 2016 at 3:21 PM, James Ralston via Unbound-users
wrote:
module-config: "iterator"
On the systems where I'm using just 'module-config: "iterator"' there
is no root.hints or named.cache file and no attempt is made by unbound
Ralph Dolmans via Unbound-users:
Are you using OpenSSL 1.1? Apparently it introduced security levels and
by default doesn't allow aNULL ciphers. I just committed a version to our
repository that sets the security level to 0 for the remote control ssl
context when control-use-cert is no.
Ralph Dolmans via Unbound-users:
Hi Andreas,
Are you using OpenSSL 1.1? Apparently it introduced security levels and
by default doesn't allow aNULL ciphers. I just committed a version to our
repository that sets the security level to 0 for the remote control ssl
context when control-use-cert
Hello,
after update from 1.5.9 to 1.5.10 "unbound-control reload" no longer works:
the relevant unbound.conf section:
remote-control:
control-enable: yes
control-interface: /path/to/unbound-control.socket
control-use-cert: no
# ls -la /path/to/unbound-control.socket
Hello,
I spent some time to compile unbound-1.5.9 and ldns-1.6.17 with openssl-1.1.0b.
The current results you find attached.
WARNING:
unbound and ldns compile - unbound with warnings.
treat the patches as if it will break major things - no guarantee!
don't use them as they are.
please comment
W.C.A. Wijngaards via Unbound-users:
The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and
thus a.mx.bsws.de cannot exist. With qname-minimisation unbound then
stops.
Qname minimisation in unbound assumes that dnssec signed domains will
do their NXDOMAIN correctly. (Note the
Hello,
messages to bsws.de and yos.net (same mx) fail because unbound could
not resolve the names.
http://dnsviz.net/d/yos.net/dnssec/ shows some strange warnings.
I found two general ways to solve the problem:
- disable dnssec validation at all
- disable qname-minimisation
last resort:
On 24.08.2016 at 19:05, Benny Pedersen via Unbound-users wrote:
On 2016-08-24 10:39, A. Schulze via Unbound-users wrote:
forward-zone:
name: "10-in-addr.arpa."
forward-addr: ${nameserver1-ip}
forward-addr: ${nameserver2-ip}
add
forward-first: yes
does this fix i
A. Schulze via Unbound-users:
stub-zone:
name: "10.in-addr.arpa."
stub-addr: ${nameserver1-ip}
stub-addr: ${nameserver2-ip}
Everything is fine as long as both nameservers are up.
If one server fails (simple case: host up, nameserver down) client
get "n
Hello
we still have an unsolved issue and cannot find a solution. It's still
the same as
https://www.unbound.net/pipermail/unbound-users/2015-October/004057.html ...
test-setup:
client -> router -> unbound -> router -> nameserver1 + nameserver2
client's /etc/resolv.conf has only one
A. Schulze:
with unbound-1.5.9, we hit $subject.
"qname-minimisation" was enabled. Everything is fine if I disable the feature.
# posttls-finger eldinhadzic.com
posttls-finger: using DANE RR: _25._tcp.eldinhadzic.com IN TLSA 2 1 2
Ralph Dolmans:
Do you have QNAME minimisation enabled?
yes
This simple patch for 1.5.9 solves this problem.
I confirm the patch solves the observed issue.
Many thanks, you saved my day!
Andreas
A. Schulze via Unbound-users:
$host 2001:a60:f0b4:e503:2cdb:beff:feaa:880b
unbound <= 1.5.8: success
unbound = 1.5.9: SERVFAIL
just noticed this happens only on a Debian Squeeze host
On Debian Jessie I get the rDNS.
Andreas
j dubbz via Unbound-users:
- I suppose this might be determined by the log verbosity, so with
verbosity: 1 or verbosity: 3, etc.. how does this come into play?
we use
do-daemonize: no
logfile: ""
log-queries: yes
val-log-level: 2
that lets unbound log the queries on stdout which is
A. Schulze via Unbound-users:
- just upgraded and no visible problems so far
Hello,
there is a change in unbound-1.5.9 which makes some IPv6 addresses
un-resolvable.
$host 2001:a60:f0b4:e503:2cdb:beff:feaa:880b
unbound <= 1.5.8: success
unbound = 1.5.9: SERVFAIL
One reason
On 13.06.2016 at 16:57, W.C.A. Wijngaards via Unbound-users wrote:
Unbound 1.5.9 is available:
http://www.unbound.net/downloads/unbound-1.5.9.tar.gz
- unbound.conf.5.in: the new text for freebind: "adress" should be "address"
- just upgraded and no visible problems so far
Thanks for
Noah Robin via Unbound-users:
In my environment, we have a plant of internal recursive servers for our
data center and separate plants of authoritative servers; something like
65-85% of the traffic outbound from our recursive plants (several hundred
queries/sec per client machine) is destined
Miguel Miranda via Unbound-users:
Hello to all, I'm installing a load balancer and I want to run multiple
unbound instances, I'm doing this because my IT experts say it is not
recommended to have a huge cache (i have 32GB available) it is better to
have 2 or 3 GB cache in multiple unbound
Hello,
as far as I understand the unbound.conf(5) the communication between
unbound-control and unbound itself
always requires the setup of a TLS connection. Is this also true when
we set up control-interface as a unix socket?
But we could set
control-use-cert: no
control-interface:
W.C.A. Wijngaards via Unbound-users:
The 1.5.8rc1 release candidate is available
http://www.unbound.net/downloads/unbound-1.5.8rc1.tar.gz
works as expected here (Debian Jessie)
Thanks for unbound!
Andreas
Daisuke HIGASHI:
All postbank.de nameservers are sending malformed UDP reply with TC.
But my Unbound (1.5.7) resolver retries query via TCP to get correct answer.
Your firewall is dropping malformed DNS messages or TCP DNS queries?
not that I know / no firewall in the way
and tcp is
Hernan Saltiel via Unbound-users:
just to let those users connect to their PCs using DNS records, and
not IP addresses,
one possibility would be a dyndns service.
Andreas
W.C.A. Wijngaards via Unbound-users:
My guess is both do not work and the TTL is different.
not impossible ...
Normally, unbound should try both addresses, and I guess it is
trying them but
the other also does not work. unbound-control lookup can be used to
get the info on those two IP
Hello,
we have the following configuration to point unbound-1.5.4 to our
private nameservers:
server:
local-zone: "10.in-addr.arpa." transparent
domain-insecure: "10.in-addr.arpa."
stub-zone:
name: "private.example.com."
stub-addr: "10.0.1.53"
stub-addr: "10.0.2.53"
stub-zone:
Hello,
the RFC 6761 gives some advice how caching DNS servers SHOULD
handle queries for reserved domains. Mostly it says
"do not send queries to the root name servers"
... point 4 in any case ...
http://tools.ietf.org/html/rfc6761#section-6.2 ( domain "test." )