building unbound for windows

2018-08-14 Thread A. Schulze via Unbound-users
Hello, https://nlnetlabs.nl/svn/unbound/trunk/winrc/README.txt mention two ways to build unbound for windows. - native build on windows - crosscompile on fedora? Does anybody do that actually? I would like to know how reliable cross-compiling could be. Andreas

Re: Unbound 1.7.3rc1 pre-release

2018-06-18 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: Unbound 1.7.3rc1 pre-release is available. works without problems on my Small number of lab systems. the contrib/fastrpz.patch may be renewed to apply without additional noise... Andreas

Re: Jostle logic seems to randomly stop working

2018-05-31 Thread A. Schulze via Unbound-users
On 31.05.2018 at 15:36, W.C.A. Wijngaards via Unbound-users wrote: > There is a fix slated for the next release, which is as a patch below. deployed that version on the host I mentioned earlier[1]. I'll see if hopefully nothing happen the next days... Andreas [1]

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-29 Thread A. Schulze via Unbound-users
On 28.05.2018 at 23:01, James Cloos via Unbound-users wrote: > > I don't have the configure output; this is debian's compile I'll try to recompile the Debian package to catch configure output ... @James: which Debian Version? Andreas

Re: Response Policy Zone Support

2018-05-23 Thread A. Schulze via Unbound-users
Matthew Stith via Unbound-users: Unbound does not currently provide support for Response Policy Zone (RPZ) but it has been stated in the past on the list that support for it is on the roadmap of development. Is there any update on when RPZ will be implemented and if there is any alpha/beta

Re: Jostle logic seems to randomly stop working

2018-05-19 Thread A. Schulze via Unbound-users
Dmitri Kourennyi via Unbound-users: More investigation results: Since it seems to coincide with the auth-zone lookups, I will try disabling it to see if the issue resolves itself. similar observation: the systems I mentioned also had auth-zones enabled. I removed the feature and now the

Re: Jostle logic seems to randomly stop working

2018-05-16 Thread A. Schulze via Unbound-users
Dmitri Kourennyi via Unbound-users: Most of the time, unbound works great. However, it seems that every day when I come back home and fire up my PC, a vast majority of queries no longer work. Restarting unbound solves the issue. Hello, I've a system that also require restarting unbound

Re: DNS over TLS not working

2018-05-08 Thread A. Schulze via Unbound-users
Yuri via Unbound-users: I'm just wondering, why *NIX version works well, but windows not with DoT. wild guess: an MTU issue?

Re: Unbound 1.7.1rc1 pre-release

2018-04-26 Thread A. Schulze via Unbound-users
On 26.04.2018 at 10:09, W.C.A. Wijngaards via Unbound-users wrote: > Hi, > > Unbound 1.7.1rc1 pre-release is available: > https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz > sha256 46f48ef7c1dde9363d647edbb0f2bdee48be3ef0f53dbc1169f1076aae6ff4e6 > pgp

Re: unbound 1.7.0 crashes

2018-04-02 Thread A. Schulze via Unbound-users
On 01.04.2018 at 21:51, Paul Wouters via Unbound-users wrote: > > We have a report of crashing unbound servers in fedora: > > https://bugzilla.redhat.com/show_bug.cgi?id=1562594 > > Unfortunately, there is not much information there: > > Description of problem: > > Unbound 1.7.0 from

specify multiple TLS-Ports?

2018-03-13 Thread A. Schulze via Unbound-users
Hello, is it possible to configure unbound to listen on more than one port for TLS? I tried: server: access-control: 0.0.0.0/0 allow interface: 0.0.0.0 tls-service-pem: "/path/to/fullchain" tls-service-key: "/path/to/privkey" interface: 0.0.0.0@853 tls-port: 853 interface:

Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users
On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote: > Changes: > - Added documentation for aggressive-nsec: yes. I also suggest to say "Default is no" instead of "Default is off" Andreas

Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users
On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.7.0rc3 maintainers prerelease is available: > Changes: > - Added documentation for aggressive-nsec: yes. typo: nonexistant -> nonexistent Andreas

Re: Unbound 1.7.0rc3 pre-release

2018-03-12 Thread A. Schulze via Unbound-users
CCed list again - my fault On 12.03.2018 at 14:12, W.C.A. Wijngaards wrote: >> But unbound-control is some kind of `inconsistent`: >> unbound know stub- forward- local- and now auth-zones but unbound-control >> doesn't mention "auth" >> If auth-zones are enabled, is there any unbound-control

support for draft-bortzmeyer-dprive-resolver-to-auth

2018-03-09 Thread A. Schulze via Unbound-users
Hello unbound+nsd developers, not sure if you're aware of https://datatracker.ietf.org/doc/draft-bortzmeyer-dprive-resolver-to-auth/ Do have any ideas if it's possible to implement such stuff in future unbound and / or nsd releases? Andreas

Re: Unbound 1.7.0rc2 pre-release

2018-03-08 Thread A. Schulze via Unbound-users
On 08.03.2018 at 14:59, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.7.0rc2 maintainers prerelease is available: > > Changes: > - Fixed contrib/fastrpz.patch, even though this already applied > cleanly for me, now also for others. > - patch to log creates keytag queries, from A.

Re: Unbound 1.7.0rc1 pre-release

2018-03-06 Thread A. Schulze via Unbound-users
On 06.03.2018 at 11:02, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.7.0rc1 maintainers prerelease is available Hello Wouter, the feature list sounds promising! 3 points: 1. contrib/fastrpz.patch apply but not without additional help from patch I have a "fixed" version that apply

Re: Validation failure for www.iana.org?

2017-10-30 Thread A. Schulze via Unbound-users
Robert Edmonds via Unbound-users: I'm unable to resolve www.iana.org (aka ianawww.vip.icann.org) with Unbound 1.6.7. Is this a problem with how the zones are signed, or is Unbound being too strict? just noticed, your question is 8 days old ... there was a problem with iana.org on 2017-10-24

Re: Validation failure for www.iana.org?

2017-10-30 Thread A. Schulze via Unbound-users
Robert Edmonds via Unbound-users: validation failure : no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 2001:500:8f::53 for key icann.org. while building chain of trust Robert, did you compile unbound with "--disable-sha1"? see

Re: Unbound 1.6.7rc1 pre-release

2017-10-05 Thread A. Schulze via Unbound-users
On 05.10.2017 at 16:52, W.C.A. Wijngaards via Unbound-users wrote: > This is the unbound 1.6.7rc1 prerelease. Debian lintian suggest: doc/unbound-control.8.in: sucessfully -> successfully doc/unbound-control.8.in: allow to-> allow one to and these two warnings...

Re: Unbound 1.6.6 release

2017-09-20 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: Unbound 1.6.6 is available: Bug Fixes: - Redirect all localhost names to localhost address for RFC6761. Hello, I've a setup that monitor a running resolver on regular base. To avoid the log is flooded with queries for "localhost" I found it

Re: dynamic ip host & auto dns changes

2017-09-20 Thread A. Schulze via Unbound-users
Ernie Luzar via Unbound-users: when I issue drill facebook.com I get rcode NOERROR, but drill facebook.com @8.8.8.8 I receive error msg Error: error sending query: Error creating socket I believe 8.8.8.8 is one of googles main dns services. I also tried using the dns ip for at and got

Re: dynamic ip host & auto dns changes

2017-09-18 Thread A. Schulze via Unbound-users
On 18.09.2017 at 14:57, Ernie Luzar via Unbound-users wrote: > Hello list. > > I have installed the unbound port on Freebsd release 11.1. My host gets > an dynamic ip address assigned from the ISP service I am using. This is > all very common and normal. But as we all know, the ISP can change

Re: refuse ANY queries

2017-08-30 Thread A. Schulze via Unbound-users
On 30.08.2017 at 15:51, Tony Finch wrote: > A. Schulze via Unbound-users <unbound-users@unbound.net> wrote: >> >> Any chance, someone implement "4.2. Synthesised HINFO RRset" >> and let the operator choose 4.1 or 4.2? > > HINFO synthesis is only s

"make test" fail

2017-08-27 Thread A. Schulze via Unbound-users
Hello, building 1.6.5 my buildsystem fail to produce packages for Debian 9 and OpenSusE 42.3 (both 64bit) ... [ 72s] ./unittest [ 72s] [1503846266] unbound[10123:0] warning: duplicate response-ip action for '192.0.1.0/24', overridden. [ 72s] [1503846266] unbound[10123:0] warning:

Re: refuse ANY queries

2017-08-25 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: It is enabled by default, and implemented in Unbound 1.5.4. These are the changelog entries from the download page: found: ~unbound-source/service/cache/dns.c, search for 'Fill TYPE_ANY response' As Petr mentioned, the responses aren't necessary

Re: [NLnet Labs Maintainers] Unbound 1.6.4rc2 pre-release

2017-06-22 Thread A. Schulze via Unbound-users
On 22.06.2017 at 14:34, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.6.4rc2 release candidate 2 is available: > This release candidate fixes a recently found heap overflow, and adds a > contrib patch for fastrpz. looks good here, too the fastrpz test are not yet finished Andreas

Re: Unbound 1.6.4rc1 pre-release

2017-06-20 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: Unbound 1.6.4rc1 release candidate 1 is available: compiles and runs. lintian found one typo: daemon/remote.c, line 266 s/coult/could/ This release contains key tag signaling RFC8145 support. btw: to "see" this, I temporary modified the logline:

Re: disable TCP-FASTOPEN

2017-06-01 Thread A. Schulze via Unbound-users
On 01.06.2017 at 11:12, W.C.A. Wijngaards via Unbound-users wrote: > Use this patch on code that has the previous patch applied. Yea, it works! attached my full patch (I had to add an explicit type cast) with the patch applied and unbound restarted I did "dig @::1 kernel-error.de. dnskey

Re: disable TCP-FASTOPEN

2017-05-31 Thread A. Schulze via Unbound-users
On 31.05.2017 at 14:15, A. Schulze via Unbound-users wrote: >> Below is a patch, but I don't know if it works, it makes the code fallthrough >> to try normal TCP writes when FASTOPEN writes fail. > > I'll try the patch and report results... compiled and installed but no ch

Re: disable TCP-FASTOPEN

2017-05-31 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: There is only a configure time option and not a config option. We don't want it to be a config option, we want it to work all the time. sounds reasonable Below is a patch, but I don't know if it works, it makes the code fallthrough to try normal TCP

disable TCP-FASTOPEN (was: partial problem resolving kernel-error.de)

2017-05-31 Thread A. Schulze via Unbound-users
A. Schulze via Unbound-users: On a platform with broken TCP FASTOPEN support (even if not supported by the kernel) I currently can't disable it, I would need another unbound binary - right? is there really no option to disable TCP_FASTOPEN usage by configuration? clarification

Re: partial problem resolving kernel-error.de

2017-05-30 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: The failure you see is in the code for TCP FASTOPEN. It was enabled when you gave the configure option --enable-tfo-client. TCP FASTOPEN... your explanation match perfectly to my observation :-) I just tried to disable any ipfilter on the failing host.

partial problem resolving kernel-error.de

2017-05-30 Thread A. Schulze via Unbound-users
Hello, the Domain use huge keys: https://zonemaster.net/test/f8b42c485139ea99 Also DNSViz http://dnsviz.net/d/kernel-error.de/dnssec/ show warnings. But most of my unbound-host resolve without problems except instances on "cheap hosted virtual machines" As far as I can tell all unbound servers

Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

2017-04-24 Thread A. Schulze via Unbound-users
Ralph Dolmans via Unbound-users: Are you sure you are not looking at subqueries generated by Unbound, like root priming queries or queries for the DNSKEY? We do not add ECS data to these queries. found it! (for queries send to ipv4 as well as ipv6 name servers) and, surprise: the data aren't

Re: using unbound-checkconf

2017-04-24 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: Thanks for the bugreport, I've added coded for the dnstap and dnscrypt variables, for unbound-checkconf and unbound-control. The fix is not for 1.6.2 because it is in release, but for 1.6.3 (you can get it from the code repository). Thanks Wouter, I

Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

2017-04-24 Thread A. Schulze via Unbound-users
Ralph Dolmans via Unbound-users: Any chance that the nameservers Unbound is sending queries to are not on the ECS whitelist (send-client-subnet)? Unbound only sends ECS data to whitelisted addresses. Ralf. 2000::/3 should cover any IPv6 nameserver. just added "send-client-subnet: 0.0.0.0/0"

Re: Unbound 1.6.2rc1 pre-release (EDNS-Subnet)

2017-04-24 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: Unbound 1.6.2rc1 maintainers prerelease is available: - Merge EDNS Client subnet implementation from feature branch into main branch, using new EDNS processing framework. Hello, I have added to unbound.conf: server: module-config: "subnetcache

Re: Unbound 1.6.2rc1 pre-release

2017-04-22 Thread A. Schulze via Unbound-users
On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote: > > > On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote: > >> Unbound 1.6.2rc1 maintainers prerelease is available: >> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and

Re: Unbound 1.6.2rc1 pre-release

2017-04-22 Thread A. Schulze via Unbound-users
On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.6.2rc1 maintainers prerelease is available: > - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and > DS records. NSEC3 is not disabled. I tried --disable-sha1 and found any org. zone no longer

using unbound-checkconf

2017-04-20 Thread A. Schulze via Unbound-users
Hello, unbound-checkconf /path/to/unbound.con -o [option] should echo the option value. That happen for all options valid in "server:" section as well as in "control:" section. But if I check for "dnstap-enable" (or "dnscrypt-enable") unbound-checkconf fail. ... fatal error: cannot print

Re: Unbound 1.6.2rc1 pre-release

2017-04-20 Thread A. Schulze via Unbound-users
On 20.04.2017 at 13:31, Ralph Dolmans via Unbound-users wrote: > We are planning to implement the key tag query part of RFC 8145 soon. > Will that be sufficient for you or do you also need the EDNS option? Hello Ralph, I read RFC again and am now aware of /two/ options to transport the key

Re: Unbound 1.6.2rc1 pre-release

2017-04-20 Thread A. Schulze via Unbound-users
On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.6.2rc1 maintainers prerelease is available: works noiseless here since a week. one question came up when I combine these two announcements: > - Add trustanchor.unbound CH TXT that gets a response with a number >

Re: configure --with-libevent not causing make unbound-event-install

2017-04-10 Thread A. Schulze via Unbound-users
On 10.04.2017 at 09:07, W.C.A. Wijngaards via Unbound-users wrote: > This install is triggered by the option --enable-event-api . Just > enabling --with-libevent does not trigger the install by itself. Oops, reading "configure --help" is an option. Uncommon but sometimes helpful :-) works

Re: configure --with-libevent not causing make unbound-event-install

2017-04-07 Thread A. Schulze via Unbound-users
On 22.03.2017 at 15:24, Paul Wouters via Unbound-users wrote: > > When building unbound with --with-libevent support, the make install > phase should also call make unbound-event-install or else unbound-event.h > does not get installed and the header file for using the unbound event >

Re: Unbound 1.6.1rc3 prerelease

2017-02-20 Thread A. Schulze via Unbound-users
On 20.02.2017 at 10:12, Ralph Dolmans via Unbound-users wrote: > Please note that this patch has some issues. We are working on a > complete implementation. I suspect the patch may have rough corners so it's good to know you're working on a better implementation... Andreas

Re: Unbound 1.6.1rc3 prerelease

2017-02-20 Thread A. Schulze via Unbound-users
A. Schulze via Unbound-users: On 14.02.2017 at 15:00, W.C.A. Wijngaards via Unbound-users wrote: Unbound 1.6.1rc3 is available: compiled Debian Jessie+Stretch without warnings. "log-replies:yes" is cool :-) Now, some days later, I like to announce the rc3 not only compile but

Re: Unbound 1.6.1rc3 prerelease

2017-02-14 Thread A. Schulze via Unbound-users
On 14.02.2017 at 15:00, W.C.A. Wijngaards via Unbound-users wrote: > Unbound 1.6.1rc3 is available: compiled Debian Jessie+Stretch without warnings. "log-replies:yes" is cool :-) Andreas

Re: FW: Validation failure signature crypto failed

2017-01-24 Thread A. Schulze via Unbound-users
On 24.01.2017 at 22:11, Jac Backus wrote: > But for mail.crypsys.nl dnsviz.net shows only an A record, but no TXT record: http://dnsviz.net/d/mail.crypsys.nl/dnssec/ - click "update now" - click "Advanced options (forced ancestor analysis, recursive, explicit delegation, etc.)" - select

Re: FW: Validation failure signature crypto failed

2017-01-24 Thread A. Schulze via Unbound-users
On 24.01.2017 at 16:56, W.C.A. Wijngaards via Unbound-users wrote: > It means that the contents of the TXT record have been altered, and the > text in it does not match the RRSIG digital signature. If this was a > spurious technical failure, it could be due to upper/lowercase somehow >

Re: prevent unbound from attempting to contact root servers?

2016-11-17 Thread A. Schulze via Unbound-users
Sonic via Unbound-users: On Wed, Nov 16, 2016 at 3:21 PM, James Ralston via Unbound-users wrote: module-config: "iterator" On the systems where I'm using just 'module-config: "iterator"' there is no root.hints or named.cache file and no attempt is made by unbound

Re: no unbound-control without certificates?

2016-11-04 Thread A. Schulze via Unbound-users
Ralph Dolmans via Unbound-users: Are you using OpenSSL 1.1? Apparently it introduced security levels and by default doesn't allow aNULL ciphers. I just committed a version to our repository that sets the security level to 0 for the remote control ssl context when control-use-cert is no.

Re: no unbound-control without certificates?

2016-11-04 Thread A. Schulze via Unbound-users
Ralph Dolmans via Unbound-users: Hi Andreas, Are you using OpenSSL 1.1? Apparently it introduced security levels and by default doesn't allow aNULL ciphers. I just committed a version to our repository that sets the security level to 0 for the remote control ssl context when control-use-cert

no unbound-control without certificates?

2016-11-03 Thread A. Schulze via Unbound-users
Hello, after update from 1.5.9 to 1.5.10 "unbound-control reload" no longer work: the relevant unbound.conf section: remote-control: control-enable: yes control-interface: /path/to/unbound-control.socket control-use-cert: no # ls -la /path/to/unbound-control.socket

unbound / ldns + openssl-1.1.x

2016-10-21 Thread A. Schulze via Unbound-users
Hello, I spend some time to compile unbound-1.5.9 and ldns-1.6.17 with openssl-1.1.0b. The current results you find attached. WARNING: unbound and ldns compile - unbound with warnings. treat the patches as if it will break major things - no guarantee! don't use them as they are. please comment

Re: cannot resolv a.mx.bsws.de

2016-08-26 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: The domain responds with a DNSSEC-signed NXDOMAIN for mx.bsws.de, and thus a.mx.bsws.de cannot exist. With qname-minimisation unbound then stops. Qname minimisation in unbound assumes that dnssec signed domains will do their NXDOMAIN correctly. (Note the

cannot resolv a.mx.bsws.de

2016-08-26 Thread A. Schulze via Unbound-users
Hello, messages to bsws.de and yos.net (same mx) fail because unbound could not resolve the names. http://dnsviz.net/d/yos.net/dnssec/ show some strange warnings. I found two ways general to solve the problem: - disable dnssec validation at all - disable qname-minimisation last resort:

Re: problems with stub-zones

2016-08-24 Thread A. Schulze via Unbound-users
On 24.08.2016 at 19:05, Benny Pedersen via Unbound-users wrote: On 2016-08-24 10:39, A. Schulze via Unbound-users wrote: forward-zone: name: "10-in-addr.arpa." forward-addr: ${nameserver1-ip} forward-addr: ${nameserver2-ip} add forward-first: yes does this fix i

Re: problems with stub-zones (solved)

2016-08-24 Thread A. Schulze via Unbound-users
A. Schulze via Unbound-users: stub-zone: name: "10.in-addr.arpa." stub-addr: ${nameserver1-ip} stub-addr: ${nameserver2-ip} Everything is fine as long as both nameservers are up. If one server fail (simple case: host up, nameserver down) client get "n

problems with stub-zones

2016-08-15 Thread A. Schulze via Unbound-users
Hello we still have an unsolved issue and cannot find a solution. It's still the same as https://www.unbound.net/pipermail/unbound-users/2015-October/004057.html ... test-setup: client -> router -> unbound -> router -> nameserver1 + nameserver2 client's /etc/resolv.conf has only one

Re: DNSSEC validaion fail for _25._tcp.eldinhadzic.com

2016-07-15 Thread A. Schulze via Unbound-users
A. Schulze: with unbound-1.5.9, we hit $subject. "qname-minimisation" was enabled. Everything is fine if I disable the feature. # posttls-finger eldinhadzic.com posttls-finger: using DANE RR: _25._tcp.eldinhadzic.com IN TLSA 2 1 2

Re: Unbound 1.5.9-1

2016-06-16 Thread A. Schulze via Unbound-users
Ralph Dolmans: Do you have QNAME minimisation enabled? yes This simple patch for 1.5.9 solves this problem. I confirm the patch solve the observed issue. Many thanks, you saved my day! Andreas

Re: Unbound 1.5.9

2016-06-15 Thread A. Schulze via Unbound-users
A. Schulze via Unbound-users: $host 2001:a60:f0b4:e503:2cdb:beff:feaa:880b unbound <= 1.5.8: success unbound = 1.5.9: SERVFAIL just noticed this happen only on a Debian Squeeze host On Debian Jessie I get the rDNS. Andreas

Re: Question on Unbound logging Best Practices

2016-06-15 Thread A. Schulze via Unbound-users
j dubbz via Unbound-users: - I suppose this might be determined by the log verbosity, so with verbosity: 1 or verbosity: 3, etc.. how does this come into play? we use do-daemonize: no logfile: "" log-queries: yes val-log-level: 2 that let unbound log the queries on stdout which is

Re: Unbound 1.5.9

2016-06-15 Thread A. Schulze via Unbound-users
A. Schulze via Unbound-users: - just upgraded and no visible problems so far Hello, there is a change in unbound-1.5.9 which make some IPv6 addresses un-resolvable. $host 2001:a60:f0b4:e503:2cdb:beff:feaa:880b unbound <= 1.5.8: success unbound = 1.5.9: SERVFAIL One reason

Re: Unbound 1.5.9

2016-06-13 Thread A. Schulze via Unbound-users
On 13.06.2016 at 16:57, W.C.A. Wijngaards via Unbound-users wrote: Unbound 1.5.9 is available: http://www.unbound.net/downloads/unbound-1.5.9.tar.gz - unbound.conf.5.in: the new text for freebind: "adress" should be "address" - just upgraded and no visible problems so far Thanks for

Re: Nailing up TCP connections

2016-04-06 Thread A. Schulze via Unbound-users
Noah Robin via Unbound-users: In my environment, we have a plant of internal recursive servers for our data center and separate plants of authoritative servers; something like 65-85% of the traffic outbound from our recursive plants (several hundred queries/sec per client machine) is destined

Re: Multiple unbound instances

2016-03-04 Thread A. Schulze via Unbound-users
Miguel Miranda via Unbound-users: Hello to all, im installing a load balancer and i want to run multiple unbound instances, im doing this because my it experts says it is not recommended to have a huge cache (i have 32GB available) it is better to have 2 or 3 GB cache in multiple unbound

unbound-control: general question

2016-02-25 Thread A. Schulze via Unbound-users
Hello, as far as I understand the unbound.conf(5) the communication between unbound-control and unbound itself always require the setup of an TLS connection. Is this also true when we setup control-interface as a unix socket. But we could set control-use-cert: no control-interface:

Re: Unbound 1.5.8rc1 prerelease

2016-02-25 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: The 1.5.8rc1 release candidate is available http://www.unbound.net/downloads/unbound-1.5.8rc1.tar.gz works as expected here (Debian Jessie) Thanks for unbound! Andreas

SOLVED: postbank.de / dslbank.de and DNSSEC and DANE

2016-02-02 Thread A. Schulze via Unbound-users
Daisuke HIGASHI: All postbank.de nameservers are sending malformed UDP reply with TC. But my Unbound (1.5.7) resolver retries query via TCP to get correct answer. Your firewall is dropping malformed DNS messages or TCP DNS queries? not that I know / no firewall in the way and tcp is

Re: Concerns about DNS & DHCP integration

2016-01-28 Thread A. Schulze via Unbound-users
Hernan Saltiel via Unbound-users: just to let those users connect to their PCs using DNS records, and not IP addresses, one possibility would be a dyndns service. Andreas

Re: howto resolve 10.in-addr.arpa

2015-10-08 Thread A. Schulze via Unbound-users
W.C.A. Wijngaards via Unbound-users: My guess is both do not work and the TTL is different. not impossible ... Normally, unbound should try both addresses, and I guess it is trying them but the other also does not work. unbound-control lookup can be used to get the info on those two IP

howto resolve 10.in-addr.arpa

2015-10-07 Thread A. Schulze via Unbound-users
Hello, we have the following configuration to point unbound-1.5.4 to our private nameservers: server: local-zone: "10.in-addr.arpa." transparent domain-insecure: "10.in-addr.arpa." stub-zone: name: "private.example.com." stub-addr: "10.0.1.53" stub-addr: "10.0.2.53" stub-zone:

rfc6761 compliance

2015-09-11 Thread A. Schulze via Unbound-users
Hello, the RFC 6761 give some advise how caching DNS servers SHOULD handle queries for reserved domains. Mostly it say "do not send queries to the root name servers" ... point 4 in any case ... http://tools.ietf.org/html/rfc6761#section-6.2 ( domain "test." )