Re: Performance issue between 1.5.8-1ubuntu1.1 (xenial) and 1.6.7-1ubuntu2.1 (bionic)

2018-06-25 Thread Robert Edmonds via Unbound-users
Ralf Hildebrandt via Unbound-users wrote: > Before the update (running unbound 1.5.8-1ubuntu1.1) we were seeing query > times around 20ms: After the upgrade (1.6.7-1ubuntu2.1) those rose to > 40ms. > > See these graphs: > https://www.arschkrebs.de/bugs/dnssvc30d.png >

Re: unbound doesn't remove pidfile

2018-03-07 Thread Robert Edmonds via Unbound-users
Shawn Zhou via Unbound-users wrote: > I am running unbound 1.5.8 on ubuntu xenial. unbound doesn't remove the > pid file after it's stopped. I believe the unbound packaging on Ubuntu xenial is old enough that it still uses the sysv generator to create the service unit. You will probably want

Re: NOTIMP for unrecognized qtypes

2017-08-02 Thread Robert Edmonds via Unbound-users
Petr Špaček via Unbound-users wrote: > Well, the spec is from 1987. Even the meaning of MUST/SHOULD etc. was > not standardized yet back then ... Even worse, this language appears to have been copied verbatim from RFC 883, which is even older (1983) :-) -- Robert Edmonds edmo...@debian.org

Re: NOTIMP for unrecognized qtypes

2017-07-27 Thread Robert Edmonds via Unbound-users
Jacob Hoffman-Andrews via Unbound-users wrote: > I'm trying to write some documentation for users of Let's Encrypt about > CAA. I believe it's the case that standards-conformant authoritative > resolvers should return NOERROR for qtypes they don't recognize, rather > than NOTIMP. Is this correct?

Re: Trust rules and DNSSEC signatures

2017-04-27 Thread Robert Edmonds via Unbound-users
Florian Weimer via Unbound-users wrote: > Does Unbound use otherwise non-trustworthy data simply because it has > valid DNSSEC signatures? > > I'm asking because of this recent dnsop thread: > > Hi, Florian: It's been

Re: trust-anchor-file, auto-trust-anchor-file, trust-anchor

2017-02-24 Thread Robert Edmonds via Unbound-users
Edward Lewis via Unbound-users wrote: > Is the use of trust-anchor-file for the public root zone KSK popular? Do > folks use it much at all (regardless of zone)? The same for trust-anchor > statements, which appear to be in-line of the configuration file. Hi, Ed: We ship the Debian package

Re: unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Robert Edmonds via Unbound-users
Paul Wouters via Unbound-users wrote: > On Fri, 3 Jun 2016, Daisuke HIGASHI wrote: > > > Subject: Re: unbound listening sporadically on 0.0.0.0 high ports when > > configured for 127.0.0.1 ? > > > My guess is: UDP sockets for outgoing query > > from Unbound to authoritative servers. > > >

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
Dave Warren via Unbound-users wrote: > On 2016-03-16 10:46, Robert Edmonds via Unbound-users wrote: > >Not quite, I want to avoid two things: > > > >1) The sysadmin should never have to update the root hints by hand. > >"apt update && apt upgrade"

Re: L-Root IPv6 address renumbering

2016-03-19 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > But I think just setting the configuration option for root-hints in > unbound.conf is probably just what you want? Do you still need to be > able to set a default value for the root-hints file location, or is it > just as good to set it in unbound.conf

Re: L-Root IPv6 address renumbering

2016-03-15 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > I have updated the default root hints that ship inside the source code > of Unbound (in the code repository, for future releases). Thank you for > the notification. > > Users can upgrade the root hints right now by editing the named.root (or >

Re: python unbound issues

2016-02-22 Thread Robert Edmonds via Unbound-users
Spike Morelli (DRBA) via Unbound-users wrote: > 1) unbound-checkconfig complains that the python module isn't there: > > [1456179172] unbound-checkconf[5330:0] fatal error: module conf 'python > iterator' is not known to work > > looking at the source code this seems to be due to

Re: [patch] insecure-lan-zones

2016-02-06 Thread Robert Edmonds via Unbound-users
Dag-Erling Smørgrav via Unbound-users wrote: > I hope I got the Makefile.in part right - it's pretty gross. Why don't > you use automake? +1 to Automake :-) Hacking on Unbound's Makefile.in is not fun. -- Robert Edmonds edmo...@debian.org

Unbound and intermittent network connectivity?

2015-12-18 Thread Robert Edmonds via Unbound-users
Hi, I have a few recent bug reports from Debian users that Unbound stops resolving after brief interruptions in network connectivity. Especially from users on laptops, which are typically not as well-connected as servers or workstations with wired Ethernet connections.

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-10 Thread Robert Edmonds via Unbound-users
Tomas Hozza via Unbound-users wrote: > On 04.11.2015 17:35, Phil Mayers wrote: > > The code tries to open an IPv6 socket, the kernel tries to load the module, > > SELinux denies and logs this. Each of these items is by design. Which are > > you suggesting should change? > > I think it makes

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-04 Thread Robert Edmonds via Unbound-users
Hi, Phil Mayers via Unbound-users wrote: > On 04/11/2015 15:49, Tomas Hozza wrote: > > >If you have some strong technical argument for this behavior I would > >be more than glad to hear it. The reason is that similar people will > >fight hard against having Unbound as the default DNS resolver in

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-04 Thread Robert Edmonds via Unbound-users
Phil Mayers via Unbound-users wrote: > On 04/11/2015 17:21, Robert Edmonds wrote: > >Is the problem perhaps that "ipv6.disable=1" on the kernel command line > >should be accompanied by "alias net-pf-10 off" in the modprobe > >configuration in order to prevent useless autoloading attempts? > > Is

Re: unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

2015-11-03 Thread Robert Edmonds via Unbound-users
Paul Wouters via Unbound-users wrote: > FYI: > > rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in > /etc/sysctl.conf > > https://bugzilla.redhat.com/show_bug.cgi?id=1231946 > > Paul Hi, Paul: I'm a bit confused. unbound-anchor is an ordinary program that uses the

Re: unbound and systemd

2015-10-14 Thread Robert Edmonds via Unbound-users
Sami Kerola via Unbound-users wrote: > The stuff I did to avoid pkg-config is not nice. Fixing that would > require dependency that not all projects agree. What is your view > to add pkg-config dep? Hi, Using pkg-config is the documented way to detect the correct library to link against for

Re: inconsistent forward-zone behavior between config files, unbound-control

2015-09-22 Thread Robert Edmonds via Unbound-users
A. Schulze via Unbound-users wrote: > On 22.09.2015 at 19:02, Mike Brown via Unbound-users wrote: > >* by default, queries go to my ISP's resolvers (Comcast: 75.75.75.75 & > >75.75.76.76) > why would you do that? Comcast's 75.75.75.75 and 75.75.76.76 nameservers are anycasted. 75.75.75.75 in

Re: rfc6761 compliance

2015-09-22 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: > It is not a particularly heavy root server load to mitigate, less code > is better and easier, the unblock-lan-zones statement is a frequently > asked question from our users. That said, we could add new code for > this (and .onion?). Hi, Wouter: I

Re: Query logging performance

2015-08-04 Thread Robert Edmonds via Unbound-users
W.C.A. Wijngaards via Unbound-users wrote: On 03/08/15 19:50, Darren Spruell via Unbound-users wrote: Unbound's documentation mentions that query logging can have very adverse performance on server operation. I was curious if the project feels this has been optimized to the degree possible

Re: Using unbound-anchor for non-default trust anchor

2015-07-28 Thread Robert Edmonds via Unbound-users
Edward Lewis via Unbound-users wrote: unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org. I am trying to test RFC 5011 capabilities by following these websites: http://keyroll.systems and http://icksk.dnssek.info/fauxroot.html Goal is to run unbound-anchor as a