Re: can't bind socket: Permission denied for IPv6 (port below 1024)

2018-07-03 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 03/07/18 13:39, nusenu via Unbound-users wrote: >> I can see the similar issue with similar config (which is there btw >> because of selinux preventing use of non-dynamic ports. >> >> Jul 3 12:56:28 resolver unbound: [18382:0] error: can't bind socket: >> Permission denied for :: >> Jul

Re: can't bind socket: Permission denied for IPv6 (port below 1024)

2018-07-03 Thread W.C.A. Wijngaards via Unbound-users
Hi Nusenu, On 02/07/18 20:58, nusenu via Unbound-users wrote: > > > W.C.A. Wijngaards via Unbound-users: >>> Will this be included in future unbound releases? >> >> Yes, sure. I'll keep it in. Perhaps something similar is happening and >> is what I need t

Re: can't bind socket: Permission denied for IPv6

2018-07-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Nusenu, On 02/07/18 10:42, nusenu via Unbound-users wrote: > > > W.C.A. Wijngaards via Unbound-users: >> I think it is harmless, but the permission denied shouldn't really be >> happening? In the code repository is a patch that prints out the port >> number as we

Re: can't bind socket: Permission denied for IPv6

2018-07-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Nusenu, On 30/06/18 18:07, nusenu via Unbound-users wrote: > >>> I've got the following intermittent socket bind errors in my log files: >>> >>> error: can't bind socket: Permission denied for >> >> Does the patch fix the problem for you? > > I'm running 1.7.3 with this patch applied and

Re: libsystemd not found an error

2018-07-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Yoshi Horigome, On 30/06/18 04:02, Yoshi Horigome via Unbound-users wrote: > Hello, > > Attempting to configure r4762 is now "libsystemd not found". > However, we have confirmed that libsystemd related packages are > installed as follows. It needs the libsystemd-dev package with the header

Re: auth-zones and DNS NOTIFY

2018-06-26 Thread W.C.A. Wijngaards via Unbound-users
Hi Harry, On 24/06/18 20:20, Harry Schmalzbauer wrote: > On 23.06.2018 at 20:26, Harry Schmalzbauer via Unbound-users wrote: >> On 17.04.2018 at 15:26, W.C.A. Wijngaards via Unbound-users wrote: >>> Hi Harry, >>> >>> Yes, DNS NOTIFY is implemented in the cur

Re: can't bind socket: Permission denied for IPv6

2018-06-26 Thread W.C.A. Wijngaards via Unbound-users
Hi nusenu, On 24/06/18 13:12, nusenu via Unbound-users wrote: > Hi, > > I've got the following intermittent socket bind errors in my log files: > > error: can't bind socket: Permission denied for Does the patch fix the problem for you? If so, the flowinfo or scopeid information is changed

Unbound 1.7.3rc1 pre-release

2018-06-15 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.3rc1 pre-release is available. https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.3rc1.tar.gz sha256 78913d28ff7dfa5fe8a69f235956bfdcb4cc4bdaeb45f03ed6eba5ebddfad5d0 pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.3rc1.tar.gz.asc This release fixes a bug in qname

Unbound 1.7.2 released

2018-06-11 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.2 is available: https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2.tar.gz sha256 a85fc7bb34711992cf128b2012638ebb8dc1fe15818baa381f6489240845eaa0 pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2.tar.gz.asc This release fixes bugs in DNS-over-TLS for windows, and

Re: tls-cert-bundle file not provided in OpenWRT

2018-06-08 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 08/06/18 09:39, ѽ҉ᶬḳ℠ via Unbound-users wrote: > For some reason the OpenWRT repo does not seem to provide a single > tls-cert-bundle file but rather a collection of single root > certificates from different providers located in /etc/ssl/certs. > > Does Unbound require a single

Re: libunbound: setting a deadline/timeout for ub_resolve

2018-06-07 Thread W.C.A. Wijngaards via Unbound-users
Hi Alex, On 08/06/18 01:57, Alex Zorin via Unbound-users wrote: > Hello, > > I'm using libunbound to perform iterative DNS lookups for a diagnostic > service: github.com/letsdebug/letsdebug . > > One of the problems I have is when one or more of a domain's authoritative > nameservers are

Re: Private zone and access control

2018-06-05 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 03/06/18 19:17, Ict Security via Unbound-users wrote: > Hi all, > > i have defined access control for a specific class of IPs and > everything is working fine, both for recursive and private class > requests. > > Now, i would like to define a static zone and grant everyone (public) > to

Re: Unbound 1.7.2rc1 pre-release

2018-06-05 Thread W.C.A. Wijngaards via Unbound-users
Hi Harry, On 05/06/18 09:23, Harry Schmalzbauer wrote: > On 04.06.2018 at 14:07, W.C.A. Wijngaards via Unbound-users wrote: >> Hi, >> >> Unbound 1.7.2rc1 pre-release is available: >> https://www.nlnetlabs.nl/downloads/unbound/unboun

Unbound 1.7.2rc1 pre-release

2018-06-04 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.2rc1 pre-release is available: https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2rc1.tar.gz sha256 561c33f80b757820e3bd632cd339673da84a71dbb6328d124324db2c63a7f833 pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2rc1.tar.gz.asc This release fixes bugs in

Re: auth-zones and DNS NOTIFY

2018-06-04 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 04/06/18 11:29, Harry Schmalzbauer wrote: > On 04.06.2018 at 11:01, W.C.A. Wijngaards wrote: >> Hi Harry, >> >> On 02/06/18 19:24, Harry Schmalzbauer wrote: >>> On 02.06.2018 at 16:44, Harry Schmalzbauer via Unbound-users wrote: >>>> Am 17.04.2

Re: Multiple stub-addr:|master: [Was: Re: Multiple forward-addr: _ order of evaluation?]

2018-06-04 Thread W.C.A. Wijngaards via Unbound-users
Hi Harry, On 01/06/18 19:22, Harry Schmalzbauer via Unbound-users wrote: > On 09.01.2018 at 10:53, Ralph Dolmans via Unbound-users wrote: >> Hi Harry, >> >> Unbound selects forward addresses in the same way as it selects >> addresses for normal delegations. That is a random selection over the >>

Re: auth-zones and DNS NOTIFY

2018-06-04 Thread W.C.A. Wijngaards via Unbound-users
Hi Harry, On 02/06/18 19:24, Harry Schmalzbauer wrote: > On 02.06.2018 at 16:44, Harry Schmalzbauer via Unbound-users wrote: >> On 17.04.2018 at 15:26, W.C.A. Wijngaards via Unbound-users wrote: >>> Hi Harry, >>> >>> Yes, DNS NOTIFY is implemented in the cur

Re: duplicate local-zone

2018-06-04 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 01/06/18 21:48, Fongaboo via Unbound-users wrote: > > I've compiled a blacklist of adtracking sites that I'm trying to block > by redirecting to 127.0.0.1. Some example entries: > > local-zone: "0-act.channel.facebook.com" redirect > local-data: "0-act.channel.facebook.com A 127.0.0.1" >

Re: Jostle logic seems to randomly stop working

2018-05-31 Thread W.C.A. Wijngaards via Unbound-users
Hi Dmitri, There is a fix slated for the next release, which is as a patch below. I think this will solve those non-jostle list too full errors. It decrements the num_reply_states counter and thus the incoming queries won't get dropped any more because that counter became too big. Best regards,

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-29 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas, James, On 29/05/18 20:46, A. Schulze via Unbound-users wrote: > > > On 29.05.2018 at 09:07, A. Schulze via Unbound-users wrote: > >> I'll try to recompile the Debian package to catch configure output ... >> @James: which Debian Version? > > OK, here are the logs and patched

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-29 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas, On 29/05/18 09:07, A. Schulze via Unbound-users wrote: > > > On 28.05.2018 at 23:01, James Cloos via Unbound-users wrote: >> >> I don't have the configure output; this is debian's compile > I'll try to recompile the Debian package to catch configure output ... > @James: which

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-29 Thread W.C.A. Wijngaards via Unbound-users
Hi James, On 28/05/18 23:01, James Cloos wrote: >> "WW" == W C A Wijngaards via Unbound-users >> writes: > >>> Unbound *always* should fall back to urandom(4) when getentropy(3) >>> results in ENOSYS, even when compiled against a kernel which advertizes >>> support for getrandom(2). >

Re: Unbound 1.7.1 failing on some kvm servers

2018-05-28 Thread W.C.A. Wijngaards via Unbound-users
Hi James, On 25/05/18 19:06, James Cloos via Unbound-users wrote: >> James Cloos via Unbound-users writes: > >> I have a number of kvm instances running debian where unbound 1.7.1 >> fails. > > An LD_PRELOAD lib which implements getentropy(3) via read(3)ing >

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
es and then when server selection happens, it should omit the >> failing servers from the server selection. >> >> This may not actually be the bug you originally tried to report, but it >> should be an improvement. >> >> Best regards, Wouter >> >

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
be the bug you originally tried to report, but it should be an improvement. Best regards, Wouter On 25/05/18 08:05, W.C.A. Wijngaards via Unbound-users wrote: > Hi Yuri, > > From the logs, it looks like the connections to quad9 and cloudflare all > end, very quickly, with a tcperror. Some

Re: DNS over TLS not working

2018-05-25 Thread W.C.A. Wijngaards via Unbound-users
>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug: >>>>> bio_cb 1, before write >>>>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug: >>>>> event_del 03E97210 added=1 fd=504 tv=-1  EV_WRITE >

Re: DNS over TLS not working

2018-05-24 Thread W.C.A. Wijngaards via Unbound-users
e[18264:1] debug: >>> event_del 03E97210 added=1 fd=504 tv=-1  EV_WRITE >>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug: >>> close fd 504 >>> 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug: >>> outne

Re: DNS over TLS not working

2018-05-24 Thread W.C.A. Wijngaards via Unbound-users
ound.exe[18264:1] debug: > outnettcp got tcp error -1 > 24.05.2018 17:01:35 C:\Program Files\Unbound\unbound.exe[18264:1] debug: > tcp error for address ip4 1.1.1.1 port 853 (len 16) > > and no resolve. > > > > 24.05.2018 15:57, W.C.A. Wijngaards wrote: >> Hi Yur

Re: DNS over TLS not working

2018-05-24 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, On 09/05/18 16:51, Yuri wrote: > > > 09.05.2018 11:51, W.C.A. Wijngaards via Unbound-users wrote: >> Hi, >> >> No idea what is going on anymore, here is two new sets of binaries. >> >> These are made with openssl 1.0.2j. The code in unbound tha

Re: Some sites not resolving (DNSSEC?)

2018-05-23 Thread W.C.A. Wijngaards via Unbound-users
Hi Hank, On 23/05/18 15:23, Hank Barta via Unbound-users wrote: > Hi all, > I use pfsense for my firewall and have selected the unbound resolver for > DNS on my home LAN. I have configured this to use Cloudflare DNS with > DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support" >

Re: Jostle logic seems to randomly stop working

2018-05-23 Thread W.C.A. Wijngaards via Unbound-users
Hi Dmitry, On 19/05/18 03:59, Dmitri Kourennyi via Unbound-users wrote: > More investigation results: > > I think the issue appears when unbound is trying to probe the master > servers for > the auth_zone section. The logs show unbound doing lookups on all the > auth_zone > domain names in my

Re: Unbound on FreeBSD 11, uses just one of 8 threads?

2018-05-22 Thread W.C.A. Wijngaards via Unbound-users
Hi Viktor, On 23/05/18 01:45, Viktor Dukhovni via Unbound-users wrote: > > I have 8 threads configured, anyone know why unbound would > do all the work in just one thread? Previously people that asked this, had a usage that one thread could satisfy. Perhaps the other cpu cores are running some

Re: DNS over TLS not working

2018-05-08 Thread W.C.A. Wijngaards via Unbound-users
thout first negotiating TLS. >> >> It correctly reaches out to 1.1.1.1:853, but it doesn't negotiate a >> TLS connection.  Is there anything I could do to help fix this? >> >> -Ray >> >> On 5/7/2018 8:25 AM, W.C.A. Wijngaards via Unbound-users wrote: >>> Hi Yu

Re: DNS over TLS not working

2018-05-08 Thread W.C.A. Wijngaards via Unbound-users
wrote: > Is it possible that it is OpenSSL-related issue? Does OpenSSL library in > windows unbound statically linked? > > 08.05.2018 18:12, W.C.A. Wijngaards via Unbound-users wrote: >> Hi Yuri, >> >> On 08/05/18 14:07, Yuri via Unbound-users wrote: >>> N

Re: DNS over TLS not working

2018-05-08 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, On 08/05/18 14:07, Yuri via Unbound-users wrote: > Nop, > > I've disabled all firewalls with same results. > > And when I've tried to open TCP socket on 1.1.1.1 port 853 with telnet - > it's opens. > Yes, Unbound logs also shows that the connection opens. But then nothing but

Re: forward zones with broken forwarders

2018-05-08 Thread W.C.A. Wijngaards via Unbound-users
Hi Florian, On 08/05/18 10:44, Florian Riehm via Unbound-users wrote: > Hi, > > Often I see unbound configurations with multiple forwarders for zones > like this: > forward-zone: >     name: "." >     forward-addr: 1.1.1.1 >     forward-addr: 1.1.1.2 >     forward-addr: 1.1.1.3 >    

Re: DNS over TLS not working

2018-05-07 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, On 07/05/18 16:16, Yuri via Unbound-users wrote: > Just checked. Unfortunately, patch does not fix issue. > > Same symptom. Timeout, then no resolve. From your previous logs, what unbound does is connect, then write. Then it gets nothing to read. Until the timeout happens. The

Re: DNS over TLS not working

2018-05-07 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, On 05/05/18 01:01, Yuri via Unbound-users wrote: > I can confirm this issue. > > 1.7.1 64bit does not work with DoT on Win10. > > Verbosity 4 log and service config attached. > > See no anomalies in log, however no resolve. > > Simplified config (OpenDNS, no DNSSEC etc.) - works. >

Re: DNS over TLS not working

2018-05-04 Thread W.C.A. Wijngaards via Unbound-users
Hi Raymond, On 03/05/18 22:43, Raymond Bannan via Unbound-users wrote: > I've spent several hours trying various permutations of the following > config, but no matter what I do I can't get unbound to forward a DNS > request over TLS: This config looks correct. It should be connecting with TLS.

Unbound 1.7.1 release

2018-05-03 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.1 is available for download: https://www.unbound.net/downloads/unbound-1.7.1.tar.gz sha256 56e085ef582c5372a20207de179d0edb4e541e59f87be7d4ee1d00d12008628d pgp https://www.unbound.net/downloads/unbound-1.7.1.tar.gz.asc Note: The NLnet Labs website has been updated, and now

Re: Unbound 1.7.1rc1 pre-release

2018-04-30 Thread W.C.A. Wijngaards via Unbound-users
Hi Yuri, On 26/04/18 21:34, Yuri via Unbound-users wrote: > 1.7.1rc1 runs well with DNS-over-TLS. > > Is it will be in 1.7.1 release? > Yes, those DNS-over-TLS features are part of 1.7.1. Best regards, Wouter

Re: Unbound 1.7.1rc1 pre-release

2018-04-30 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas, On 26/04/18 17:32, A. Schulze via Unbound-users wrote: > > > On 26.04.2018 at 10:09, W.C.A. Wijngaards via Unbound-users wrote: >> Hi, >> >> Unbound 1.7.1rc1 pre-release is available: >> https://unbound.net/downloads/

Re: Unbound 1.7.1rc1 pre-release

2018-04-26 Thread W.C.A. Wijngaards via Unbound-users
of low-rtt-pct is technically the wrong term and we intend to replace it with "promille" (likely in a future release, together with user experience feedback changes). Best regards, Wouter On 26/04/18 10:09, W.C.A. Wijngaards via Unbound-users wrote: > Hi, > > Unbound 1.7.

Unbound 1.7.1rc1 pre-release

2018-04-26 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.1rc1 pre-release is available: https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz sha256 46f48ef7c1dde9363d647edbb0f2bdee48be3ef0f53dbc1169f1076aae6ff4e6 pgp https://unbound.net/downloads/unbound-1.7.1rc1.tar.gz.asc This is the maintainers pre-release. This release has root

Re: Domain not being resolved?

2018-04-18 Thread W.C.A. Wijngaards via Unbound-users
Hi Søren, On 18/04/18 11:54, Søren Peter Skou via Unbound-users wrote: > Hiya all, > >   > > This perplexes me a bit. My unbound seems to have taken a dislike > towards a couple of domains. Specifically frederiksberg.dk and fkb.dk > and the tld .ke If I try doing a dig ns frederiksberg.dk  and

Re: auth-zones and DNS NOTIFY

2018-04-17 Thread W.C.A. Wijngaards via Unbound-users
Hi Harry, Yes, DNS NOTIFY is implemented in the current code repo version. You can specify additional sources with allow-notify. Best regards, Wouter On 25/03/18 16:25, Harry Schmalzbauer via Unbound-users wrote: > Hello, > > thanks for the auth-zone feature in 1.7! > > Unfortunately, for

Re: DGA Attack mitigation

2018-04-10 Thread W.C.A. Wijngaards via Unbound-users
Hi Mahdi, This may not be what you are looking for but the just released aggressive-nsec: yes option uses DNSSEC aggressive NSEC processing to cache more NXDOMAINs per upstream lookup, and more quickly respond to NXDOMAINs, resulting in less upstream traffic and less load on the server for

Re: serve-expired seems to break flush_zone

2018-04-09 Thread W.C.A. Wijngaards via Unbound-users
Hi Marc, On 06/04/18 17:05, Marc Branchaud wrote: > On 2018-04-06 02:47 AM, W.C.A. Wijngaards via Unbound-users wrote: >> Hi Marc, >> >> On 04/04/18 20:29, Marc Branchaud via Unbound-users wrote: >>> Hi all, >>> >>> I have a simple for

Re: serve-expired seems to break flush_zone

2018-04-06 Thread W.C.A. Wijngaards via Unbound-users
Hi Marc, On 04/04/18 20:29, Marc Branchaud via Unbound-users wrote: > Hi all, > > I have a simple forward-everything setup with serve-expired enabled: > > server: >     serve-expired: yes > forward-zone: >     name: . >     forward-addr: X.X.X.X > > If I use "flush_zone ."

Re: auth-zone and forward-zone on unbound-1.7.0

2018-04-04 Thread W.C.A. Wijngaards via Unbound-users
Hi Guillaume-Jean, On 04/04/18 11:41, Guillaume-Jean Herbiet via Unbound-users wrote: > Hi, > > While doing some experiments, I am facing an issue while mixing > auth-zone and forward-zone. This bug was just fixed after a redhat bugreport. The fix is in the code repository, this is the patch

Re: specify multiple TLS-Ports?

2018-03-15 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas, Guillaume-Jean, Sounds useful, so I've added the option to list a number of additional tls ports to provide tls service on. With additional-tls-port: 443 (perhaps more with more port numbers to provide tls service on) in unbound.conf. For other, you also need to configure an

Unbound 1.7.0 release

2018-03-15 Thread W.C.A. Wijngaards via Unbound-users
Hoi, Unbound 1.7.0 is available: https://www.unbound.net/downloads/unbound-1.7.0.tar.gz sha256 94dd9071fb13d8ccd122a3ac67c4524a3324d0e771fc7a8a7c49af8abfb926a2 pgp https://www.unbound.net/downloads/unbound-1.7.0.tar.gz.asc This release adds authority zones, for a local copy of the root zone, and

Re: Unbound 1.7.0rc3 pre-release

2018-03-13 Thread W.C.A. Wijngaards via Unbound-users
Hi Andreas, On 12/03/18 17:35, A. Schulze via Unbound-users wrote: > > > On 12.03.2018 at 10:45, W.C.A. Wijngaards via Unbound-users wrote: >> Changes: >> - Added documentation for aggressive-nsec: yes. > > I also suggest to say "Default is no" instead

Unbound 1.7.0rc3 pre-release

2018-03-12 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.0rc3 maintainers prerelease is available: https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz sha256 209e94c1da10c839f52e04b79ab4ea8b6fc3d88bbe544d9053b96d330538170c pgp https://www.unbound.net/downloads/unbound-1.7.0rc3.tar.gz.asc It was updated from rc3, because some

Re: Unbound 1.7.0rc2 pre-release

2018-03-12 Thread W.C.A. Wijngaards via Unbound-users
Hi, On 11/03/18 22:33, Kazunori Fujiwara via Unbound-users wrote: >> From: Ralph Dolmans via Unbound-users >>> - Aggressive use of NSEC is not so transparent to me. >>> unsure, what I really may expect here. Under which conditions is this >>> active? >> >> When this

Unbound 1.7.0rc2 pre-release

2018-03-08 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.7.0rc2 maintainers prerelease is available: https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz sha256 ed5e4529af6b1e70abaa835ec667db2a8b47ae479563b5f3b25b7a034eed pgp https://www.unbound.net/downloads/unbound-1.7.0rc2.tar.gz.asc It was updated from rc1 because the patch

Re: Unbound 1.7.0rc1 pre-release

2018-03-07 Thread W.C.A. Wijngaards via Unbound-users
, not -p0. Also, I don't agree that the spelling is improved by lintian. But to remove the warning, the patch is applied. Best regards, Wouter On 06/03/18 23:32, A. Schulze via Unbound-users wrote: > > > On 06.03.2018 at 11:02, W.C.A. Wijngaards via Unbound-users wrote: >> U

Re: unbound doesn't remove pidfile

2018-03-06 Thread W.C.A. Wijngaards via Unbound-users
Hi Shawn, Unbound tries to remove the pidfile on exit. It also tries to chown it, if the username is set in unbound.conf. Also if the pidfile is not located inside the chroot, then unbound cannot remove the pidfile itself. Best regards, Wouter On 07/03/18 03:03, Shawn Zhou via Unbound-users

Re: unbound binaries execution issue

2018-03-06 Thread W.C.A. Wijngaards via Unbound-users
Hi, Yes the key files are platform independent. Best regards, Wouter On 06/03/18 06:54, SIMON BABY via Unbound-users wrote: > Hello Paul, > > Thank for looking into my issue. Yes, Am  cross compiling for the > target. Below is my configuration logs.  I am implementing the client > resolver

Re: stub-zone not returning A record for cname

2018-02-09 Thread W.C.A. Wijngaards via Unbound-users
Hi Joe, On 05/02/18 14:05, Joe via Unbound-users wrote: > Hi list >   > I have a stub-zone entry like the following: > stub-zone: >     name: "office.intra" >     stub-addr: 10.0.0.1 >     stub-addr: 10.0.0.2 >   > This works great except for CNAME entries, where I get the CNAME but

Re: Load a certificate without restart

2018-01-19 Thread W.C.A. Wijngaards via Unbound-users
Hi Sebastian, On 04/01/18 13:37, Sebastian Schmidt via Unbound-users wrote: > Hello,  > > I'm wondering if unbound has a method where a new certificate can be loaded > without restarting unbound. This would be helpful when loading for > short-lived (1 day) DNSCrypt certificates and potentially

Re: unbound and meson build

2018-01-08 Thread W.C.A. Wijngaards via Unbound-users
Hi Sami, On 07/01/18 21:08, Sami Kerola via Unbound-users wrote: > Hello Wouter, and others, > > Would Unbound project be interested moving away from hand-written > Makefile.am and other autotool stuff to meson? Here is a preview > (hopefully to future) how things could look with meson: Thanks

Re: wildcard dnssec test fails

2018-01-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Viktor, On 20/12/17 09:15, Viktor Dukhovni via Unbound-users wrote: > On Tue, Dec 19, 2017 at 06:08:50AM +, Viktor Dukhovni wrote: > >> The original code uses non-portable undefined overflow behaviour >> for signed integer arithmetic. The compiler is free to replace >> "incep - expi >

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users
Hi, Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the code change. So that won't work as a workaround. Best regards, Wouter On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote: > Hi Sebastian > > On 15/12/17 10:19, Sebastian Schmidt via Unbound-us

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users
Hi Sebastian On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote: > On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users > (unbound-users@unbound.net) wrote: >> When I run unbound-host, I get no errors, 

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users
Hi Sebastian, Viktor, On 15/12/17 01:26, Viktor Dukhovni via Unbound-users wrote: > On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote: > >> I've unbound setup on FreeBSD 11.1 and I can't figure out why "drill >> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this >>

Re: Compiling Unbound for algorithm 15 on Ubuntu 16.04

2017-12-07 Thread W.C.A. Wijngaards via Unbound-users
Hi Marco, The right way is to use openssl 1.1.1, but it is maybe not available. With libnettle, unbound has to compile --with-libunbound-only for it to work. But then you don't have the daemon. So that was not what you wanted, instead you wanted a very new openssl. You can compile

Re: Undefined symbols compiling on OmniOS

2017-12-04 Thread W.C.A. Wijngaards via Unbound-users
Hi Nadine, The respip.lo is not getting included in the link line. Does this diff solve the problem? It omits += from the Makefile. If that does not work, perhaps use gmake? Index: Makefile.in === --- Makefile.in (revision 4413)

Re: Configuration issue

2017-11-28 Thread W.C.A. Wijngaards via Unbound-users
los.kanare...@artsalliancemedia.com> >> >> www.artsalliancemedia.com <http://www.artsalliancemedia.com> > <http://www.artsalliancemedia.com/> >> >>   >> >> Landmark House >> Hammersmith Bridge Road >> London W6 9EJ__ >>

Re: Configuration issue

2017-11-27 Thread W.C.A. Wijngaards via Unbound-users
Hi, The order does not matter for local-zone, local-data, forward and stub clauses. Unbound picks the closest one. First the local-zone and local-data statements are processed. Then the cache of forward and stub data. Then the lookup via forward and stub data. You could create a local-zone:

Re: Negative cache being ignored.

2017-10-17 Thread W.C.A. Wijngaards via Unbound-users
Hi Dylan, Negative ttls are for negative answers, like NXDOMAIN and NOERROR/NODATA answers. This is where that configuration option applies. The max neg ttl setting reduces TTL values from the authority. It does not increase them. But this response is not an NXDOMAIN or NOERROR/NODATA, so

Unbound 1.6.7 release

2017-10-10 Thread W.C.A. Wijngaards via Unbound-users
Hi, This is the unbound 1.6.7 release. https://www.unbound.net/downloads/unbound-1.6.7.tar.gz sha256 4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f pgp https://www.unbound.net/downloads/unbound-1.6.7.tar.gz.asc This release sets the default for trust anchor signaling to yes.

Unbound 1.6.7rc1 pre-release

2017-10-05 Thread W.C.A. Wijngaards via Unbound-users
Hi, This is the unbound 1.6.7rc1 prerelease. https://www.unbound.net/downloads/unbound-1.6.7rc1.tar.gz sha256 a92b673d66b57f3fd3d2e21da2174ec21ab76500ba2e07545287e206c52504a1 pgp https://www.unbound.net/downloads/unbound-1.6.7rc1.tar.gz.asc This release sets the default for trust anchor

Re: Relative path for include and *-file

2017-10-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Newell, On windows, the directory is the directory of the exe file. Set that as the working directory before starting unbound. So, set the paths relative to the location of unbound.exe. Best regards, Wouter On 26/09/17 14:47, Newell Zhu via Unbound-users wrote: > Hi > > I face a problem

Re: unbound-host.exe not accept -C option now

2017-09-21 Thread W.C.A. Wijngaards via Unbound-users
Hi Newell, I believe that windows, just like some BSDs, require the commandline options before the commandline argument(s). Put the -C option after the -d option, and put the www-name at the end of the line. Best regards, Wouter On 21/09/17 15:21, Newell Zhu via Unbound-users wrote: > Hey, >

Re: local-zones

2017-09-18 Thread W.C.A. Wijngaards via Unbound-users
Hi Ernie, You did add them in local-zone type 'static', right? Some of the other types can ask the internet for data. If that is not it, I don't know what's going on. Best regards, Wouter On 18/09/17 15:02, Ernie Luzar via Unbound-users wrote: > I have noticed something that doesn't seem

Unbound 1.6.6 release

2017-09-18 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.6 is available: https://unbound.net/downloads/unbound-1.6.6.tar.gz sha256 972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390 pgp https://unbound.net/downloads/unbound-1.6.6.tar.gz.asc This version blocks .test and .invalid by default. It has a -p option to

Re: Unbound swapping

2017-09-14 Thread W.C.A. Wijngaards via Unbound-users
Hi Eduardo, I have no real good idea. But looking at your numbers, I see that you are running a network heavy application, unbound, and it uses about 10G on 12G memory. The buff/cache is 2G. Adds up to 12G. And it is swapping. Sounds reasonable, it is maxed out on memory, this is where swap

Unbound 1.6.6rc2 prerelease

2017-09-13 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.6rc2 prerelease is available: https://unbound.net/downloads/unbound-1.6.6rc2.tar.gz sha256 e723acf16cd8c80eea898873d98d9ba696516b1dd9571181b6b17aa0e29d91f9 pgp https://unbound.net/downloads/unbound-1.6.6rc2.tar.gz.asc The RC2 is caused by configure script changes because of

Unbound 1.6.6rc1 prerelease

2017-09-04 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.6rc1 prerelease is available: https://unbound.net/downloads/unbound-1.6.6rc1.tar.gz sha256 49a018681c44d92c9e90af905b5c699871c3de487eff38d1303229ea69bed73a pgp https://unbound.net/downloads/unbound-1.6.6rc1.tar.gz.asc This version is a prerelease for packagers and maintainers.

Re: edns-buffer-size

2017-09-01 Thread W.C.A. Wijngaards via Unbound-users
Hi T.Suzuki, Yes, 1472 is a more precise value to recommend. Changed the example config and also the man page. Best regards, Wouter On 01/09/17 16:46, T.Suzuki via Unbound-users wrote: > unbound.conf > # EDNS reassembly buffer to advertise to UDP peers (the actual buffer > # is set with

Re: refuse ANY queries

2017-08-25 Thread W.C.A. Wijngaards via Unbound-users
. Does not search exhaustively, but MX,A,,SOA,NS also CNAME. Best regards, Wouter On 25/08/17 12:57, Petr Špaček via Unbound-users wrote: > On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote: >> Hi Petr, >> >> Unbound already implements that draft. Method 4.1,

Re: refuse ANY queries

2017-08-25 Thread W.C.A. Wijngaards via Unbound-users
Hi Petr, Unbound already implements that draft. Method 4.1, select one (actually a couple) RRsets. It picks them from cache if they are available there (eg. A record or SOA record) and if no records are in cache, it'll make a query. There may be tricks with local-zones or local-data or python

Re: Unbound 1.6.4/1.6.5: Unexpected AD=0 for signed NODATA at zone apex?

2017-08-24 Thread W.C.A. Wijngaards via Unbound-users
Hi Viktor, This is what verbosity 4 tells me: [1503588441] libunbound[20640:0] info: verify rrset pat.dedyn.io. SOA IN [1503588441] libunbound[20640:0] debug: verify sig 16713 8 [1503588441] libunbound[20640:0] debug: verify result: sec_status_secure [1503588441] libunbound[20640:0] info: verify

Unbound 1.6.5 released

2017-08-21 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.5 is available: https://www.unbound.net/downloads/unbound-1.6.5.tar.gz sha256 e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e pgp https://www.unbound.net/downloads/unbound-1.6.5.tar.gz.asc This release fixes RFC5011 trust anchor tracking for users that install

Re: RFC5011 : 30days add-holddown timer

2017-08-21 Thread W.C.A. Wijngaards via Unbound-users
Hi Daisuke HIGASHI, Yes that is a bug, it should not be in ADDPEND but in VALID. This was caused by unbound checking the signature as well as the DS hash for the installed keys. I have patched this and a new version is released (1.6.5) for this fix. Best regards, Wouter On 16/08/17 18:46,

Re: question about default cache settings?

2017-08-08 Thread W.C.A. Wijngaards via Unbound-users
Hi Bob, There are default limits for a couple Mb of cache memory, tops. That stops the cache from growing. When full, it stores a number of popular items that fit. Best regards, Wouter On 07/08/17 18:31, Bob Joe via Unbound-users wrote: > I am running unbound on my windows as my name server,

Re: priming and dnskey

2017-08-03 Thread W.C.A. Wijngaards via Unbound-users
via Unbound-users wrote: > On Thu, 3 Aug 2017 09:08:52 +0200 > "W.C.A. Wijngaards via Unbound-users" <unbound-users@unbound.net> wrote: > >> Hi T.Suzuki, >> >> Do you have prefetch-key enabled still? It causes the DNSKEY to be >> prefetched.

Re: priming and dnskey

2017-08-03 Thread W.C.A. Wijngaards via Unbound-users
Hi T.Suzuki, Do you have prefetch-key enabled still? It causes the DNSKEY to be prefetched. If so, that would just be extra data in the cache, and not hamper KSK rollovers. Otherwise, unbound shouldn't be fetching the DNSKEY itself then, but downstream clients could still be asking for it.

Re: Oddity with nsd-based in-addr.arpa zone

2017-08-02 Thread W.C.A. Wijngaards via Unbound-users
Hi Dave, What must be happening is that your authority server for the combine 192.168 stub clause, does not actually host a 192.168 reverse zone. And that causes unbound to detect that the delegation is lame. Lameness check only performed for authoritative servers (i.e. stub zones). And now

Re: private ipv6 address space

2017-08-02 Thread W.C.A. Wijngaards via Unbound-users
Hi, Also, local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault has to be d.f.ip6.arpa nodefault, to disable the default zone that is upwards from your private zone. Best regards, Wouter On 01/08/17 18:29, Eric Luehrsen via Unbound-users wrote: > dnsmasq is a forwarding resolver and you

Re: error: outgoing tcp: bind: Address already in use

2017-07-24 Thread W.C.A. Wijngaards via Unbound-users
Hi Nick, On 21/07/17 05:29, Nick Urbanik via Unbound-users wrote: > Dear Folks, > > On 06/07/17 18:13 +1000, Nick Urbanik via Unbound-users wrote: >> A DNS server running unbound 1.6.3 has these messages; any suggestions >> on what is happening? >> >> error: serviced_tcp_initiate: failed to send

Re: Getting error messages, DNSSEC appears to be working nevertheless

2017-07-24 Thread W.C.A. Wijngaards via Unbound-users
Hi Beeblebrox, I think the issue is that -a adds the root.key file, but you also have the root.key file in your unbound.conf, hence it is added twice. You'd need another unbound.conf file without the root.key statement for unbound-anchor. (unbound.conf supports include: "file" to make that easy

Re: Issues with DNSSEC, use-caps-for-id, and empty responses

2017-07-20 Thread W.C.A. Wijngaards via Unbound-users
Hi Jacob, A quick response would be that I have had a string of bug reports, where other software failed to create correct empty DNSSEC proofs. The DNSSEC proofs would not be correct for a particular corner case, and that corner case was hit by their options. caps for id and also the harden

Re: Unbound QRT

2017-07-10 Thread W.C.A. Wijngaards via Unbound-users
Hi Mahdi, The cache response time is about 0 milliseconds. Combine that with the recursive response time (usually some number of milliseconds) to get the value for all responses. (Of course, not really 0, some fraction rounded to 0, eg. somewhere in 200k - 2M qps, so the response time works out

Re: error: outgoing tcp: bind: Address already in use

2017-07-06 Thread W.C.A. Wijngaards via Unbound-users
Hi Nick, The config number for outgoing tcp is likely too low. outgoing-num-tcp: 1000 Also, you may be running out of port numbers, perhaps this causes the 'bind a tcp socket returns errno Address already in use', because the choice of port number was left to the kernel? Unless you force a

Unbound 1.6.4 release

2017-06-27 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.4 is available: https://unbound.net/downloads/unbound-1.6.4.tar.gz sha256 df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed pgp https://unbound.net/downloads/unbound-1.6.4.tar.gz.asc This release contains key tag signaling RFC8145 support. B root is renumbered in

Re: [NLnet Labs Maintainers] Unbound 1.6.4rc2 pre-release

2017-06-22 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.4rc2 release candidate 2 is available: https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz sha256 c9839f7292af75eda5b72d53ef2ea241dadc4bdba0369f9d91f8162cba7946ca pgp https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz.asc This release candidate fixes a recently found heap

Unbound 1.6.4rc1 pre-release

2017-06-20 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.4rc1 release candidate 1 is available: https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz sha256 54dd9bc2bedc8f171dcad69cb1a64c5b5590ae04284c2eed3515993d86a46dc1 pgp https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz.asc This release contains key tag signaling RFC8145

Unbound 1.6.3 release

2017-06-13 Thread W.C.A. Wijngaards via Unbound-users
Hi, Unbound 1.6.3 is available for download: https://unbound.net/downloads/unbound-1.6.3.tar.gz sha256 4c7e655c1d0d2d133fdeb81bc1ab3aa5c155700f66c9f5fb53fa6a5c3ea9845f pgp https://unbound.net/downloads/unbound-1.6.3.tar.gz.asc This release fixes a spurious assertion failure when unbound receives
