Hi, after two days of investigations I'm feeling a bit desperate...
I installed unbound to be used by postfix, which does reverse
lookups of hostnames, and it started to reject all email because
unbound can't do that, it seems.
Using my normal resolver:
>dig google.com | grep '^google.com'
google.com. 2400 IN A 142.251.36.46
>dig -x 142.251.36.46 | grep '^46'
46.36.251.142.in-addr.arpa. 61312 IN PTR ams17s12-in-f14.1e100.net.
I have unbound listening on 127.25.0.53:
>dig -x 142.251.36.46 @127.25.0.53
;; communications error to 127.25.0.53#53: timed out
;; communications error to 127.25.0.53#53: timed out
;; communications error to 127.25.0.53#53: timed out
; <<>> DiG 9.20.13 <<>> -x 142.251.36.46 @127.25.0.53
;; global options: +cmd
;; no servers could be reached
Logs of unbound during this:
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.180.182.53#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving x.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving z.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <142.in-addr.arpa.> 192.82.134.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.54.112.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.55.83.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.33.14.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.34.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.34.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was nodata ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns1.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns1.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.38.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was nodata ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for z.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <arin.net.> 199.212.0.108#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for x.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <arin.net.> 199.212.0.108#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.38.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.253.183.183#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:02 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 200.10.60.53#53
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:07 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 193.0.9.1#53
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.180.182.53#53
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 196.216.169.10#53
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 200.10.60.53#53
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: Could not establish a chain of trust to keys for in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: validation failure <46.36.251.142.in-addr.arpa. PTR IN>: no DNSKEY rrset [all servers for this domain failed, at zone in-addr.arpa. from 196.216.169.10 upstream server timeout] for trust anchor in-addr.arpa. while building chain of trust
The reason this seems to fail is because unbound tries to connect with
TCP (after a UDP failure) to an in-addr.arpa. root server, which doesn't
like that and immediately closes the connection.
The root server closes the connection because RD=0 (Recursion desired),
which is correct I think: unbound should not ask root servers for a DNSKEY.
I can simulate this from the command line:
>dig @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit | grep '257'
in-addr.arpa. 2370 IN DNSKEY 257 3 8 AwEAAbNX16PjL99cu7CpO7Nt5EXoq8k6TCZpzxz13wCITdkwIce4UrzUqw7b76WH7N3KKAb4uJgmswkujk+gYMqnMAwNBFELrCDDkflw2AIjFPXBd2Txw8o3H5of2uIbAijm76B562VIiT3p0RIP1SH4eA+wHwYmqM3o/PiYfCxQD1c+EJx6b6dRcKAfeX4XMSsM6DyI6tjLGZ//w/IspRnbRb6Q36zWNyPPY2+5fqkaJ/94OKapvXTCUpWsNqKYlOxMwovwW9a2uBIgldzSq9mCtGUXU7mRZkwUIpnzA5Qe+lYdimWnzve7BXVs8ZZUyNhlDMlWYUrYHiaJ0uESYAWZQ98=
in-addr.arpa. 2370 IN DNSKEY 257 3 8 AwEAAbdOaEhLDa/H2m+hbXBHiAUE95PgpL2358lkJCBmb2Dn7aImc5sqoaEa48hlabMuG2PfnbWd3ttpVXX6mwLRMppyhJeBbr1q2YWtzi+Xx5modXLKSDPuLliLUQ1oPnq2QWK7BUNwmV70gQSOx78vkisDqFzocC2aiFAi+D2r45GPvtBMbjfCA1FB0SELeUCsxhgoAHphO5T6ITCrOccM7XX7A4qRbcbS65HOcbT+UDG9OoXjmw2j8mWgJXrpwvdsskaISrTivzcqadgOinSgAL3bVYFKCkiVBmx87d88v+OuK+358xsUIU+0MzXUidLS8086BpdiEW4cJ6c08oDyC10=
>dig @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit +norecurse
;; communications error to 193.0.9.1#53: end of file
;; communications error to 193.0.9.1#53: end of file
;; communications error to 193.0.9.1#53: end of file
; <<>> DiG 9.20.13 <<>> @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit +norecurse
; (1 server found)
;; global options: +cmd
;; no servers could be reached
Am I correct to think that the problem is that unbound tries to do that last
thing at all, while it shouldn't?
I tried to add a trust-anchor with the above data, but that didn't help.
The only change is that now unbound sets the bit "Non-authenticated
data: Acceptable" - but the root server still immediately closes the connection.
Isn't this a bug in unbound or am I doing something wrong?
Current config:
>grep -v '^[[:space:]]*#' unbound.conf | grep -v '^$'
server:
    verbosity: 2
    interface: 127.25.0.53
    outgoing-interface: 192.168.132.70
    so-sndbuf: 0
    edns-buffer-size: 1232
    do-ip6: no
    do-daemonize: no
    username: "unbound"
    log-time-iso: yes
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
    log-destaddr: yes
    log-servfail: yes
    trust-anchor-file: "/etc/unbound/trusted-key.key"
    trust-anchor-file: "/etc/unbound/trust-anchors.d/in-addr.arpa.key"
    pad-responses: yes
python:
dynlib:
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
where
>cat /etc/unbound/trust-anchors.d/in-addr.arpa.key
in-addr.arpa. DNSKEY 257 3 8 AwEAAbNX16PjL99cu7CpO7Nt5EXoq8k6TCZpzxz13wCITdkwIce4UrzUqw7b76WH7N3KKAb4uJgmswkujk+gYMqnMAwNBFELrCDDkflw2AIjFPXBd2Txw8o3H5of2uIbAijm76B562VIiT3p0RIP1SH4eA+wHwYmqM3o/PiYfCxQD1c+EJx6b6dRcKAfeX4XMSsM6DyI6tjLGZ//w/IspRnbRb6Q36zWNyPPY2+5fqkaJ/94OKapvXTCUpWsNqKYlOxMwovwW9a2uBIgldzSq9mCtGUXU7mRZkwUIpnzA5Qe+lYdimWnzve7BXVs8ZZUyNhlDMlWYUrYHiaJ0uESYAWZQ98=
in-addr.arpa. DNSKEY 257 3 8 AwEAAbdOaEhLDa/H2m+hbXBHiAUE95PgpL2358lkJCBmb2Dn7aImc5sqoaEa48hlabMuG2PfnbWd3ttpVXX6mwLRMppyhJeBbr1q2YWtzi+Xx5modXLKSDPuLliLUQ1oPnq2QWK7BUNwmV70gQSOx78vkisDqFzocC2aiFAi+D2r45GPvtBMbjfCA1FB0SELeUCsxhgoAHphO5T6ITCrOccM7XX7A4qRbcbS65HOcbT+UDG9OoXjmw2j8mWgJXrpwvdsskaISrTivzcqadgOinSgAL3bVYFKCkiVBmx87d88v+OuK+358xsUIU+0MzXUidLS8086BpdiEW4cJ6c08oDyC10=
but well - that should be necessary because I don't see any mention of
something like that in any documentation online :/
Please help,
Carlo
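A check for the trust-anchor side of this report, added here as an example and not code from unbound or from the poster: it computes the RFC 4034 Appendix B key tags of the DNSKEY records in the posted in-addr.arpa.key file, builds the RFC 8145 `_ta-` key-tag signalling label unbound derives from its configured anchors, and compares it with the label that appears in the posted log ("generate keytag query _ta-b7ce-d6ac..."), while also counting the "failed to prime trust anchor" and "validation failure" events. The anchor records and the log lines embedded below are constructed copies of what the post shows (each record joined onto one line; the log reduced to a handful of events); the function names are my own.

```python
"""Compare the key tags in an unbound trust-anchor file with the _ta- label in its log.

Added example for this thread, not unbound's own code. It assumes the DNSKEY records
and log lines below are faithful copies of what the post shows; function names are mine.
"""
import base64
import re

# Constructed copy of the posted /etc/unbound/trust-anchors.d/in-addr.arpa.key,
# with each record joined onto a single line.
ANCHOR_FILE = """\
in-addr.arpa. DNSKEY 257 3 8 AwEAAbNX16PjL99cu7CpO7Nt5EXoq8k6TCZpzxz13wCITdkwIce4UrzUqw7b76WH7N3KKAb4uJgmswkujk+gYMqnMAwNBFELrCDDkflw2AIjFPXBd2Txw8o3H5of2uIbAijm76B562VIiT3p0RIP1SH4eA+wHwYmqM3o/PiYfCxQD1c+EJx6b6dRcKAfeX4XMSsM6DyI6tjLGZ//w/IspRnbRb6Q36zWNyPPY2+5fqkaJ/94OKapvXTCUpWsNqKYlOxMwovwW9a2uBIgldzSq9mCtGUXU7mRZkwUIpnzA5Qe+lYdimWnzve7BXVs8ZZUyNhlDMlWYUrYHiaJ0uESYAWZQ98=
in-addr.arpa. DNSKEY 257 3 8 AwEAAbdOaEhLDa/H2m+hbXBHiAUE95PgpL2358lkJCBmb2Dn7aImc5sqoaEa48hlabMuG2PfnbWd3ttpVXX6mwLRMppyhJeBbr1q2YWtzi+Xx5modXLKSDPuLliLUQ1oPnq2QWK7BUNwmV70gQSOx78vkisDqFzocC2aiFAi+D2r45GPvtBMbjfCA1FB0SELeUCsxhgoAHphO5T6ITCrOccM7XX7A4qRbcbS65HOcbT+UDG9OoXjmw2j8mWgJXrpwvdsskaISrTivzcqadgOinSgAL3bVYFKCkiVBmx87d88v+OuK+358xsUIU+0MzXUidLS8086BpdiEW4cJ6c08oDyC10=
"""

# Constructed subset of the posted unbound log (verbosity 2), one event per line.
LOG = """\
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: validation failure <46.36.251.142.in-addr.arpa. PTR IN>: no DNSKEY rrset [all servers for this domain failed, at zone in-addr.arpa. from 196.216.169.10 upstream server timeout] for trust anchor in-addr.arpa. while building chain of trust
"""


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, valid for every algorithm except 1 (RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, octet in enumerate(rdata):
        acc += (octet << 8) if i % 2 == 0 else octet  # high byte on even offsets
    acc += (acc >> 16) & 0xFFFF                        # fold the carry in once
    return acc & 0xFFFF


def parse_anchor_file(text: str) -> list:
    """Read zone-file style records: owner [ttl] [IN] DNSKEY flags proto alg base64..."""
    keys = []
    for line in text.splitlines():
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue  # blank lines, comments, DS records
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))  # key may be split into chunks
        keys.append({"owner": tokens[0], "flags": flags, "algorithm": alg,
                     "keytag": dnskey_keytag(flags, proto, alg, pubkey)})
    return keys


def keytag_label(tags) -> str:
    """RFC 8145 section 5.1 label: _ta- plus each key tag as 4 lowercase hex digits, ascending."""
    return "_ta-" + "-".join(f"{t:04x}" for t in sorted(set(tags)))


EVENT = re.compile(r"unbound\[\d+\]: \[\d+:\d+\] (?:info: )?(?P<msg>.*)$")


def summarize_log(log: str) -> dict:
    """Collect the trust-anchor related events from unbound's log output."""
    labels, prime_failures, validation_failures = set(), 0, []
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("generate keytag query "):
            labels.add(msg.split()[3].split(".")[0])  # "_ta-xxxx-yyyy" without the zone
        elif msg.startswith("failed to prime trust anchor"):
            prime_failures += 1
        elif msg.startswith("validation failure"):
            validation_failures.append(msg)
    return {"keytag_labels": sorted(labels), "prime_failures": prime_failures,
            "validation_failures": validation_failures}


def check(anchor_text: str, log: str) -> dict:
    """Does the label unbound signalled match the keys in the configured anchor file?"""
    keys = parse_anchor_file(anchor_text)
    result = summarize_log(log)
    result["configured_label"] = keytag_label(k["keytag"] for k in keys)
    result["label_matches_config"] = result["configured_label"] in result["keytag_labels"]
    return result


if __name__ == "__main__":
    for name, value in check(ANCHOR_FILE, LOG).items():
        print(f"{name}: {value}")
```

Run it as a script and read `label_matches_config`: if the label computed from the file equals the one in the log, unbound is loading the anchor file and signalling exactly those keys, so the priming is not failing at the anchor; it fails at the next step, fetching in-addr.arpa. DNSKEY from the in-addr-servers, which is the same exchange the +norecurse dig above shows ending in "end of file". The NXDOMAIN on the `_ta-` NULL query itself is not an error: RFC 8145 key-tag signalling only needs the query to reach the zone's servers, and no such name exists in the zone. The key-tag routine covers algorithm 8 (RSASHA256) used here and every other algorithm except 1, for which RFC 4034 defines a different calculation.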