Dear all,

For one month our company has been using unbound-1.4.8-1 on two RH6 servers as caching and resolving servers with IPv6 and DNSSEC enabled. These two servers deal with all our DNS traffic, generated by all our customers (2x 5Mbps peak traffic). They work as stand-alone servers, with no complicated network components (load balancer, ...) around them.

At the beginning we used to activate the option use-caps-for-id, but since we got complaints from customers that certain domains were available everywhere in the world except at us, we preferred to deactivate it.

Currently we face the following rather strange problem:
Under normal working conditions, 70-90% of the time our two production servers cannot resolve domains registered at register.be and hosted on the three authoritative name servers ns1.register.be, ns3.register.be, ns2.register.be (example: leonidas.be, estates.lu). They return a SERVFAIL. register.be itself works all the time. By chance it sometimes works correctly for a brief period of time. Even though it was not easy due to the thousands of packets passing through per second, I succeeded in tracing the packets the server sends to the authoritative servers, and it gets correct answers back.

I tried to install unbound 1.4.8 with the same configuration file (see attachment) on a desktop machine and there was no issue. All resolutions against domains at register.be were immediate and correct.

As customers continued to complain, I was forced to take one server out of production and replace it with BIND, which works correctly. Now I have one server with unbound that has the problem and one server with BIND that works fine in production. The formerly faulty unbound server that is now offloaded currently responds correctly to all tests (no restart done, no reboot done, just IP address switched).

Does anybody have an idea how I can solve this problem? Shall I offer you more technical information? Do you have further tests to suggest?

Kind regards, and thank you for any advice

Leo Bush

server:
        verbosity: 1
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 2
        interface: 0.0.0.0
        interface: 2001:7e8:f00:2::1
        interface-automatic: no
        outgoing-range: 768
        so-rcvbuf: 2m
        so-sndbuf: 2m
        msg-cache-size: 150m
        msg-cache-slabs: 2
        rrset-cache-size: 300m
        rrset-cache-slabs: 2
        infra-cache-slabs: 2
        access-control: 127.0.0.0/8 allow
        access-control: ::1 allow
        access-control: 178.141.128.0/18 allow
        ...
        access-control: 2001:7e9::/32 allow
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-referral-path: yes
        use-caps-for-id: no
        unwanted-reply-threshold: 10000000
        prefetch: yes
        prefetch-key: yes
        auto-trust-anchor-file: "/etc/unbound/root.key"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        key-cache-slabs: 2
remote-control:
        control-enable: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
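One diagnostic step a reader could take with the resolver described above is to separate a DNSSEC validation failure from an upstream resolution failure: Unbound answers SERVFAIL in both cases, but a query with the CD (checking disabled) bit set bypasses validation, so a name that SERVFAILs normally and resolves under +cd points at validation rather than at unreachable authoritative servers. The script below is an added example written for this post, not code from the poster or from the Unbound project; it assumes `dig` is installed and the resolver is reachable for the live `probe` function, and the two dig header lines it embeds are constructed samples so the parsing and classification can be checked offline.

```shell
#!/bin/sh
# Classify a resolver's answer for a name by comparing the RCODE with and
# without the CD bit. SERVFAIL that turns into NOERROR under +cd points at
# DNSSEC validation; SERVFAIL under both points at the upstream path.

# status_of: extract the RCODE from dig output, i.e. the "status: X," field of
# the ";; ->>HEADER<<-" line. Prints nothing if dig produced no header
# (e.g. ";; connection timed out; no servers could be reached").
status_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify: given the RCODE without CD and the RCODE with CD, name the likely cause.
classify() {
    plainstat="$1"
    cdstat="$2"
    if [ -z "$plainstat" ]; then
        echo "no-response"
    elif [ "$plainstat" = "NOERROR" ]; then
        echo "resolves"
    elif [ "$plainstat" = "SERVFAIL" ] && [ "$cdstat" = "NOERROR" ]; then
        echo "validation-failure"
    elif [ "$plainstat" = "SERVFAIL" ] && [ "$cdstat" = "SERVFAIL" ]; then
        echo "upstream-failure"
    else
        echo "other:$plainstat/$cdstat"
    fi
}

# probe: query one resolver for one name with and without +cd (needs dig and network).
# Usage: probe <resolver-ip> <name>
probe() {
    resolver="$1"
    name="$2"
    plain=$(dig @"$resolver" "$name" A +dnssec +time=3 +tries=1 2>&1)
    cdq=$(dig @"$resolver" "$name" A +dnssec +cd +time=3 +tries=1 2>&1)
    classify "$(status_of "$plain")" "$(status_of "$cdq")"
}

# Constructed sample dig header lines (not real captures) for offline use of
# status_of and classify.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Run a live probe only when a resolver and a name are given on the command line.
if [ $# -eq 2 ] && command -v dig >/dev/null 2>&1; then
    probe "$1" "$2"
fi
```

Running `sh probe.sh 127.0.0.1 leonidas.be` on the affected server during a failure window gives one of the four labels; "validation-failure" would make the `val-log-level` messages in Unbound's log the next place to look, while "upstream-failure" would point back at the packet traces to the register.be name servers.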
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users