Quoting Leo Bush <[email protected]>:
Dear all,
For one month our company has been using unbound-1.4.8-1 on two RH6 servers
as caching and resolving servers with IPv6 and DNSSEC enabled. These
two servers deal with all our DNS traffic, generated by all our
customers (2x 5Mbps peak traffic). They work as stand-alone servers,
with no complicated network components (load balancer...) around.
At the beginning we activated the option use-caps-for-id, but
since we got complaints from customers that certain domains were
available everywhere in the world except with us, we preferred to
deactivate it.
Currently we face the following rather strange problem:
Under normal working conditions, 70-90% of the time our two
production servers cannot resolve domains registered at
register.be and hosted on the three authoritative name servers
ns1.register.be, ns3.register.be, ns2.register.be (example:
leonidas.be, estates.lu). They return a SERVFAIL. register.be
itself works all the time. By chance it sometimes works correctly
for a brief period of time. Even though it was not easy due to the
thousands of packets passing through per second, I succeeded in
tracing the packets the server sends to the authoritative servers, and
it gets correct answers back.
I tried to install unbound 1.4.8 with the same configuration file
(see attachment) on a desktop machine and there was no issue. All
resolutions against domains at register.be were immediate and correct.
As customers continued to complain I was forced to take one server
out of production and to replace it with BIND, which works correctly.
Now I have one server with unbound that has the problem and one
server with BIND that works fine in production. The formerly faulty
unbound server that is now offloaded currently responds correctly in
all tests (no restart done, no reboot done, just IP address switched).
Does anybody have an idea how I can solve this problem? Shall I
offer you more technical information? Do you have further tests to
suggest?
Looks to me like an EDNS problem. At least some part of the .be zone is
DNSSEC signed and the replies get bigger than 512 bytes, as with "dig
x.dns.be A +dnssec". BIND has a feature to reduce the EDNS size in
case of trouble; not sure if Unbound does the same. What you should
check:
- Do the troublesome domains/names resolve with unbound if you use checking
disabled (+cdflag)?
- Do you have any firewall device in front of your resolvers, maybe
some Cisco inspecting DNS traffic?
- Have you disabled Unbound TCP?
For some hints on the problem have a look here:
https://www.dns-oarc.net/oarc/services/replysizetest
Regards
Andreas
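As an added example (not code from either mail, and not from Unbound or BIND), here is a small Python script that builds the kind of query the reply above talks about and classifies a reply. It sets the EDNS0 UDP payload size and DO bit, optionally the CD flag that `+cdflag` sets, and reports whether a reply is truncated (TC set, so the resolver has to retry over TCP) or a SERVFAIL. The names `leonidas.be` and `estates.lu` come from the first mail; the 4096/512-byte sizes, the transaction id and the truncated reply are constructed for the demonstration, not captured from the servers discussed.

```python
import struct

# Hypothetical helper (added example, not from the thread): build DNS queries
# with or without EDNS0 and inspect replies for the conditions the reply
# discusses (EDNS UDP size, DO bit, CD flag, truncation, SERVFAIL).

TYPE_OPT = 41
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=4096, do_bit=True, cd=False):
    """Recursive query; edns_udp_size=0 produces a plain (no EDNS, 512-byte) query."""
    flags = 0x0100                     # RD
    if cd:
        flags |= 0x0010                # CD: ask the resolver to skip DNSSEC validation
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO bit + zeros(16), RDLEN 0
        ttl = 0x8000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def find_opt(msg):
    """Walk all sections and return the EDNS0 OPT record fields, or None if absent."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "do": bool(ttl & 0x8000),
                    "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
        off += rdlen
    return None


def classify_reply(resp):
    """What a resolver has to do with this reply."""
    h = parse_header(resp)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["tc"]:
        return "truncated"             # resolver must retry over TCP, so TCP/53 must pass
    return "ok"


def make_truncated_reply(query, server_udp_size=512):
    """Constructed sample: the server echoed the question, set TC and advertised 512 bytes."""
    h = parse_header(query)
    flags = 0x8000 | 0x0200 | 0x0100 | 0x0080   # QR, TC, RD, RA
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_udp_size, 0x8000, 0)
    return header + query[12:qend] + opt


if __name__ == "__main__":
    q = build_query("leonidas.be", edns_udp_size=4096, do_bit=True)
    print("query advertises", find_opt(q)["udp_size"], "bytes, DO =", find_opt(q)["do"])
    r = make_truncated_reply(q)
    print("constructed reply:", classify_reply(r), "; server advertises", find_opt(r)["udp_size"])
    print("CD query sets CD flag:", parse_header(build_query("estates.lu", cd=True))["cd"])
```

The three outcomes map onto the checks in the reply: a query that advertises a large EDNS buffer but whose replies are cut or dropped by a middlebox, a truncated reply that forces the TCP retry (which fails if TCP/53 is blocked or TCP is disabled in the resolver), and a SERVFAIL that clears with CD set, which points at validation rather than transport.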
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users