On 24/08/2011 13:47, [email protected] wrote:
>
> Looks to me like an EDNS problem. At least some part of the .be zone is DNSSEC signed and the replies get bigger than 512 bytes, like with "dig x.dns.be A +dnssec". Bind has a feature to reduce the EDNS size in case of trouble, not sure if Unbound does the same. What you should check:
> - Do the trouble domain/names resolve with unbound if you use checking disabled (+cdflag)
> - Do you have any firewall device in front of your resolvers, maybe some Cisco inspecting DNS traffic
> - Do you have disabled Unbound tcp
>
> For some hints on the problem have a look here:
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> Regards
>
> Andreas

Hi,

Thank you for helping my case. Here are my answers.
- I have no firewall or other device inspecting the traffic in front of the box, only packet filtering with iptables.
- In the config file I have:
        # Enable TCP, "yes" or "no".
        # do-tcp: yes
        # edns-buffer-size: 4096
  So I assume that by default tcp is enabled.


Following your suggestions I tried

(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leoS.leonidas.be.              IN      A

;; Query time: 14 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:38 2011
;; MSG SIZE  rcvd: 34



(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag +tcp

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; Query time: 9 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:53 2011
;; MSG SIZE  rcvd: 34



(initial settings)
# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.               IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59 IN CNAME rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 12:38:52 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136

;; Query time: 5972 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:38:52 2011
;; MSG SIZE  rcvd: 307



Then I changed the following two settings:
    do-tcp: yes
    edns-buffer-size: 512

I restarted the unbound daemon. I immediately find the following messages in the log:
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory

I repeated my tests from before:

# dig @resolv1 leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

1 minute later

# dig @resolv1 leos.leonidas.be +nodnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       3600    IN      A       81.246.74.153

;; Query time: 56 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:46:49 2011
;; MSG SIZE  rcvd: 50



# dig @resolv1  leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2834    IN      A       81.246.74.153

;; Query time: 5 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:35 2011
;; MSG SIZE  rcvd: 50



# dig @resolv1  leos.leonidas.be +dnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2825    IN      A       81.246.74.153

;; Query time: 16 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:44 2011
;; MSG SIZE  rcvd: 61



# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached



As in the meantime my cacti monitoring was signalling lots of dropped packets, and as the server's response seemed slower to me (subjective feeling), I put back the initial settings.

# dig @resolv1  leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; Query time: 10 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:06:58 2011
;; MSG SIZE  rcvd: 34


# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.               IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59 IN CNAME rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 14:07:15 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136

;; Query time: 1073 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:07:15 2011
;; MSG SIZE  rcvd: 307



kind regards

Leo Bush

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
