Quoting Leo Bush <[email protected]>:
On 24/08/2011 13:47, [email protected] wrote:
Looks to me like an EDNS problem. At least some part of the .be zone
is DNSSEC signed and the replies get bigger than 512 bytes, like with
"dig x.dns.be A +dnssec". Bind has a feature to reduce the EDNS
size in case of trouble, not sure if Unbound does the same. What
you should check:
- Do the trouble domain/names resolve with unbound if you use
checking disabled (+cdflag)
- Do you have any firewall device in front of your resolvers maybe
some Cisco inspecting DNS traffic
- Have you disabled Unbound TCP
For some hints on the problem have a look here:
https://www.dns-oarc.net/oarc/services/replysizetest
Regards
Andreas
Hi,
Thank you for helping my case. Here are my answers.
- I have no firewall or other device inspecting the traffic in front
of the box, only packet filtering with iptables.
- In the config file I have:
# Enable TCP, "yes" or "no".
# do-tcp: yes
# edns-buffer-size: 4096
So I assume that by default tcp is enabled.
Following your suggestions I tried
(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag
; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;leoS.leonidas.be. IN A
;; Query time: 14 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:38 2011
;; MSG SIZE rcvd: 34
(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag +tcp
; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;leos.leonidas.be. IN A
;; Query time: 9 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:53 2011
;; MSG SIZE rcvd: 34
(initial settings)
# dig @resolv1 rs.dns-oarc.net txt
; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;rs.dns-oarc.net. IN TXT
;; ANSWER SECTION:
rs.dns-oarc.net. 60 IN CNAME rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59 IN CNAME
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME
rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101
DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101
sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at
2011-08-24 12:38:52 UTC"
;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS
ns00.x3843.x3837.x3827.rs.dns-oarc.net.
;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
;; Query time: 5972 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:38:52 2011
;; MSG SIZE rcvd: 307
Then I changed the following two settings:
do-tcp: yes
edns-buffer-size: 512
I restarted the unbound daemon. I find immediately the following
messages in the log:
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error
generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate
request: out of memory
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error
generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate
request: out of memory
This doesn't look good anyway. Are you low on memory? What do the
other unbound settings look like?
I repeated my tests from before:
# dig @resolv1 leos.leonidas.be
; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; connection timed out; no servers could be reached
1 minute later
# dig @resolv1 leos.leonidas.be +nodnssec
; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;leos.leonidas.be. IN A
;; ANSWER SECTION:
leos.leonidas.be. 3600 IN A 81.246.74.153
;; Query time: 56 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:46:49 2011
;; MSG SIZE rcvd: 50
# dig @resolv1 leos.leonidas.be
; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;leos.leonidas.be. IN A
;; ANSWER SECTION:
leos.leonidas.be. 2834 IN A 81.246.74.153
;; Query time: 5 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:35 2011
;; MSG SIZE rcvd: 50
# dig @resolv1 leos.leonidas.be +dnssec
; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;leos.leonidas.be. IN A
;; ANSWER SECTION:
leos.leonidas.be. 2825 IN A 81.246.74.153
;; Query time: 16 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:44 2011
;; MSG SIZE rcvd: 61
# dig @resolv1 rs.dns-oarc.net txt
; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; connection timed out; no servers could be reached
As in the meantime my Cacti monitoring signals lots of dropped
packets, and as the server's reaction seems slower to me
(subjective feeling), I put back the initial settings.
# dig @resolv1 leos.leonidas.be
; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;leos.leonidas.be. IN A
;; Query time: 10 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:06:58 2011
;; MSG SIZE rcvd: 34
# dig @resolv1 rs.dns-oarc.net txt
; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;rs.dns-oarc.net. IN TXT
;; ANSWER SECTION:
rs.dns-oarc.net. 60 IN CNAME rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59 IN CNAME
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME
rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply
size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS
buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at
2011-08-24 14:07:15 UTC"
;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS
ns00.x3843.x3837.x3827.rs.dns-oarc.net.
;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
;; Query time: 1073 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:07:15 2011
;; MSG SIZE rcvd: 307
There was lately an issue with priming the root with DNSSEC lasting very
long in some cases...
What are the settings for your trusted keys and do you use IPv6?
Regards
Andreas
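As an added example (not code from anyone in this thread), a small pure-Python probe that reproduces the checks suggested above without touching the resolver's config: it sends one query with the CD bit (dig +cdflag) and a chosen EDNS UDP buffer size, then reports rcode, the TC bit and the OPT size the resolver advertises back, so 512 vs 4096 can be compared side by side. The server address, query name and timeout are assumptions; the constructed sample replies in the test mirror the 34-byte SERVFAIL and 61-byte +dnssec answers shown in the thread.

```python
import random, socket, struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, edns_size=4096, dnssec_ok=True, cd=False, txid=None):
    """Query with RD, optional CD (dig +cdflag) and an OPT RR advertising edns_size."""
    txid = random.randrange(1 << 16) if txid is None else txid
    flags = 0x0100 | (0x0010 if cd else 0)           # RD, optionally CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL = DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at msg[off]."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)               # a pointer ends the name

def parse_response(msg):
    """Summarise a reply: rcode, TC/CD bits, answer count, peer's EDNS UDP size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            udp_size = rclass                         # OPT CLASS carries the UDP size
        off += 10 + rdlen
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "cd": bool(flags & 0x0010), "answers": an, "edns_udp_size": udp_size}

def probe(server, qname, edns_size, cd=False, timeout=3.0):
    """Send one UDP query; return the parsed reply, or None on timeout/ID mismatch."""
    query = build_query(qname, edns_size=edns_size, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))                 # assumed: resolver reachable on 53
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(reply) if reply[:2] == query[:2] else None
```

A reply with tc set at 512 but not at 4096 points at the UDP reply-size path (fragments or a middlebox), while SERVFAIL that persists with cd=True points at upstream or resolver trouble rather than validation.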
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users