Hi all, I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS records are published to the parent yet).
A nagios plugin had been regularly alarming that the zone was unsigned, and indeed when I queried the Unbound resolver that our monitoring server uses, the RRSIG had been stripped out of the reply:

--------8<--------
>> dig @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.	IN	SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
--------8<--------

An identical resolver returns the correct record however:

--------8<--------
>> dig @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec

; <<>> DiG 9.7.3 <<>> @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.	IN	SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa. BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=
--------8<--------

Manually flushing the record, restarting unbound, or waiting for the TTL to expire causes the resolver to re-fetch the missing RRSIGs and things continue as normal, but the problem seems to re-appear every couple of days according to the nagios plugin logs.
Nothing obvious turns up in the logs on the resolver, at verbosity 2 at least; should I increase the verbosity to something noisier?

rg

--
Rob Gallagher | Public Key: 0x1DD13A78
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1.
Registered in Ireland, no 275301
T: (+353-1) 6609040 F: (+353-1) 6603666 WWW: http://www.heanet.ie/
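For the monitoring side of this, here is an added example (not from the post, nor part of Unbound) that parses `dig ... +dnssec` text output like the two replies above and reports, Nagios-style, whether the ANSWER section still carries an RRSIG covering the queried type. The two sample replies are constructed from the post's output with the signature data replaced by a placeholder; the check looks for the RRSIG itself rather than the AD flag, because with no DS at the parent the resolver cannot set AD even when the signatures are present.

```python
import re

# Constructed samples, abridged from the two dig replies in the post
# (RRSIG signature data replaced with a placeholder).
REPLY_STRIPPED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.  IN  SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600

;; AUTHORITY SECTION:
"""
REPLY_OK = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;0.7.7.0.1.0.0.2.ip6.arpa.  IN  SOA

;; ANSWER SECTION:
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie. hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa. SIGNATUREDATA

;; AUTHORITY SECTION:
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)

def parse_sections(dig_text):
    """Map each dig section name to its records, each split into fields."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            if line[0].isspace() and sections[current]:
                sections[current][-1].extend(line.split())  # wrapped RRSIG
            else:
                sections[current].append(line.split())
    return sections

def header_flags(dig_text):
    """Header flags as a list, e.g. ['qr', 'rd', 'ra']; no 'ad' without a DS."""
    m = FLAGS_RE.search(dig_text)
    return m.group(1).split() if m else []

def check_rrsig(dig_text, qtype="SOA"):
    """Nagios-style result: (0 OK, 2 CRITICAL, 3 UNKNOWN) and a message."""
    answer = parse_sections(dig_text).get("ANSWER", [])
    have_data = any(len(r) > 3 and r[3] == qtype for r in answer)
    have_sig = any(len(r) > 4 and r[3] == "RRSIG" and r[4] == qtype for r in answer)
    if not have_data:
        return 3, "UNKNOWN: no %s record in ANSWER section" % qtype
    if not have_sig:
        return 2, "CRITICAL: %s answer carries no covering RRSIG" % qtype
    return 0, "OK: %s answer is accompanied by RRSIG" % qtype
```

In a live plugin the text would come from running dig against each resolver in turn, so a CRITICAL from one and OK from its twin is exactly the split seen above.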
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
