Hi Rob,

On 12/21/2011 03:28 PM, Rob Gallagher wrote:
> Hi all,
>
> I noticed a strange issue with one of our Unbound 1.4.1 resolvers and a
> signed zone that we maintain (0.7.7.0.1.0.0.2.ip6.arpa - no DS
> records are published to the parent yet).

Try updating to 1.4.14, apart from the vuln patch there have been a number
of fixes in the meantime with handling EDNS-timeouts and fragmentation
issues. You perhaps have such fragmentation issues.

It is also a good idea to perform the oarc edns reply size test, see if
packets larger than 1500 go there, fix your old routers, firewalls to
handle UDP fragments (the upgrade may work around it, but this will fix it
and make your nameservers run better (EDNS larger sizes work)).

Best regards,
   Wouter

> A nagios plugin had been regularly alarming that the zone was
> unsigned, and indeed when I queried the Unbound resolver that our
> monitoring server uses the RRSIG had been stripped out of the reply:
>
> --------8<--------
>
> >>> dig @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
>
> ; <<>> DiG 9.7.3 <<>> @windu 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42217
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;0.7.7.0.1.0.0.2.ip6.arpa.      IN      SOA
>
> ;; ANSWER SECTION:
> 0.7.7.0.1.0.0.2.ip6.arpa. 814 IN SOA ns.heanet.ie.
> hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
>
> --------8<--------
>
> An identical resolver returns the correct record however:
>
> --------8<--------
>
> >>> dig @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
>
> ; <<>> DiG 9.7.3 <<>> @dooku 0.7.7.0.1.0.0.2.ip6.arpa soa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47300
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;0.7.7.0.1.0.0.2.ip6.arpa.      IN      SOA
>
> ;; ANSWER SECTION:
> 0.7.7.0.1.0.0.2.ip6.arpa. 111 IN SOA ns.heanet.ie.
> hostmaster.heanet.ie. 2011122000 7200 7200 432000 3600
> 0.7.7.0.1.0.0.2.ip6.arpa. 111 IN RRSIG SOA 8 10
> 3600 20111226202852 20111220000932 45295 0.7.7.0.1.0.0.2.ip6.arpa.
> BWYHZQK8cxu71ysSVKeUAQobe270QWIm4zwXFloBZy8VkvH3OCQdskoB
> Xu6Ff7Hql8qi85y7yoAIMofDLLtPfBue1QLIYPT/ioBM81XYJqLJOHwd
> gqUUoaR1hufB0ewiCO04QwY2Mq985VzsZyAQ4n+E1OiuRqpvUOCEBoDh uYk=
>
> --------8<--------
>
> Manually flushing the record, restarting unbound, or waiting for the
> TTL to expire causes the resolver to re-fetch the missing RRSIGs and
> things continue as normal, but the problem seems to re-appear every
> couple of days according to the nagios plugin logs.
>
> Nothing obvious turns up in the logs on the resolver, at verbosity 2 at
> least, should I increase the verbosity to something noisier?
>
> rg
>
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
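The following is an added example for the exchange above; it is not Unbound's code and not the poster's nagios plugin. It does on raw wire-format messages what that plugin does: send a query with an EDNS0 OPT record and the DO bit set, then parse the reply and report whether the answer section carries both the queried RRset and an RRSIG whose "type covered" field matches it. A reply with the TC bit is reported as not verified rather than unsigned, since a truncated UDP answer must be retried over TCP before anything can be said about signatures. The two sample replies are constructed locally to mirror the windu (SOA only) and dooku (SOA plus RRSIG) answers quoted above; the RRSIG signature bytes, the timestamps and all function names are assumptions. The probe_sizes helper runs the same check against a live server at several advertised EDNS buffer sizes, in the spirit of the OARC reply-size test Wouter recommends.

```python
"""Check whether a DNS answer is DNSSEC-signed, on raw wire-format messages.
Added example, not Unbound's or the poster's code; sample replies are constructed."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
CLASS_IN = 1
DO_BIT = 0x8000      # DNSSEC OK flag, carried in the OPT record's TTL field
FLAG_TC = 0x0200     # truncation bit in the header flags


def encode_name(name):
    """Wire-encode a domain name (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype, bufsize=4096, txid=0x1234):
    """Query with RD set and one additional record: OPT advertising bufsize, DO on."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT, 0)   # root name, no options
    return header + question + opt


def build_response(qname, qtype, answers, txid=0x1234, tc=False):
    """Assemble a reply; answers is a list of (type, ttl, rdata). Used for the constructed samples."""
    flags = 0x8180 | (FLAG_TC if tc else 0)          # QR, RD, RA (+TC)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, ttl, rdata in answers:
        msg += encode_name(qname) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data):
    """Return (header flags, answer records) with records as (name, type, ttl, rdata)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(data, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, data[off:off + rdlen]))
        off += rdlen
    return flags, records


def answer_is_signed(data, qtype):
    """True only if the answer holds the RRset and an RRSIG covering qtype; TC replies fail."""
    flags, records = parse_response(data)
    if flags & FLAG_TC:
        return False                                    # retry over TCP before judging
    has_rrset = any(r[1] == qtype for r in records)
    has_sig = any(r[1] == TYPE_RRSIG and struct.unpack("!H", r[3][:2])[0] == qtype
                  for r in records)
    return has_rrset and has_sig


def query_udp(server, qname, qtype, bufsize=4096, timeout=3.0):
    """Send one query over UDP to a live server (network use only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, qtype, bufsize), (server, 53))
        return sock.recvfrom(65535)[0]
    finally:
        sock.close()


def probe_sizes(server, qname, qtype, sizes=(512, 1232, 1500, 4096)):
    """Map each advertised EDNS size to True/False (signed?) or None (no reply: fragments lost?)."""
    results = {}
    for size in sizes:
        try:
            results[size] = answer_is_signed(query_udp(server, qname, qtype, size), qtype)
        except socket.timeout:
            results[size] = None
    return results


# Constructed samples modelled on the two dig outputs in the thread.
ZONE = "0.7.7.0.1.0.0.2.ip6.arpa."
SOA_RDATA = (encode_name("ns.heanet.ie.") + encode_name("hostmaster.heanet.ie.")
             + struct.pack("!IIIII", 2011122000, 7200, 7200, 432000, 3600))
# RRSIG rdata: type covered, alg 8, 10 labels, orig TTL, expiry/inception (placeholder 0),
# key tag 45295, signer name, dummy signature bytes (assumption, not the real signature).
RRSIG_RDATA = struct.pack("!HBBIIIH", TYPE_SOA, 8, 10, 3600, 0, 0, 45295) + encode_name(ZONE) + b"\x00" * 16
UNSIGNED_REPLY = build_response(ZONE, TYPE_SOA, [(TYPE_SOA, 814, SOA_RDATA)])
SIGNED_REPLY = build_response(ZONE, TYPE_SOA, [(TYPE_SOA, 111, SOA_RDATA), (TYPE_RRSIG, 111, RRSIG_RDATA)])

if __name__ == "__main__":
    print("windu-like reply signed:", answer_is_signed(UNSIGNED_REPLY, TYPE_SOA))
    print("dooku-like reply signed:", answer_is_signed(SIGNED_REPLY, TYPE_SOA))
```

When run against a real resolver, a result of None at 4096 alongside True at 512 or 1232 is the pattern that points at dropped UDP fragments on the path rather than at the zone itself, which is exactly the condition the reply-size test is meant to surface.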
