On 03/20/2013 06:39 PM, Paul Wouters wrote:
> On Wed, 20 Mar 2013, Erinn Looney-Triggs wrote:
>
>> There is a bugzilla open about a similar
>> issue:https://bugzilla.redhat.com/show_bug.cgi?id=824219 , but from my
>> reading it looks like it went off in another direction.
>>
>> The issue I am running into comes in when resolving fedorapeople.org
>> domains which are DLV signed. Specifically fkooman.fedorapeople.org but
>> any other *.fedorapeople.org domains seem to fail, and only with unbound
>> in my testing thus far. Straight bind will return the result.
>
> It works for me using unbound:
>
> paul@bofh:~$ dig +dnssec fkooman.fedorapeople.org
>
> ; <<>> DiG 9.9.2-rl.028.23-P1-RedHat-9.9.2-8.P1.fc18 <<>> +dnssec
> fkooman.fedorapeople.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fkooman.fedorapeople.org. IN A
>
> ;; ANSWER SECTION:
> fkooman.fedorapeople.org. 60 IN A 152.19.134.191
> fkooman.fedorapeople.org. 60 IN RRSIG A 5 2 60 20130418182632
> 20130319182632 378 fedorapeople.org.
> 7YhhtMeCLSq1wIYnWW3gQvL1hIKnYLO0ffIEQbhKPJ0dSadnipAxxSiJ
> k8pY2VwvvvNZ+bJoX3PYJAG/jmA7uUnYuK/Zx0OUjkU+Fmc7dOSBlQJp
> +ikA73Lcv2KjBF0Nbq4LFG11O8MDOdDi1zZ8XrYCdlQkS/PqKoZzcX9m b+A=
>
> ;; AUTHORITY SECTION:
> *.fedorapeople.org. 86312 IN NSEC fedorapeople.org. A AAAA
> RRSIG NSEC
> *.fedorapeople.org. 86312 IN RRSIG NSEC 5 2 86400
> 20130418182632 20130319182632 378 fedorapeople.org.
> 8DbC9OUD7p+274jhuNpJJA7SgTgCk3ArqaPE5dj/raZNvJcC5Wd1eoiH
> 72nxwdpyyfX3szQa1iq82/jmfMzohQ45MFK+nNusJMysjlkmGnkZQjKp
> MqBAuQBQ2WosUOfwG290TTGiXRiapvYVw15odvsTL4wKHzEcYmRbtbnq WyU=
>
> ;; Query time: 127 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Mar 20 20:38:16 2013
> ;; MSG SIZE rcvd: 461
>
>
>> My guess is that it has to do with the *.fedorapeople.org record, but I
>> am no expert, or perhaps DLV plays into it? There aren't a great deal of
>> sites that I know of to compare this to.
>>
>> Can anyone else confirm or deny this issue with their unbound?
>
> The issue, as the bug described it, is that _if_ unbound is configured
> to use a bind server as forwarder, that bind needs to have RT#21409
> fixed for it to work properly.
>
> Paul

Paul,

Thanks for taking a look I appreciate your time. It looks like the
problem is a combination of unbound, dnssec-trigger, and bind. My lack
of understanding of dnssec-trigger also played a large part.

So it looks like dnssec-trigger sets . to forward to the upstream DNS
resolver if DHCP dns addresses are available for use. So in my case it
looks like my ISP is running bind and this in turn creates the issue
for me.

After running unbound-control forward_remove . I was able to resolve
the address as I should.

Thanks again for checking and for updating the bug,

-Erinn
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
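
A small diagnostic for the situation described in this thread, added here as an example and not part of either poster's message: it reads `unbound-control list_forwards` output and a `dig +dnssec` reply and reports whether an unvalidated answer went through a root (".") forwarder. The function names, the constructed sample data and the `list_forwards` line format (`<zone> IN forward <addr> ...`) are assumptions.

```shell
#!/bin/sh
# Constructed sample: forward zones as `unbound-control list_forwards` is
# assumed to print them; addresses are documentation-range placeholders.
SAMPLE_FORWARDS='example.test. IN forward 198.51.100.7
. IN forward 192.0.2.53 192.0.2.54'
# Header lines of the validated reply quoted in the thread.
SAMPLE_DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1'
# Constructed failing reply: no "ad" flag, SERVFAIL from the validator.
SAMPLE_DIG_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print the addresses of the root (".") forward zone, one per line.
# stdin: list_forwards text.
root_forwarders() {
    awk '$1 == "." && $2 == "IN" && $3 ~ /^forward/ {
             for (i = 4; i <= NF; i++) print $i
         }'
}

# Exit 0 only if the dig reply on stdin is NOERROR and carries the "ad"
# (authenticated data) flag, i.e. the resolver validated the answer.
reply_is_validated() {
    awk '/->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
         /^;; flags:/ {
             line = $0
             sub(/^;; flags:/, "", line)   # drop the label
             sub(/;.*$/, "", line)         # keep only the flag words
             n = split(line, f, " ")
             for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
         }
         END { exit !(ok && ad) }'
}

# $1 = list_forwards text, $2 = dig +dnssec text. Prints one verdict line.
diagnose() {
    if printf '%s\n' "$2" | reply_is_validated; then
        echo "validated"
        return 0
    fi
    fwd=$(printf '%s\n' "$1" | root_forwarders | tr '\n' ' ')
    if [ -n "$fwd" ]; then
        echo "unvalidated via root forwarder: ${fwd% }"
    else
        echo "unvalidated, no root forwarder"
    fi
}

# Live use on a host running unbound:
#   diagnose "$(unbound-control list_forwards)" \
#            "$(dig +dnssec @127.0.0.1 fkooman.fedorapeople.org)"
diagnose "$SAMPLE_FORWARDS" "$SAMPLE_DIG_FAIL"
```

A verdict naming a root forwarder points at the upstream resolver, which is the case where `unbound-control forward_remove .` made resolution work in the message above.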
