On 20.08.2013 14:20, W.C.A. Wijngaards wrote:

Hi Over,

So the replies from maradns are fine, but then you have DNSSEC
validation enabled.  But DNSSEC replies do not make it from the
internet to you.

This bit:
servselect ip4 195.243.137.26 port 53 (len 16)
Aug 19 15:36:09 unbound[8442:0] debug:    rtt=48128
Aug 19 15:36:09 unbound[8442:0] debug: selrtt 48128
Aug 19 15:36:09 unbound[8442:0] info: sending query: de. DNSKEY IN

So, queries for the root DNSKEY, .de DNSKEY all time out.  Probably,
you have a firewall that blocks DNS traffic bigger than 512.  Fix the
firewall or router.

Or, you somehow drop all traffic with EDNS0 in it.  The firewall
deep-inspects and drops DNS traffic with EDNS0 extensions (needed for
DNSSEC).


This is very important info, thanks.


Another option is to disable dnssec validation.  But it is better to
fix your network firewalls, routers or other filtering, that drops
DNSSEC answers (such as the de DNSKEY).

Yet another option is to configure unbound to advertise an EDNS size
of 512.

Since I need the unbound to serve information (gathered from internal servers) even when the internet is unavailable, I probably have to disable DNSSEC.

This solved my problem. Thanks a lot for your help and best regards, jo
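
An added example, not part of the original thread: a small probe that sends the same DNSKEY query without EDNS0, with EDNS0 advertising 512 bytes, and with EDNS0 advertising 4096 bytes, to separate the two causes named above (EDNS0 being dropped versus large replies being dropped). The function names and command-line arguments are assumptions made for this example.

```python
import socket
import struct
import sys

DNSKEY, OPT, IN = 48, 41, 1  # RR type codes and class IN

def build_query(name, edns_size=None, qtype=DNSKEY, txid=0x1234):
    """Build a DNS query; if edns_size is set, append an EDNS0 OPT record."""
    # Header: id, flags (RD clear), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns_size else 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, IN)
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode/version/flags with DO (0x8000) set, RDLENGTH=0
        packet += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0x8000, 0)
    return packet

def summarize(response):
    """Return (truncated, answer_count, size_in_bytes) for a raw response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return bool(flags & 0x0200), ancount, len(response)

def probe(server, name, edns_size, timeout=3.0):
    """Send one UDP query; return summarize() output, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_size), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return summarize(data)

if __name__ == "__main__":
    # Usage: script.py <authoritative-server-ip> [zone]
    server = sys.argv[1]
    zone = sys.argv[2] if len(sys.argv) > 2 else "de."
    for size in (None, 512, 4096):
        label = "no EDNS0" if size is None else f"EDNS0 size {size}"
        print(f"{label:>16}: {probe(server, zone, size)}")
```

A reply to the plain query but None for both EDNS0 queries points to EDNS0 being filtered; None only at 4096 points to a limit on reply size.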