Hello Petr,

OK thanks for that info - I re-enabled it anyway so things worked. 😊

Two things arise here then:

1) If TCP is disabled then why is unbound trying to use it? (but irrelevant really)

2) Perhaps the more relevant one is: if TCP & UDP are required for full functionality, do we need the options in the configuration file in the first place?

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no".
    do-tcp: yes

Perhaps they should both be removed if it is mandatory.

Regards
Ray

-----Original Message-----
From: Petr Špaček <petr.spa...@nic.cz>
Sent: 02 August 2018 16:53
To: unbound-users@unbound.net
Subject: Re: Disabling TCP use causes issues?

Hello Ray,

in general TCP is mandatory for proper DNS operation so I would recommend you not to waste time on non-TCP DNS. It will just break in various situations as you saw yourself.

Please see standard https://tools.ietf.org/html/rfc7766 which reinforces mandate for TCP support in DNS:

    DNS Transport over TCP - Implementation Requirements

    Abstract
    This document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines ..

    1. Introduction
    This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation. ..

I hope it clarifies state of DNS in 2018.

Petr Špaček @ CZ.NIC

On 2.8.2018 17:15, RayG via Unbound-users wrote:
> I decided to try using unbound without enabling TCP so I set “do-tcp: no”
>
> Then I was using the program I have to copy over the settings file and this includes obtaining any updated roots.hints file from ftp.internic.net as “ftp://ftp.internic.net/domain/named.cache“
>
> However when I ran the program I was not able, for some time, to reach the site.
>
> I enabled verbose level 4 and I have a log from:
>
> 02/08/2018 15:19:41 C:\Program Files\Unbound\unbound.exe[9192:0] info: start of service (unbound 1.7.4_20180716).
>
> At the start I was getting:
>
> C:\Program Files\Unbound>dig ftp.internic.net
>
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Returned from DIG.
>
> This carried on for some time until the response changed from the above to:
>
> C:\Program Files\Unbound>dig ftp.internic.net
>
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50179
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ftp.internic.net.              IN      A
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Thu Aug 02 15:30:31 GMT Summer Time 2018
> ;; MSG SIZE  rcvd: 45
>
> And then a bit later on I got:
>
> ; <<>> DiG 9.12.2 <<>> ftp.internic.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37661
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ftp.internic.net.              IN      A
>
> ;; ANSWER SECTION:
> ftp.internic.net.       1035    IN      CNAME   internicftp.vip.icann.org.
> internicftp.vip.icann.org. 1036 IN      A       192.0.47.9
>
> ;; Query time: 31 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Thu Aug 02 15:33:38 GMT Summer Time 2018
> ;; MSG SIZE  rcvd: 100
>
> The log is some 2.2MB so I did not want to attach it to this post.
>
> Here are what I hope are some salient clues from the log:
>
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] info: validator operate: query c.gtld-servers.net. A IN
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug: querying for next missing target
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug: return error response SERVFAIL
>
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] info: validator operate: query c.gtld-servers.net. A IN
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug: validator: nextmodule returned
> 02/08/2018 15:19:50 C:\Program Files\Unbound\unbound.exe[9192:1] debug: cannot validate non-answer, rcode SERVFAIL
>
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug: request has dependency depth of 5
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug: request has exceeded the maximum dependency depth with depth of 5
> 02/08/2018 15:19:51 C:\Program Files\Unbound\unbound.exe[9192:1] debug: return error response SERVFAIL
>
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 33
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug: request has exceeded the maximum number of sends with 33
> 02/08/2018 15:22:19 C:\Program Files\Unbound\unbound.exe[9192:1] debug: return error response SERVFAIL
>
> From the configuration file:
>
> # Enable IPv4, "yes" or "no".
> do-ip4: yes
>
> # Enable IPv6, "yes" or "no".
> do-ip6: yes
>
> # Enable UDP, "yes" or "no".
> do-udp: yes
>
> # Enable TCP, "yes" or "no".
> do-tcp: no
>
> I also notice some of these lines in the log, but TCP is not enabled?:
>
> 02/08/2018 15:19:56 C:\Program Files\Unbound\unbound.exe[9192:1] debug: tcp error for address ip4 199.254.50.1 port 53 (len 16)
> 02/08/2018 15:21:08 C:\Program Files\Unbound\unbound.exe[9192:1] debug: tcp error for address ip6 2620:74:19::33 port 53 (len 28)
>
> Any thoughts?
>
> Regards
>
> Ray
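As an added example (not part of this thread and not Unbound's own code), the Python below shows the transport decision that RFC 7766 makes mandatory and that the thread turns on: a resolver asks over UDP first; when the reply arrives with the TC (truncated) bit set it must retry over TCP, framing the message with the 2-byte length prefix DNS uses on TCP. With TCP disabled the resolver is left holding a truncated reply it is not allowed to complete, and the only honest answer to the client is SERVFAIL, which is the symptom in Ray's dig output. The `send_udp`/`send_tcp` callables, the `fake_response` helper and the `big_answer_*`/`small_answer_udp` servers are constructed stand-ins so the logic runs offline; only the reply header is built, the record sections are omitted.

```python
import struct
import secrets

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: reply did not fit the UDP buffer, retry over TCP
FLAG_RD = 0x0100  # recursion desired
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query in wire format (default QTYPE A, QCLASS IN)."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; the TC bit is what drives the TCP fallback."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def tcp_unframe(data):
    length = struct.unpack(">H", data[:2])[0]
    return data[2:2 + length]


def resolve(name, send_udp, send_tcp, do_udp=True, do_tcp=True):
    """Transport selection as a resolver does it: UDP first, TCP on truncation.

    send_udp(query) -> reply and send_tcp(framed_query) -> framed_reply are injected
    (hypothetical transports) so the decision logic can be exercised without a network.
    """
    query = build_query(name)
    qid = parse_header(query)["id"]
    if do_udp:
        hdr = parse_header(send_udp(query))
        if hdr["id"] != qid or not hdr["qr"]:
            return {"status": "SERVFAIL", "transport": "udp", "reason": "bad reply id/flags"}
        if not hdr["tc"]:
            return {"status": RCODE_NAMES.get(hdr["rcode"], "OTHER"), "transport": "udp",
                    "answers": hdr["ancount"]}
        if not do_tcp:
            # The do-tcp: no failure mode from the thread: a truncated reply that the
            # resolver may not complete over TCP, so the client gets SERVFAIL.
            return {"status": "SERVFAIL", "transport": "udp",
                    "reason": "truncated reply and TCP disabled"}
    if not do_tcp:
        return {"status": "SERVFAIL", "transport": None, "reason": "no transport enabled"}
    hdr = parse_header(tcp_unframe(send_tcp(tcp_frame(query))))
    if hdr["id"] != qid or not hdr["qr"]:
        return {"status": "SERVFAIL", "transport": "tcp", "reason": "bad reply id/flags"}
    return {"status": RCODE_NAMES.get(hdr["rcode"], "OTHER"), "transport": "tcp",
            "answers": hdr["ancount"]}


# --- constructed fake servers (header only, no real DNS traffic) -------------------
def fake_response(query, truncated, rcode=0, ancount=0):
    txid = struct.unpack(">H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0) | rcode
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def big_answer_udp(query):
    # Answer too large for the UDP buffer: the server sets TC and returns no records.
    return fake_response(query, truncated=True, ancount=0)


def big_answer_tcp(framed):
    # Over TCP the same server returns the full answer (2 records, like CNAME + A above).
    return tcp_frame(fake_response(tcp_unframe(framed), truncated=False, ancount=2))


def small_answer_udp(query):
    # Answer fits in UDP: no truncation, no TCP needed.
    return fake_response(query, truncated=False, ancount=1)


if __name__ == "__main__":
    print(resolve("ftp.internic.net", big_answer_udp, big_answer_tcp, do_tcp=True))
    print(resolve("ftp.internic.net", big_answer_udp, big_answer_tcp, do_tcp=False))
```

Run with `do_tcp=True` the first call completes over TCP with two answer records; with `do_tcp=False` the same query ends in SERVFAIL with the reason recorded, which is the same observable outcome as the `return error response SERVFAIL` log lines and the `status: SERVFAIL` dig output quoted in the thread. The transaction-id check on every reply is the minimal sanity check a resolver should keep regardless of transport.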