Date:      Tue, 15 Mar 2016 12:28:55 +0100
From:      Andrea Brancatelli <abrancatelli@schema31.it>
To:        freebsd-stable@FreeBSD.org
Subject:   Problems with unbound
Message-ID:  <f7856f2cc504efd0449091308a97f339@schema31.it>

Hello everybody, 

we're suddenly having problems with unbound on almost all of our servers
and I cannot really understand why. 

To make a long story short, we use this forward.conf: 

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
name: .
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4 

Enabling this: 

 auto-trust-anchor-file: /var/unbound/root.key 

in /etc/unbound/unbound.conf gives me this: 

root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
;; connection timed out; no servers could be reached 

simply disabling that line gives me this: 

root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
update.freebsd.org is an alias for update5.freebsd.org.
update5.freebsd.org has address 204.9.55.80
update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
update5.freebsd.org mail is handled by 0 . 

What's going on? 

root@dbengine-ent-rm-01:/var/unbound # freebsd-version
10.2-RELEASE-p13 

Thanks. 

-- 

Andrea Brancatelli
Schema31 S.p.a.
Responsabile IT

ROMA - BO - FI - PA 
ITALY
Tel: +39. 06.98.358.472
Cell: +39 331.2488468
Fax: +39. 055.71.880.466
Società del Gruppo SC31 ITALIA

Date:      Tue, 15 Mar 2016 13:42:25 +0100 (CET)
From:      Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To:        Andrea Brancatelli <abrancatelli@schema31.it>
Cc:        freebsd-stable@FreeBSD.org
Subject:   Re: Problems with unbound
Message-ID:  <alpine.BSF.2.20.1603151338550.1010@mail.fig.ol.no>
In-Reply-To: <f7856f2cc504efd0449091308a97f339@schema31.it>

On Tue, 15 Mar 2016 12:28+0100, Andrea Brancatelli wrote:

> Hello everybody, 
> 
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why. 
> 
> To make a long story short, we use this forward.conf: 
> 
> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
> name: .
> forward-addr: 8.8.8.8
> forward-addr: 8.8.4.4 
> 
> Enabling this: 
> 
>  auto-trust-anchor-file: /var/unbound/root.key 
> 
> in /etc/unbound/unbound.conf gives me this: 
> 
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached 
> 
> simply disabling that line gives me this: 
> 
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 . 
> 
> What's going on? 

There are at least two possibilities:

1. Your ISP limits the use of DNS, in particular when DNSSEC is 
involved, or

2. The Google DNS resolvers don't support DNSSEC.

I haven't verified the latter, but I would guess Google are competent 
enough to allow DNSSEC.

> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13 
> 
> Thanks. 

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
Date:      Tue, 15 Mar 2016 12:53:59 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   Re: Problems with unbound
Message-ID:  <56E805E7.7000902@infracaninophile.co.uk>
In-Reply-To: <f7856f2cc504efd0449091308a97f339@schema31.it>

On 03/15/16 11:28, Andrea Brancatelli wrote:
> Hello everybody,
>
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why.
>
> To make a long story short, we use this forward.conf:
>
> root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
> name: .
> forward-addr: 8.8.8.8
> forward-addr: 8.8.4.4
>
> Enabling this:
>
>  auto-trust-anchor-file: /var/unbound/root.key
>
> in /etc/unbound/unbound.conf gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached
>
> simply disabling that line gives me this:
>
> root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 .
>
> What's going on?
>
> root@dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13

Do you have a firewall between those machines and the Internet?   Does
it assume that DNS queries never use anything more than 512-byte UDP
packets?  Does it try and rewrite data in DNS queries?  Doing either of
those things will cause breakage when using a DNSSEC enabled DNS
resolver -- and DNSSEC support is pretty much the whole point of
local_unbound.

If you go here: https://www.dns-oarc.net/oarc/services/replysizetest it
should show you if you have any problems with reply lengths.  Firewalls
that try and modify DNS queries on the fly just need to be eradicated.
It's a dumb idea and indistinguishable from certain types of malicious
attack.

	Cheers,

	Matthew
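A diagnostic for the two failure modes the replies raise (a forwarder that does not hand back DNSSEC data, and a path that cannot carry replies larger than 512 bytes), as an added Python example that is not from the thread or from unbound: it builds the EDNS0 query with the DO bit that a validating resolver such as local_unbound sends to its forwarder, and classifies the reply by its TC bit, rcode, and whether OPT and RRSIG records came back. The reply bytes below are constructed for offline use; the name and addresses are assumptions.

```python
import struct

OPT, RRSIG, DO_BIT = 41, 46, 0x8000   # RR type codes and the DNSSEC-OK flag

def build_dnssec_query(name, qid=0x1234, udp_size=4096):
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)        # RD=1, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT, 0)  # EDNS0 OPT RR; TTL field carries DO
    return hdr + qname + struct.pack("!HH", 1, 1) + opt           # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while msg[off]:                       # labels until a zero byte ...
        if msg[off] & 0xC0 == 0xC0:       # ... or an RFC 1035 compression pointer
            return off + 2
        off += 1 + msg[off]
    return off + 1

def rr_types(reply):
    qd, an, ns, ar = struct.unpack("!HHHH", reply[4:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(reply, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def classify_reply(query, reply):
    """Map a forwarder's reply (or its absence) to the failure modes in the thread."""
    if reply is None:
        return "timeout"          # dropped upstream or by a firewall
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "bad-reply"        # not an answer to our query id
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x000F:
        return "rcode-%d" % (flags & 0x000F)   # e.g. 2 = SERVFAIL
    if flags & 0x0200:
        return "truncated"        # TC set: reply did not fit the path's UDP size
    types = rr_types(reply)
    if OPT not in types:
        return "no-edns"          # forwarder ignored the OPT record entirely
    return "dnssec-ok" if RRSIG in types else "no-rrsig"   # signatures stripped or zone unsigned

def sample_reply(query, truncated=False, rrsig=True):   # constructed reply for offline testing
    qlen = _skip_name(query, 12) + 4
    flags = 0x8180 | (0x0200 if truncated else 0)                # QR, RD, RA (+TC)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
    sig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 18) + b"\x00" * 18 if rrsig else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)   # constructed, not a real RRSIG
    return query[:2] + struct.pack("!HHHHH", flags, 1, 1 + rrsig, 0, 1) + query[12:qlen] + a_rr + sig + opt
```

To check a live forwarder, send the bytes from build_dnssec_query over UDP port 53 to it and pass whatever comes back (or None on timeout) to classify_reply; a "truncated" or "timeout" result with a 4096-byte buffer points at the path, a "no-edns" or "no-rrsig" result at the forwarder.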