Date:      Tue, 15 Mar 2016 15:55:10 +0100
From:      Andrea Brancatelli <abrancatelli@schema31.it>
To:        =?UTF-8?Q?Trond_Endrest=C3=B8l?= <Trond.Endrestol@fagskolen.gjovik.no>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Problems with unbound
Message-ID:  <e7b93ecb3ba1e1213033cabe507b4847@schema31.it>
In-Reply-To: <alpine.BSF.2.20.1603151338550.1010@mail.fig.ol.no>
References:  <f7856f2cc504efd0449091308a97f339@schema31.it> <alpine.BSF.2.20.1603151338550.1010@mail.fig.ol.no>

Hi, the machine is connected "directly enough" (it's in a datacenter) to
safely exclude point 1. 

How can I check it with tcpdump or whatever? 

For point 2 I have the same exact problem adding OpenDNS in
forward.conf, so I'd exclude it too. 

I have an interesting and funny data point though: the problem happens only when
resolving *.freebsd.org but doesn't happen when I try to resolve, for
example, www.google.com [1]. I already know you won't believe me
(eheh), so here's a snippet: 

root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 52156.
Starting local_unbound. 

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key 

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
;; connection timed out; no servers could be reached
root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004 

root@dbengine-ent-rm-01:/var/unbound # unbound-anchor -l
. IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE----- 

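######### And then again, this time with auto-trust-anchor-file commented out (so, unless an included file configures another trust anchor, unbound does no DNSSEC validation): 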

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
# auto-trust-anchor-file: /var/unbound/root.key 

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 59561.
Starting local_unbound.
root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
www.freebsd.org is an alias for wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org has address 8.8.178.110
wfe0.ysv.freebsd.org has IPv6 address 2001:1900:2254:206a::50:0
wfe0.ysv.freebsd.org mail is handled by 0 .
root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004 

Il 2016-03-15 13:42 Trond Endrestøl ha scritto:

> There are at least two possibilities:
> 
> 1. Your ISP limits the use of DNS, in particular when DNSSEC is 
> involved, or
> 
> 2. The Google DNS resolvers don't support DNSSEC.
> 
> I haven't verified the latter, but I would guess Google are competent 
> enough to allow DNSSEC.
 

Links:
------
[1] http://www.google.com


