From: Andrea Brancatelli
To: Trond Endrestøl
Cc: freebsd-stable@freebsd.org
Subject: Re: Problems with unbound
Date: Tue, 15 Mar 2016 15:55:10 +0100
Organization: Schema31 s.r.l.

Hi,

the machine is connected "directly enough" (it's in a datacenter) to safely exclude point 1. How can I check it with tcpdump or whatever?

For point 2 I have the same exact problem adding OpenDNS in forward.conf, so I'd exclude it too.

I have an interesting and funny input tho: the problem happens only when resolving *.freebsd.org but doesn't happen when I try to resolve, for example, www.google.com [1].

I already know you won't be believing me (eheh), so here's a snippet:

root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 52156.
Starting local_unbound.

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
;; connection timed out; no servers could be reached

root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004

root@dbengine-ent-rm-01:/var/unbound # unbound-anchor -l
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

#########

And then again:

root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
#       auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

root@dbengine-ent-rm-01:/var/unbound # service local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 59561.
Starting local_unbound.

root@dbengine-ent-rm-01:/var/unbound # host www.freebsd.org
www.freebsd.org is an alias for wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org has address 8.8.178.110
wfe0.ysv.freebsd.org has IPv6 address 2001:1900:2254:206a::50:0
wfe0.ysv.freebsd.org mail is handled by 0 .

root@dbengine-ent-rm-01:/var/unbound # host www.google.com
www.google.com has address 216.58.212.68
www.google.com has IPv6 address 2a00:1450:4002:809::2004

On 2016-03-15 13:42, Trond Endrestøl wrote:

> There are at least two possibilities:
>
> 1. Your ISP limits the use of DNS, in particular when DNSSEC is
> involved, or
>
> 2. The Google DNS resolvers don't support DNSSEC.
>
> I haven't verified the latter, but I would guess Google are competent
> enough to allow DNSSEC.

Links:
------
[1] http://www.google.com
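
Added example (not part of the original message, and not code from unbound or FreeBSD): one way to test the two possibilities in the quoted reply is to send a forwarder a query with the EDNS0 DO bit set and see whether RRSIG records come back. All function names are illustrative assumptions; the sample replies for signed.example are constructed, with placeholder RRSIG data.

```python
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):  # length-prefixed labels followed by the root byte
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, qid=0x1234):
    """Recursive query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL = flags (DO = 0x8000), no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def dnssec_summary(msg):
    """Report the header bits and answer record types that matter for validation."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "answer_types": types, "rrsig_in_answer": TYPE_RRSIG in types}

def ask(server, name, timeout=3.0):  # live check against one forwarder (needs network)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return dnssec_summary(s.recv(4096))

def sample_response(with_rrsig):  # constructed reply; RRSIG rdata is placeholder bytes
    rr = lambda t, d: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d
    answers = [rr(TYPE_A, bytes([192, 0, 2, 1]))] + ([rr(TYPE_RRSIG, bytes(24))] if with_rrsig else [])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return header + encode_name("signed.example") + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)
```

Calling ask() with a forwarder address from forward.conf and a signed name shows whether RRSIG records survive the path to that forwarder; a socket timeout there means the DO-bit query got no reply at all.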