<div dir="ltr"><div>Hello,<br><br></div><div>One of my co-workers had also, noticed inconsistencies with this domain (SOA serial #'s). We are still unable to resolve "<a href="http://pakagist.org" target="_blank">pakagist.org</a>" with DNSSEC enabled, and yet you are able. Perhaps something is different or missing with our configuration (see below), or it has to do with differing geographic locations, resulting in a different query path?<br><br></div><div>Our configuration:<br><br> auto-trust-anchor-file: "/var/lib/unbound/root.key"<br> verbosity: 1<br> extended-statistics: yes<br> interface: X.X.X.X<br> interface: Y.Y.Y.Y <br> outgoing-interface: X.X.X.X<br></div><div> do-ip6: yes<br></div><div><br></div><div>"access-control" lines<br></div><div><br> logfile: "/etc/unbound/log/unbound.log"<br> use-syslog: no<br> log-time-ascii: yes<br> log-queries: yes<br> root-hints: "/etc/unbound/named.cache"<br> hide-identity: yes<br> hide-version: yes<br><br>"local-zone/local-data" lines<br> "stub-zones" lines<br>"remote-control" lines<br><br><br></div><div>Thank you,<br><br>Paul<br></div><div><br><br><br><br><br><br><br><br><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 6, 2015 at 4:47 PM, Casey Deccio <span dir="ltr"><<a href="mailto:casey@deccio.net" target="_blank">casey@deccio.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 6, 2015 at 4:10 PM, Paul Niemi <span dir="ltr"><<a href="mailto:paul.niemi@tbaytel.com" target="_blank">paul.niemi@tbaytel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Hello,<br><br></div>We are an ISP, and experiencing an issue looking up "<a href="http://packagist.org" target="_blank">packagist.org</a>", with unbound version 1.4.17 on Debian linux When we have DNSSEC enabled (our normal configuration), and make a query for "<a href="http://packagist.org" target="_blank">packagist.org</a>", we get a reply that it does not exist (NXDOMAIN). If we disable the DNSSEC, by commenting the "auto-trust-anchor-file" line in the config, then the query is successful. We tried turning up the logging verbosity, but we am not sure what all is going on in the log. Does anyone have any insight into what is going on here, or what I should be looking for in the log? We have tried against some other open DNS servers (Google, OpenDNS) and the query is successful there, as well. It just seems to be our unbound DNS server with DNSSEC enabled, that fails.<br></div></div></blockquote><div><br></div><div>Hi Paul,<br><br></div><div>FWIW, I am unable to reproduce the NXDOMAIN on my own instance of unbound of the same version and platform:<br><br>$ dig +dnssec +noall +answer @localhost <a href="http://packagist.org" target="_blank">packagist.org</a><br><a href="http://packagist.org" target="_blank">packagist.org</a>. 42979 IN A 87.98.253.214<br><a href="http://packagist.org" target="_blank">packagist.org</a>. 42979 IN RRSIG A 7 2 43200 20150127124709 20141228124709 36677 <a href="http://packagist.org" target="_blank">packagist.org</a>. DsdSPygfMm2q0m6bq2Sk/atUQ4qhjh0A/HcjRBU1N5c7pMpTGA23cC7m pqZXqnCvaZoklh/sP54ImZHM62S5vLLF4hpceXMxIvPhzNQOqQIbveA6 DiiANUA7vVgpxuliAG95OCwKMxqf5u182R5KV6+Q1Wuufo5JKzKfbgJS 8eI=<br></div><div><br><br>That being said, the domain has (at least) some issues with consistency across anycast instances. ns200 shows two different serials from two different locations:<br><br>client1$ dig +dnssec +noall +answer @<a href="http://ns200.anycast.me" target="_blank">ns200.anycast.me</a> <a href="http://packagist.org" target="_blank">packagist.org</a> soa | awk '$4 ~ /SOA/ { print $7 }'<br>2014122801<br></div><div>client2$ dig +dnssec +noall +answer @<a href="http://ns200.anycast.me" target="_blank">ns200.anycast.me</a> <a href="http://packagist.org" target="_blank">packagist.org</a> soa | awk '$4 ~ /SOA/ { print $7 }'<br>2014122800<br><br></div><div>Likewise, ns200 returns RRSIGs from one location, and not from the other.<br></div><div><br>client1$ dig +dnssec @<a href="http://ns200.anycast.me" target="_blank">ns200.anycast.me</a> <a href="http://packagist.org" target="_blank">packagist.org</a> mx | grep RRSIG | wc -l<br>1<br>client2$ dig +dnssec @<a href="http://ns200.anycast.me" target="_blank">ns200.anycast.me</a> <a href="http://packagist.org" target="_blank">packagist.org</a> mx | grep RRSIG | wc -l<br>0<br><br>DNSViz sees this too:<br></div><div><a href="http://dnsviz.net/d/packagist.org/VKxTjA/dnssec/" target="_blank">http://dnsviz.net/d/packagist.org/VKxTjA/dnssec/</a><br><br></div><div>Regards,<br>Casey<br></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><span style="color:rgb(0,104,144);line-height:18px;font-size:13px"><span style="color:rgb(0,104,144);font-size:10pt"><b>Paul Niemi, B.Sc., B.Eng.</b> | Networks and Servers Technician<br><b>Tbaytel </b>| 241 S. Vickers Street | Thunder Bay, Ontario | P7E 1J5<br>Tel: (807) 625-3043<br><a style="color:rgb(17,116,165);text-decoration:none" href="https://anywhere.exchserver.com/owa/redir.aspx?C=470ce06163a045ee9da8a0bc65439d0c&ur" target="_blank"><span style="color:rgb(0,104,144)">www.tbaytel.net</span></a></span></span></div></div>
</div>
<br>
<div><br></div><div><span style="font-family:'Courier New';font-size:small">This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by e-mail if you have received this email by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</span></div>