[Dnssec-trigger] Why Does unbound Fail on So Many Requests?
Garry T. Williams
gtwilliams at gmail.com
Sat Apr 19 23:22:53 UTC 2014
I recently installed dnssec-triggerd in Fedora 20 after following a
long thread about default local DNS caching servers.

Well, it mostly just works as advertised, but I see a lot of these in
the system log:

unbound[773]: [773:1] info: validation failure t6021.network-dns-unbound-user.dnstalk.us.dlv.isc.org. DLV IN
unbound[773]: [773:0] info: validation failure natenom.name.dlv.isc.org. DLV IN
unbound[773]: [773:0] info: validation failure platform.twitter.com.dlv.isc.org. DLV IN

Sometimes the error later disappears. Sometimes it persists. For
example, I just did this one where the error persists:

garry at vfr$ dnssec-trigger-control status
at 2014-04-19 18:31:30
http fedoraproject.org (209.132.181.16): OK
cache 65.68.49.50: OK
cache 205.152.150.23: OK
cache 205.152.37.23: OK
state: cache secure
garry at vfr$ dig +dnssec t6021.network-dns-unbound-user.dnstalk.us @127.0.0.1
; <<>> DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20 <<>> +dnssec t6021.network-dns-unbound-user.dnstalk.us @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56300
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;t6021.network-dns-unbound-user.dnstalk.us. IN A
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 19 19:09:04 EDT 2014
;; MSG SIZE rcvd: 70
garry at vfr$ dig +dnssec t6021.network-dns-unbound-user.dnstalk.us @65.68.49.50
; <<>> DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20 <<>> +dnssec t6021.network-dns-unbound-user.dnstalk.us @65.68.49.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 15
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;t6021.network-dns-unbound-user.dnstalk.us. IN A
;; ANSWER SECTION:
t6021.network-dns-unbound-user.dnstalk.us. 60 IN A 144.76.84.155
;; AUTHORITY SECTION:
dnstalk.us. 6304 IN NS DNS4.REGISTRAR-SERVERS.COM.
dnstalk.us. 6304 IN NS DNS2.REGISTRAR-SERVERS.COM.
dnstalk.us. 6304 IN NS DNS3.REGISTRAR-SERVERS.COM.
dnstalk.us. 6304 IN NS DNS5.REGISTRAR-SERVERS.COM.
dnstalk.us. 6304 IN NS DNS1.REGISTRAR-SERVERS.COM.
;; ADDITIONAL SECTION:
DNS1.REGISTRAR-SERVERS.COM. 169361 IN A 173.245.59.40
DNS1.REGISTRAR-SERVERS.COM. 169361 IN A 173.245.58.17
DNS1.REGISTRAR-SERVERS.COM. 169361 IN A 173.245.58.45
DNS1.REGISTRAR-SERVERS.COM. 169361 IN A 173.245.59.16
DNS2.REGISTRAR-SERVERS.COM. 169361 IN A 208.64.122.242
DNS2.REGISTRAR-SERVERS.COM. 169361 IN A 208.64.122.244
DNS3.REGISTRAR-SERVERS.COM. 169361 IN A 69.197.21.28
DNS3.REGISTRAR-SERVERS.COM. 169361 IN A 69.197.21.29
DNS4.REGISTRAR-SERVERS.COM. 274 IN A 173.245.58.45
DNS4.REGISTRAR-SERVERS.COM. 274 IN A 173.245.59.16
DNS4.REGISTRAR-SERVERS.COM. 274 IN A 173.245.59.40
DNS4.REGISTRAR-SERVERS.COM. 274 IN A 173.245.58.17
DNS5.REGISTRAR-SERVERS.COM. 274 IN A 208.64.122.242
DNS5.REGISTRAR-SERVERS.COM. 274 IN A 208.64.122.244
;; Query time: 84 msec
;; SERVER: 65.68.49.50#53(65.68.49.50)
;; WHEN: Sat Apr 19 19:09:35 EDT 2014
;; MSG SIZE rcvd: 426
garry at vfr$

From a user point of view, I see that part of the Internet is broken
after installing this setup.

What is going on here?

--
Garry T. Williams