[Unbound-users] Unbound stop working without error-log
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Wed Nov 3 08:42:30 UTC 2010
Hi Andreas,
On 11/03/2010 09:07 AM, lst_hoe02 at kwsoft.de wrote:
> It seems more that unbound and bind disagree in their opinion if the
> signature is expired or not. As said the time unbound starts failing the
> same queries done directly to the upstream resolve *and* validate fine.
> So the options are:
That is strange. Your clocks are synchronised, so that is not it.
Could it have been the recent daylight-savings change somehow?
Both bind and unbound may have some leeway for expired signatures that
you can configure; val-sig-skew-max and val-sig-skew-min config options
for unbound.
> - Bind does not send the same data it is using for validation to the
> downstream (unbound) client. Would be a Bind bug I guess.
Try doing a dig @<bind> name +dnssec and then with +dnssec +cdflag. If
that is different, then this is happening.
> - Unbound and Bind do validation differently (should not happen IMHO)
Yes.
> - Validation in Unbound for some cases is broken. Would be a bug in
> Unbound I guess.
Well, when unbound refuses to validate it, enable val-log-level: 2, and
take a look in the log file; it gives a detailed error. Then do dig
+dnssec and dig +dnssec +cdflag for the name it mentions (also to unbound,
to see what is in the cache, and also at the IP address it mentions).
If you enable val-log-level: 2 (and you can have verbosity low), it
gives one line per validation failure. This is a (relatively) low
amount of logging, but very useful, as it tells you why exactly unbound
failed the query.
> It would be nice to get help how to debug this as DNSSEC "by-hand" is
> somewhat challenging.
This is pretty easy, the RRSIG notes ....
RRSIG bla bla expiration inception bla bla.
They are in yyyymmddhhmmss format UTC.
Most signers leave a couple weeks headroom in the expiration date.
Best regards,
Wouter
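As an added example (not part of the thread or of unbound's own code), the following script does the "by-hand" check Wouter describes: it parses an RRSIG line as dig prints it, converts the expiration and inception fields (yyyymmddhhmmss, UTC) to epoch seconds, and applies the same leeway rule the unbound.conf manual documents for val-sig-skew-min/max (skew is 10% of the signature lifetime, clamped to those bounds; the defaults of 3600 and 86400 seconds are assumed here). The sample RRSIG is constructed.

```python
from datetime import datetime, timezone

# Assumed defaults for val-sig-skew-min / val-sig-skew-max (seconds).
SKEW_MIN = 3600
SKEW_MAX = 86400

def parse_rrsig_time(field):
    """RRSIG presentation format is YYYYMMDDHHmmSS in UTC; a bare integer is epoch seconds."""
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)

def parse_rrsig(line):
    """Parse one RRSIG line as dig prints it:
    owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig"""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0], "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
        "expiration": parse_rrsig_time(f[i + 5]),   # dig prints expiration first
        "inception": parse_rrsig_time(f[i + 6]),
        "keytag": int(f[i + 7]), "signer": f[i + 8],
    }

def check_dates(sig, now, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """Return (ok, reason) for the RRSIG date window at time 'now' (epoch seconds).
    skew = 10% of (expiration - inception), clamped to [skew_min, skew_max]."""
    lifetime = sig["expiration"] - sig["inception"]
    skew = max(skew_min, min(lifetime // 10, skew_max))
    if now < sig["inception"] - skew:
        return False, "signature not yet valid (inception in the future)"
    if now > sig["expiration"] + skew:
        return False, "signature expired"
    return True, "ok"

# Constructed sample RRSIG in dig presentation format (not from the thread).
SAMPLE = ("example.net. 3600 IN RRSIG A 8 2 3600 20101117083000 20101020083000 "
          "12345 example.net. AbCdEf==")

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    now = int(datetime.now(timezone.utc).timestamp())
    print(sig["signer"], sig["keytag"], check_dates(sig, now))
```

Running it against the output of `dig @<server> name +dnssec` on the same host that runs unbound shows whether the clock, not the signature, is the problem.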