[Unbound-users] Problem to resolve domains from a certain registrar
Lst_hoe02 at kwsoft.de
Thu Aug 25 12:21:45 UTC 2011
Quoting Leo Bush <leo.bush at mylife.lu>:
>
> On 24/08/2011 13:47, Lst_hoe02 at kwsoft.de wrote:
>>
>> Looks to me like an EDNS problem. At least some part of the .be zone
>> is DNSSEC signed and the replies get bigger than 512 bytes, like with
>> "dig x.dns.be A +dnssec". Bind has a feature to reduce the EDNS
>> size in case of trouble, not sure if Unbound does the same. What
>> you should check:
>> - Do the trouble domain/names resolve with unbound if you use
>> checking disabled (+cdflag)
>> - Do you have any firewall device in front of your resolvers maybe
>> some Cisco inspecting DNS traffic
>> - Do you have disabled Unbound tcp
>>
>> For some hints on the problem have a look here:
>> https://www.dns-oarc.net/oarc/services/replysizetest
>>
>> Regards
>>
>> Andreas
>
> Hi,
>
> Thank you for helping my case. Here are my answers.
> - I have no firewall or other device inspecting the traffic in front
> of the box, only packet filtering with iptables.
> - In the config file I have:
> # Enable TCP, "yes" or "no".
> # do-tcp: yes
> # edns-buffer-size: 4096
> So I assume that by default tcp is enabled.
>
>
> Following your suggestions I tried
>
> (initial settings)
> # dig leos.leonidas.be @resolv1 +cdflag
>
> ; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leoS.leonidas.be. IN A
>
> ;; Query time: 14 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:35:38 2011
> ;; MSG SIZE rcvd: 34
>
>
>
> (initial settings)
> # dig leos.leonidas.be @resolv1 +cdflag +tcp
>
> ; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be. IN A
>
> ;; Query time: 9 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:35:53 2011
> ;; MSG SIZE rcvd: 34
>
>
>
> (initial settings)
> # dig @resolv1 rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net. IN TXT
>
> ;; ANSWER SECTION:
> rs.dns-oarc.net. 60 IN CNAME rst.x3827.rs.dns-oarc.net.
> rst.x3827.rs.dns-oarc.net. 59 IN CNAME rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME rst.x3843.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 DNS reply size limit is at least 3843"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 sent EDNS buffer size 4096"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 12:38:52 UTC"
>
> ;; AUTHORITY SECTION:
> x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.
>
> ;; ADDITIONAL SECTION:
> ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
>
> ;; Query time: 5972 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 14:38:52 2011
> ;; MSG SIZE rcvd: 307
>
>
>
> Then I changed the following two settings:
> do-tcp: yes
> edns-buffer-size: 512
>
> I restarted the unbound daemon. I find immediately the following
> messages in the log:
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
> Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
This doesn't look good anyway. Are you low on memory? What do the
other unbound settings look like?
> I repeated my tests from before:
>
> # dig @resolv1 leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> 1 minute later
>
> # dig @resolv1 leos.leonidas.be +nodnssec
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be. IN A
>
> ;; ANSWER SECTION:
> leos.leonidas.be. 3600 IN A 81.246.74.153
>
> ;; Query time: 56 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:46:49 2011
> ;; MSG SIZE rcvd: 50
>
> # dig @resolv1 leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be. IN A
>
> ;; ANSWER SECTION:
> leos.leonidas.be. 2834 IN A 81.246.74.153
>
> ;; Query time: 5 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:59:35 2011
> ;; MSG SIZE rcvd: 50
>
>
>
> # dig @resolv1 leos.leonidas.be +dnssec
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;leos.leonidas.be. IN A
>
> ;; ANSWER SECTION:
> leos.leonidas.be. 2825 IN A 81.246.74.153
>
> ;; Query time: 16 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 15:59:44 2011
> ;; MSG SIZE rcvd: 61
>
>
>
> # dig @resolv1 rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
>
>
> As in the meantime my cacti monitoring signals me lots of Dropped
> packets, and as the reaction of the server seems slower to me
> (subjective feeling), I put back the initial settings.
>
> # dig @resolv1 leos.leonidas.be
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;leos.leonidas.be. IN A
>
> ;; Query time: 10 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 16:06:58 2011
> ;; MSG SIZE rcvd: 34
>
>
> # dig @resolv1 rs.dns-oarc.net txt
>
> ; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;rs.dns-oarc.net. IN TXT
>
> ;; ANSWER SECTION:
> rs.dns-oarc.net. 60 IN CNAME rst.x3827.rs.dns-oarc.net.
> rst.x3827.rs.dns-oarc.net. 59 IN CNAME rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net. 58 IN CNAME rst.x3843.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply size limit is at least 3843"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS buffer size 4096"
> rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 14:07:15 UTC"
>
> ;; AUTHORITY SECTION:
> x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS ns00.x3843.x3837.x3827.rs.dns-oarc.net.
>
> ;; ADDITIONAL SECTION:
> ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136
>
> ;; Query time: 1073 msec
> ;; SERVER: xxxxx#53(xxxxx)
> ;; WHEN: Wed Aug 24 16:07:15 2011
> ;; MSG SIZE rcvd: 307
>
There lately was an issue with priming the root with DNSSEC lasting very
long in some cases...
What are the settings for your trusted keys and do you use IPv6?
Regards
Andreas
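The checklist Andreas gives at the top of the thread (does the name still SERVFAIL with +cdflag, and what does the rs.dns-oarc.net reply-size test report) can be turned into a small triage script. This is an added example written for this page, not code from the thread or from Unbound: it parses dig output of the kind quoted above, using constructed excerpts embedded inline, and the `parse_dig`, `parse_replysize` and `diagnose` helpers and the 512-byte threshold are the example's own choices.

```python
import re

# Constructed dig excerpts modelled on the outputs quoted in the thread (trimmed).
PLAIN = ''';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; MSG SIZE  rcvd: 34'''
WITH_CD = ''';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; MSG SIZE  rcvd: 34'''
REPLYSIZE = '''rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS buffer size 4096"'''

def parse_dig(text):
    """Extract rcode, header flags and received message size from dig output."""
    if "connection timed out" in text:
        return {"status": "TIMEOUT", "flags": [], "size": None}
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    size = re.search(r"MSG SIZE\s+rcvd: (\d+)", text)
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [],
            "size": int(size.group(1)) if size else None}

def parse_replysize(text):
    """Return (measured_limit, advertised_buffer) from the OARC reply-size TXT records."""
    limit = re.search(r"reply size limit is at least (\d+)", text)
    sent = re.search(r"sent EDNS buffer size (\d+)", text)
    return (int(limit.group(1)) if limit else None,
            int(sent.group(1)) if sent else None)

def diagnose(plain, with_cd, replysize):
    """Apply the thread's checklist: CD flag first, then the reply-size test."""
    findings = []
    if plain["status"] != "SERVFAIL":
        return ["plain query resolves; nothing to diagnose"]
    if with_cd["status"] == "SERVFAIL" and "cd" in with_cd["flags"]:
        # CD switches validation off, so a SERVFAIL here is not a failed
        # signature check: the resolver could not obtain the data at all.
        findings.append("SERVFAIL persists with +cdflag: not a validation failure")
    elif with_cd["status"] == "NOERROR":
        findings.append("resolves with +cdflag: DNSSEC validation is what fails")
    limit, sent = parse_replysize(replysize)
    if limit is not None and limit > 512:
        # Caveat: this probes the path to OARC's servers, not to the zone's authoritatives.
        findings.append(f"path carries >= {limit} bytes with buffer {sent} advertised: EDNS size unlikely the cause")
    else:
        findings.append("reply-size test failed or limit <= 512 bytes: check EDNS/fragment handling")
    return findings
```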