[Unbound-users] dnssec stripping not resulting in serv fail?
Paul Wouters
paul at xelerance.com
Mon Jan 10 13:26:15 UTC 2011
On Mon, 10 Jan 2011, W.C.A. Wijngaards wrote:
> What was the query that servfailed?
There was nothing that servfailed, that was the point.
> I can see in the logs that it is
> retrying xelerance.org queries (for A, AAAA and type RRSIG). Because
> type RRSIG cannot be validated, you may have received a reply for that one.
Yes, I digged specifically for xelerance.org
> Could it be that your (Mac?) tried to fail over to another DNS server
No. It was Fedora Linux; resolv.conf was not used at all.
> even though you did not want that? What you say about resolv.conf makes
> this unlikely, and you did a straight dig @127.0.0.1, I guess.
Yes.
>> I always restarted unbound fully.
>
> Good to know.
>
>> I did capture the logs, mailed to you offlist.
>
> Thanks!
>
> Did you notice these lines:
> remote control failed ssl crypto error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> Looks like some garbage connection to the unbound-control port.
I might have made some unbound-control command errors. I don't remember.
> It looks like you have a downstream validator, and this unbound does not
> have a lot of trust anchors?
It just had the root key.
> It has trust anchors, right? I can see
> you editing trust anchor config earlier in the logs.
Yes, I had some syntax errors before I finally got the syntax right :)
> The downstream
> validator seems to make DNSKEY and RRSIG queries. And I see a lot of
> retries (due to DNSSEC failures?).
I guess?
> These logs are confusing, I see they are log level 4 or 5 or so, but
> they are missing stuff (such as the configured trust anchors printout at
> start).
I grepped for "unbound". I'll check the logs and see if some lines do not
contain that string.
Paul