[Unbound-users] unbound has info, but does not answer it
Over Dexia
over at dexia.de
Tue Aug 20 12:50:24 UTC 2013
On 20.08.2013 14:20, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Over,
>
> So the replies from maradns are fine, but then you have DNSSEC
> validation enabled. But DNSSEC replies do not make it from the
> internet to you.
>
> This bit:
>> servselect ip4 195.243.137.26 port 53 (len 16)
>> Aug 19 15:36:09 unbound[8442:0] debug: rtt=48128
>> Aug 19 15:36:09 unbound[8442:0] debug: selrtt 48128
>> Aug 19 15:36:09 unbound[8442:0] info: sending query: de. DNSKEY IN
>
> So, queries for the root DNSKEY, .de DNSKEY all time out. Probably,
> you have a firewall that blocks DNS traffic bigger than 512. Fix the
> firewall or router.
>
> Or, you somehow drop all traffic with EDNS0 in it. The firewall
> deep-inspects and drops DNS traffic with EDNS0 extensions (needed for
> DNSSEC).
This is very important info, thanks.
> Another option is to disable dnssec validation. But it is better to
> fix your network firewalls, routers or other filtering, that drops
> DNSSEC answers (such as the de DNSKEY).
>
> Yet another option is to configure unbound to advertise an EDNS size
> of 512.
Since I need the unbound to serve information (gathered from internal
servers) even when the internet is unavailable, I probably have to
disable DNSSEC.
This solved my problem. Thanks a lot for your help and best regards, jo
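
To tell the two causes named in the thread apart (replies larger than 512 bytes being dropped versus any query carrying EDNS0 being dropped), one can send the same DNSKEY query three ways and see which replies arrive. This is an added example, not part of the original thread or of unbound; the function names and the command-line usage are assumptions, and the server address is passed as an argument.

```python
import socket
import struct
import sys

DNSKEY, OPT, IN = 48, 41, 1

def build_query(name, qtype=DNSKEY, edns_size=None, do_bit=True, qid=0x1234):
    """Return a DNS query in wire format; edns_size=None means no EDNS0."""
    # Flags 0x0100 = recursion desired; ARCOUNT is 1 only when an OPT RR follows.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    packet = header + qname + struct.pack("!HH", qtype, IN)
    if edns_size:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=advertised UDP
        # size, TTL=ext-rcode/version/flags (DO bit = 0x8000), RDLEN=0.
        ttl = 0x8000 if do_bit else 0
        packet += b"\0" + struct.pack("!HHIH", OPT, edns_size, ttl, 0)
    return packet

def probe(server, packet, timeout=3.0):
    """Send one UDP query; return (reply_len, truncated) or None if no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            reply, _ = s.recvfrom(65535)
        except OSError:  # timeout or a local/ICMP send error
            return None
    if len(reply) < 4:
        return None
    flags = struct.unpack("!H", reply[2:4])[0]
    return len(reply), bool(flags & 0x0200)  # 0x0200 = TC (truncated)

CASES = [("no EDNS0", None), ("EDNS0 size 512", 512), ("EDNS0 size 4096", 4096)]

def run(server, name="de."):
    """Probe the server with each query variant; map label -> probe result."""
    return {label: probe(server, build_query(name, edns_size=size))
            for label, size in CASES}

if __name__ == "__main__" and len(sys.argv) > 1:
    for label, res in run(sys.argv[1]).items():
        print(f"{label:16} -> {'no reply' if res is None else 'len=%d tc=%s' % res}")
```

If only the plain query is answered, EDNS0 itself is being filtered; if the 512 case is answered (typically truncated) but the 4096 case gets no reply, large UDP responses are being dropped on the path.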