[Unbound-users] unbound has info, but does not answer it

Over Dexia over at dexia.de
Tue Aug 20 12:50:24 UTC 2013

On 20.08.2013 14:20, W.C.A. Wijngaards wrote:
> Hi Over,
> So the replies from maradns are fine, but then you have DNSSEC
> validation enabled.  But DNSSEC replies do not make it from the
> internet to you.
> This bit:
>> servselect ip4 port 53 (len 16)
>> Aug 19 15:36:09 unbound[8442:0] debug:    rtt=48128
>> Aug 19 15:36:09 unbound[8442:0] debug: selrtt 48128
>> Aug 19 15:36:09 unbound[8442:0] info: sending query: de. DNSKEY IN
> So, queries for the root DNSKEY, .de DNSKEY all time out.  Probably,
> you have a firewall that blocks DNS traffic bigger than 512.  Fix the
> firewall or router.
> Or, you somehow drop all traffic with EDNS0 in it.  The firewall
> deep-inspects and drops DNS traffic with EDNS0 extensions (needed for

This is very important info, thanks.

> Another option is to disable dnssec validation.  But it is better to
> fix your network firewalls, routers or other filtering, that drops
> DNSSEC answers (such as the de DNSKEY).
> Yet another option is to configure unbound to advertise an EDNS size
> of 512.

Since I need the unbound to serve information (gathered from internal 
servers) even when the internet is unavailable, I probably have to 
disable DNSSEC.

This solved my problem. Thanks a lot for your help and best regards, jo
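
Added example, not part of the original thread: a small probe that separates the two causes named in the quoted reply (EDNS0 queries dropped versus replies over 512 bytes dropped) by sending the same DNSKEY query three ways. The function names are hypothetical, and the server address and zone are supplied by the operator on the command line.

```python
import socket, struct, sys

DNSKEY, OPT = 48, 41  # RR type codes

def build_query(name, qtype, edns_size=None, do_bit=False, qid=0x1234):
    """DNS query with RD clear; adds an EDNS0 OPT record when edns_size is set."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_size:
        # OPT RR: root owner, CLASS carries the UDP size, TTL carries the DO flag
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0x8000 if do_bit else 0, 0)
    return msg

def probe(server, query, timeout=3.0):
    """Send one UDP query; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def diagnose(plain, edns512, edns4096):
    """Map three probe results (reply bytes or None) to the cases in the thread."""
    if plain is None:
        return "no DNS reachability at all"
    if edns512 is None and edns4096 is None:
        return "queries carrying EDNS0 are dropped"
    if edns4096 is None:
        return "replies larger than 512 bytes are dropped"
    if edns512 is None:
        return "inconclusive, repeat the probes"
    return "EDNS0 and large replies pass"

if __name__ == "__main__" and len(sys.argv) == 3:
    server, zone = sys.argv[1], sys.argv[2]  # operator-supplied server IP and zone
    replies = [probe(server, build_query(zone, DNSKEY, size, do))
               for size, do in ((None, False), (512, True), (4096, True))]
    for r in replies:
        # TC is bit 0x02 of the third header byte
        print("timeout" if r is None else f"{len(r)} bytes, TC={bool(r[2] & 0x02)}")
    print(diagnose(*replies))
```

Run it from the resolver host against an authoritative server for the zone whose DNSKEY queries time out; a single lost UDP packet can skew one run, so repeat before concluding.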
