[Unbound-users] Issue Resolving "packagist.org"

Paul Niemi paul.niemi at tbaytel.com
Wed Jan 7 15:16:51 UTC 2015


One of my co-workers had also, noticed inconsistencies with this domain
(SOA serial #'s).  We are still unable to resolve "pakagist.org" with
DNSSEC enabled, and yet you are able.  Perhaps something is different or
missing with our configuration (see below), or it has to do with differing
geographic locations, resulting in a different query path?

Our configuration:

        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        verbosity: 1
        extended-statistics: yes
        interface: X.X.X.X
        interface: Y.Y.Y.Y
        outgoing-interface: X.X.X.X
        do-ip6: yes

"access-control" lines

        logfile: "/etc/unbound/log/unbound.log"
        use-syslog: no
        log-time-ascii: yes
        log-queries: yes
        root-hints: "/etc/unbound/named.cache"
        hide-identity: yes
        hide-version: yes

"local-zone/local-data" lines
 "stub-zones" lines
"remote-control" lines

Thank you,


On Tue, Jan 6, 2015 at 4:47 PM, Casey Deccio <casey at deccio.net> wrote:

> On Tue, Jan 6, 2015 at 4:10 PM, Paul Niemi <paul.niemi at tbaytel.com> wrote:
>> Hello,
>> We are an ISP, and experiencing an issue looking up "packagist.org",
>> with unbound version 1.4.17 on Debian linux  When we have DNSSEC enabled
>> (our normal configuration), and make a query for "packagist.org", we get
>> a reply that it does not exist (NXDOMAIN).  If we disable the DNSSEC, by
>> commenting the "auto-trust-anchor-file" line in the config, then the query
>> is successful.  We tried turning up the logging verbosity, but we am not
>> sure what all is going on in the log.  Does anyone have any insight into
>> what is going on here, or what I should be looking for in the log?  We have
>> tried against some other open DNS servers (Google, OpenDNS) and the query
>> is successful there, as well.  It just seems to be our unbound DNS server
>> with DNSSEC enabled, that fails.
> Hi Paul,
> FWIW, I am unable to reproduce the NXDOMAIN on my own instance of unbound
> of the same version and platform:
> $ dig +dnssec +noall +answer @localhost packagist.org
> packagist.org.        42979    IN    A
> packagist.org.        42979    IN    RRSIG    A 7 2 43200 20150127124709
> 20141228124709 36677 packagist.org.
> DsdSPygfMm2q0m6bq2Sk/atUQ4qhjh0A/HcjRBU1N5c7pMpTGA23cC7m
> pqZXqnCvaZoklh/sP54ImZHM62S5vLLF4hpceXMxIvPhzNQOqQIbveA6
> DiiANUA7vVgpxuliAG95OCwKMxqf5u182R5KV6+Q1Wuufo5JKzKfbgJS 8eI=
> That being said, the domain has (at least) some issues with consistency
> across anycast instances.  ns200 shows two different serials from two
> different locations:
> client1$ dig +dnssec +noall +answer @ns200.anycast.me packagist.org soa |
> awk '$4 ~ /SOA/ { print $7 }'
> 2014122801
> client2$ dig +dnssec +noall +answer @ns200.anycast.me packagist.org soa |
> awk '$4 ~ /SOA/ { print $7 }'
> 2014122800
> Likewise, ns200 returns RRSIGs from one location, and not from the other.
> client1$ dig +dnssec @ns200.anycast.me packagist.org mx | grep RRSIG | wc
> -l
> 1
> client2$ dig +dnssec @ns200.anycast.me packagist.org mx | grep RRSIG | wc
> -l
> 0
> DNSViz sees this too:
> http://dnsviz.net/d/packagist.org/VKxTjA/dnssec/
> Regards,
> Casey

*Paul Niemi, B.Sc., B.Eng.* | Networks and Servers Technician
*Tbaytel *| 241 S. Vickers Street | Thunder Bay, Ontario | P7E 1J5
Tel: (807) 625-3043


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this email. Please notify the sender 
immediately by e-mail if you have received this email by mistake and delete 
this e-mail from your system. If you are not the intended recipient you are 
notified that disclosing, copying, distributing or taking any action in 
reliance on the contents of this information is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20150107/ed5e0679/attachment.htm>

More information about the Unbound-users mailing list