message is bogus, non secure rrset with Unbound as local caching resolver
Olav Morken
olav.morken at uninett.no
Wed Mar 2 15:42:01 UTC 2016
On Wed, Mar 02, 2016 at 08:45:11 -0500, Casey Deccio wrote:
> On Wed, Mar 2, 2016 at 6:39 AM, Olav Morken via Unbound-users <
> unbound-users at unbound.net> wrote:
>
> > sorry for the rather longwinded email. In the interest of saving some
> > time, here is a short summary:
> >
> >
> Hi Olav,
>
> Would mind trying the DNSViz command-line tool [1] against the resolvers to
> see if anything shows up? After install, run:
>
> dnsviz probe -s x.x.x.x pingapi.paas.uninett.no | dnsviz grok -plwarning
> dnsviz probe -s x.x.x.x pingapi.paas.uninett.no | dnsviz graph -Thtml -O
>
> (substitute x.x.x.x for the BIND and unbound resolvers, in turn)
>
> I'm curious if anything shows up there.
Unfortunately, the BIND server only tends to return responses where the
authority-section has NS-records but no RRSIG-record during the night.
I suspect it has something to do with traffic levels and what other
systems are accessing it. It makes it all a bit hard to troubleshoot.
The main source of information for troubleshooting has been a
combination of PCAP-files and log files.
I have grabbed a capture from the Unbound resolver that I have attached
to this email. If I ever happen to catch the BIND resolver having this
behavior, I'll try to catch the output from it as well, but I won't
make any promises.
The output of `dnsviz -grok -plwarning` only contains:
> Analyzing pingapi.paas.uninett.no
> Analyzing paas.uninett.no
> Analyzing uninett.no
> Analyzing no
> Analyzing .
> Analyzing paas-lb.uninett.no
The HTML output from the DNSViz on the Unbound server is available here:
https://uninett.box.com/s/3uz8fz7055oe788yrf0en3dmx651eyg1
(Changed from an attachment due to size restrictions on the list.)
Best regards,
Olav Morken
UNINETT / Feide
More information about the Unbound-users
mailing list