obtaining a trust-anchor takes very long
rainer at ultra-secure.de
Mon Mar 27 08:56:44 UTC 2017
Hi,
I have unbound 1.6.0 (package, not the included one) on FreeBSD 11
(amd64) in a setup where it forwards its queries to a number of upstream
cache servers (also unbound).
Fetching the "anchor" takes 50-ish seconds each time it's restarted.
(slave <unbound>) 0 # time service unbound restart
Stopping unbound.
Obtaining a trust anchor:.
Starting unbound.
service unbound restart 0.03s user 0.02s system 0% cpu 52.246 total
From the ktrace output, I see that it tries to contact the root-servers.
This does not make sense as only access to said upstream cache servers
is possible.
These forwarders are configured in an include file of unbound.conf and
used for normal lookups but not for the trust-anchor setup, it seems.
How is this supposed to work?
Additionally, unbound-anchor seems to use the first IP on the interface
it finds to bind to for outgoing queries - even though a different one
is configured in unbound.conf. This doesn't look "right" to me but in
this case I just swapped the IPs so that the one unbound uses is the
first one.