Domain not being resolved?
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Wed Apr 18 10:10:08 UTC 2018
Hi Søren,
On 18/04/18 11:54, Søren Peter Skou via Unbound-users wrote:
> Hiya all,
>
> This perplexes me a bit. My unbound seems to have taken a dislike
> towards a couple of domains. Specifically frederiksberg.dk and fkb.dk
> and the tld .ke. If I try doing a dig ns frederiksberg.dk and equivalent
> for fkb.dk – I simply get a SERVFAIL. Initially I thought it might be
> something related to DNSSEC, but
> https://dnssec-debugger.verisignlabs.com states all green for both
> domains. Now, neither of the domains are mine, I still need to resolve
> them 😊 And google can resolve this just fine.
It works fine for me with unbound; I see no problems with validation
either. Perhaps you could enable verbosity, say at level 4, and see
what the output is. It then prints out the 'dig-style' outputs of all
the packets retrieved. And then you can see at what point it concludes
SERVFAIL, for example by searching the output for the keyword servfail.
If you had a validation failure your val-log-level: 2 would have already
printed that as a report to your logs.
Best regards, Wouter
>
> Example failing for fkb.dk:
>
> -bash-4.2$ dig ns fkb.dk @62.61.130.1
>
> ; <<>> DiG 9.10.4-P3 <<>> ns fkb.dk @62.61.130.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50361
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;fkb.dk. IN NS
>
> ;; Query time: 82 msec
> ;; SERVER: 62.61.130.1#53(62.61.130.1)
> ;; WHEN: Wed Apr 18 11:39:06 CEST 2018
> ;; MSG SIZE rcvd: 35
>
> Same result for both, however if I ask cloudflare, google or a Bind
> recursive server – I get the result I expect.
>
> -bash-4.2$ dig ns fkb.dk @62.61.136.249
>
> ; <<>> DiG 9.10.4-P3 <<>> ns fkb.dk @62.61.136.249
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23239
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;fkb.dk. IN NS
>
> ;; ANSWER SECTION:
> fkb.dk. 86400 IN NS ns3.prodns.net.
> fkb.dk. 86400 IN NS ns1.prodns.net.
> fkb.dk. 86400 IN NS ns9.prodns.net.
> fkb.dk. 86400 IN NS ns2.prodns.net.
> fkb.dk. 86400 IN NS ns4.prodns.net.
>
> ;; ADDITIONAL SECTION:
> ns9.prodns.net. 95119 IN A 74.116.176.8
> ns9.prodns.net. 8719 IN AAAA 2001:678:5::8
>
> ;; Query time: 66 msec
> ;; SERVER: 62.61.136.249#53(62.61.136.249)
> ;; WHEN: Wed Apr 18 11:41:50 CEST 2018
> ;; MSG SIZE rcvd: 179
>
> Same goes for google (8.8.8.8) and cloudflare (1.1.1.1).
>
> Configuration is as follows:
>
> server:
> auto-trust-anchor-file: "/usr/pkg/etc/unbound/root.key"
> verbosity: 1
> do-ip4: yes
> do-ip6: yes
> do-udp: yes
> do-tcp: yes
>
> interface: 62.61.130.1
> port: 53
> statistics-interval: 60
> extended-statistics: yes
> statistics-cumulative: yes
> root-hints: "/usr/pkg/etc/unbound/root.hints"
> hide-identity: no
> hide-version: yes
> use-caps-for-id: no
> harden-glue: yes
> harden-dnssec-stripped: yes
> cache-min-ttl: 3600
> cache-max-ttl: 86400
> prefetch: yes
> num-threads: 4
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
> outgoing-range: 950
> num-queries-per-thread: 512
> rrset-cache-size: 256m
> msg-cache-size: 128m
> so-rcvbuf: 204k
> so-sndbuf: 204k
> unwanted-reply-threshold: 10000
> val-clean-additional: no
> val-log-level: 2
>
> I may be overlooking something extremely obvious, however I cannot see
> what that might be.
>