Unbound and DNSSEC behavior with loss of internet reachability
Darren S.
phatbuckett at gmail.com
Sat Sep 1 20:16:50 UTC 2018
Looking into issues like those discussed at
https://nlnetlabs.nl/pipermail/unbound-users/2012-July/007859.html.
I had an issue where an ISP outage resulted in loss of internet
connectivity. The Unbound cache on the LAN is configured to do DNSSEC
validation.

    auto-trust-anchor-file: "/var/unbound/db/root.key"

After the outage began, unbound failed in a way that I found
unexpected. In addition to failures to resolve external DNS names,
names served from internal NSD nameservers were also failing. Unbound
is configured with a number of stub zones pointing to 127.0.0.1 for a
local NSD, and I assume should have been able to resolve names in
internal zones.

    stub-zone:
        name: "lan.sancho2k.net"
        stub-addr: 127.0.0.1@8053

But the issues prevented any resolution from succeeding, external as
well as internal zones.

Sep 1 01:27:32 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 01:28:35 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 01:29:47 molodetz unbound: [7552:0] error: Could not generate request: out of memory
Sep 1 01:29:47 molodetz unbound: [7552:0] error: mem error generating DS request
Sep 1 01:29:52 molodetz unbound: [7552:0] error: Could not generate request: out of memory
Sep 1 01:29:52 molodetz unbound: [7552:0] error: mem error generating DS request
Sep 1 01:30:51 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 01:44:08 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 02:14:18 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 02:29:24 molodetz unbound: [7552:0] error: module cannot wait for subquery, subquery list empty
Sep 1 02:42:12 molodetz unbound: [7552:0] error: Could not generate request: out of memory
Sep 1 02:42:12 molodetz unbound: [7552:0] error: mem error generating DNSKEY request
Sep 1 04:47:38 molodetz unbound: [7552:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Sep 1 04:59:38 molodetz unbound: [7552:0] error: Could not prime trust anchor: out of memory

At first blush I thought the "out of memory" errors suggested resource
limits being hit. But immediately after restarting the server the
issue persisted. Resolution occurred when internet connectivity was
restored.
This left me with a couple of questions:
1. Are the "out of memory" and related errors sensible for the
conditions occurring? e.g. is a connectivity failure known to relate
to a resource leak, or is it misleading?
2. Is DNSSEC validation being enabled directly related to the issue encountered?
Unbound 1.6.8 on OpenBSD 6.3 amd64
--
Darren Spruell
phatbuckett at gmail.com
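
A log-triage sketch for the messages quoted above, added here as an example and not part of the original post or of Unbound: it rejoins the mail-wrapped syslog lines and groups them so that trust-anchor priming failures stand out from the generic "out of memory" reports. The category names and the sample (a subset of the quoted log) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the post's log lines, still hard-wrapped as in the mail.
SAMPLE = """\
Sep 1 01:27:32 molodetz unbound: [7552:0] error: module cannot wait
for subquery, subquery list empty
Sep 1 01:29:47 molodetz unbound: [7552:0] error: Could not generate
request: out of memory
Sep 1 01:29:47 molodetz unbound: [7552:0] error: mem error generating
DS request
Sep 1 02:42:12 molodetz unbound: [7552:0] error: mem error generating
DNSKEY request
Sep 1 04:47:38 molodetz unbound: [7552:0] info: failed to prime trust
anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Sep 1 04:59:38 molodetz unbound: [7552:0] error: Could not prime
trust anchor: out of memory
"""

# A record starts with "Mon D HH:MM:SS host unbound: [pid:thread] level:".
HEAD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ unbound: \[\d+:\d+\] \w+: (.*)$")

# Hypothetical category names; order matters, the first matching pattern wins.
CATEGORIES = [
    ("trust_anchor_prime", re.compile(r"prime trust anchor")),
    ("dnssec_fetch", re.compile(r"generating (DS|DNSKEY) request")),
    ("memory_report", re.compile(r"out of memory")),
    ("subquery", re.compile(r"cannot wait for subquery")),
]

def unwrap(text):
    """Rejoin continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return (count per category, first timestamp seen per category)."""
    counts, first_seen = Counter(), {}
    for rec in unwrap(text):
        ts, msg = HEAD.match(rec).groups()
        cat = next((n for n, p in CATEGORIES if p.search(msg)), "other")
        counts[cat] += 1
        first_seen.setdefault(cat, ts)
    return counts, first_seen
```

Calling `summarize()` on a saved log excerpt gives per-category counts and the first time each category appeared, which makes it easy to line the errors up against the start of an outage.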