unbound fails to do reverse lookups
Carlo Wood
carlo at alinoe.com
Fri Oct 17 19:09:29 UTC 2025
Hi, after two days of investigations I'm feeling a bit desperate...
I installed unbound to be used by postfix, which does reverse
lookups of hostnames, and it started to reject all email because
unbound can't do that, it seems.
Using my normal resolver:
>dig google.com | grep '^google.com'
google.com. 2400 IN A 142.251.36.46
>dig -x 142.251.36.46 | grep '^46'
46.36.251.142.in-addr.arpa. 61312 IN PTR ams17s12-in-f14.1e100.net.
I have unbound listening on 127.25.0.53:
>dig -x 142.251.36.46 @127.25.0.53
;; communications error to 127.25.0.53#53: timed out
;; communications error to 127.25.0.53#53: timed out
;; communications error to 127.25.0.53#53: timed out
; <<>> DiG 9.20.13 <<>> -x 142.251.36.46 @127.25.0.53
;; global options: +cmd
;; no servers could be reached
Logs of unbound during this:
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.180.182.53#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving x.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving z.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <142.in-addr.arpa.> 192.82.134.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.54.112.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.55.83.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <com.> 192.33.14.30#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was REFERRAL
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns3.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns2.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.34.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns4.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.34.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was nodata ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving ns1.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for ns1.google.com. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <google.com.> 216.239.38.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.36.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was nodata ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for z.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <arin.net.> 199.212.0.108#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for x.arin.net. A IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <arin.net.> 199.212.0.108#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <251.142.in-addr.arpa.> 216.239.38.10#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was ANSWER
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.253.183.183#53
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:02 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 200.10.60.53#53
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:07 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 193.0.9.1#53
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.180.182.53#53
Oct 17 20:57:18 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 196.216.169.10#53
Oct 17 20:57:25 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:31 daniel unbound[199121]: [199121:0] info: resolving _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: response for _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 200.10.60.53#53
Oct 17 20:57:32 daniel unbound[199121]: [199121:0] info: query response was NXDOMAIN ANSWER
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: Could not establish a chain of trust to keys for in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: validation failure <46.36.251.142.in-addr.arpa. PTR IN>: no DNSKEY rrset [all servers for this domain failed, at zone in-addr.arpa. from 196.216.169.10 upstream server timeout] for trust anchor in-addr.arpa. while building chain of trust
The reason this seems to fail is because unbound tries to connect with
TCP (after a UDP failure) to an .in-addr.arpa. root server, which doesn't
like that and immediately closes the connection.
The root server closes the connection because RD=0 (Recursion desired),
which is correct I think: unbound should not ask root servers for a DNSKEY.
I can simulate this from the command line:
>dig @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit | grep '257'
in-addr.arpa. 2370 IN DNSKEY 257 3 8 AwEAAbNX16PjL99cu7CpO7Nt5EXoq8k6TCZpzxz13wCITdkwIce4UrzUqw7b76WH7N3KKAb4uJgmswkujk+gYMqnMAwNBFELrCDDkflw2AIjFPXBd2Txw8o3H5of2uIbAijm76B562VIiT3p0RIP1SH4eA+wHwYmqM3o/PiYfCxQD1c+EJx6b6dRcKAfeX4XMSsM6DyI6tjLGZ//w/IspRnbRb6Q36zWNyPPY2+5fqkaJ/94OKapvXTCUpWsNqKYlOxMwovwW9a2uBIgldzSq9mCtGUXU7mRZkwUIpnzA5Qe+lYdimWnzve7BXVs8ZZUyNhlDMlWYUrYHiaJ0uESYAWZQ98=
in-addr.arpa. 2370 IN DNSKEY 257 3 8 AwEAAbdOaEhLDa/H2m+hbXBHiAUE95PgpL2358lkJCBmb2Dn7aImc5sqoaEa48hlabMuG2PfnbWd3ttpVXX6mwLRMppyhJeBbr1q2YWtzi+Xx5modXLKSDPuLliLUQ1oPnq2QWK7BUNwmV70gQSOx78vkisDqFzocC2aiFAi+D2r45GPvtBMbjfCA1FB0SELeUCsxhgoAHphO5T6ITCrOccM7XX7A4qRbcbS65HOcbT+UDG9OoXjmw2j8mWgJXrpwvdsskaISrTivzcqadgOinSgAL3bVYFKCkiVBmx87d88v+OuK+358xsUIU+0MzXUidLS8086BpdiEW4cJ6c08oDyC10=
>dig @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit +norecurse
;; communications error to 193.0.9.1#53: end of file
;; communications error to 193.0.9.1#53: end of file
;; communications error to 193.0.9.1#53: end of file
; <<>> DiG 9.20.13 <<>> @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit +norecurse
; (1 server found)
;; global options: +cmd
;; no servers could be reached
Am I correct to think that the problem is that unbound tries to do that last
thing at all, while it shouldn't?
I tried adding a trust anchor with the above data, but that didn't help.
The only change is that now unbound sets the bit "Non-authenticated
data: Acceptable" - but the root server still immediately closes the connection.
Isn't this a bug in unbound or am I doing something wrong?
Current config:
>grep -v '^[[:space:]]*#' unbound.conf | grep -v '^$'
server:
    verbosity: 2
    interface: 127.25.0.53
    outgoing-interface: 192.168.132.70
    so-sndbuf: 0
    edns-buffer-size: 1232
    do-ip6: no
    do-daemonize: no
    username: "unbound"
    log-time-iso: yes
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
    log-destaddr: yes
    log-servfail: yes
    trust-anchor-file: "/etc/unbound/trusted-key.key"
    trust-anchor-file: "/etc/unbound/trust-anchors.d/in-addr.arpa.key"
    pad-responses: yes
python:
dynlib:
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
where
>cat /etc/unbound/trust-anchors.d/in-addr.arpa.key
in-addr.arpa. DNSKEY 257 3 8 AwEAAbNX16PjL99cu7CpO7Nt5EXoq8k6TCZpzxz13wCITdkwIce4UrzUqw7b76WH7N3KKAb4uJgmswkujk+gYMqnMAwNBFELrCDDkflw2AIjFPXBd2Txw8o3H5of2uIbAijm76B562VIiT3p0RIP1SH4eA+wHwYmqM3o/PiYfCxQD1c+EJx6b6dRcKAfeX4XMSsM6DyI6tjLGZ//w/IspRnbRb6Q36zWNyPPY2+5fqkaJ/94OKapvXTCUpWsNqKYlOxMwovwW9a2uBIgldzSq9mCtGUXU7mRZkwUIpnzA5Qe+lYdimWnzve7BXVs8ZZUyNhlDMlWYUrYHiaJ0uESYAWZQ98=
in-addr.arpa. DNSKEY 257 3 8 AwEAAbdOaEhLDa/H2m+hbXBHiAUE95PgpL2358lkJCBmb2Dn7aImc5sqoaEa48hlabMuG2PfnbWd3ttpVXX6mwLRMppyhJeBbr1q2YWtzi+Xx5modXLKSDPuLliLUQ1oPnq2QWK7BUNwmV70gQSOx78vkisDqFzocC2aiFAi+D2r45GPvtBMbjfCA1FB0SELeUCsxhgoAHphO5T6ITCrOccM7XX7A4qRbcbS65HOcbT+UDG9OoXjmw2j8mWgJXrpwvdsskaISrTivzcqadgOinSgAL3bVYFKCkiVBmx87d88v+OuK+358xsUIU+0MzXUidLS8086BpdiEW4cJ6c08oDyC10=
but well - that should be necessary because I don't see any mention of something like that in any documentation online :/
Please help,
Carlo
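The log quoted in the post above shows the pattern a resolver operator wants to catch early: a configured trust anchor that is re-primed over and over, each attempt ending in "failed to prime trust anchor", until a client query ends in a DNSSEC validation failure. As an added example (not code from this post or from the Unbound project), here is a small Python parser for unbound log lines in that syslog-prefixed format. It groups DNSKEY fetch attempts, priming failures, the upstream servers that replied and the final validation failures by trust-anchor zone, and flags zones whose anchor never got primed. The embedded log is a constructed, condensed excerpt in the shape of the lines quoted above, and the failure threshold in `diagnose()` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: a condensed excerpt in the shape of the unbound
# log quoted in the post (verbosity: 2 with log-queries/log-replies enabled).
SAMPLE_LOG = """\
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] query: 127.0.0.1 46.36.251.142.in-addr.arpa. PTR IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: generate keytag query _ta-b7ce-d6ac.in-addr.arpa. NULL IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:56:57 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 199.253.183.183#53
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: prime trust anchor
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: resolving in-addr.arpa. DNSKEY IN
Oct 17 20:57:04 daniel unbound[199121]: [199121:0] info: reply from <in-addr.arpa.> 200.10.60.53#53
Oct 17 20:57:11 daniel unbound[199121]: [199121:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: Could not establish a chain of trust to keys for in-addr.arpa. DNSKEY IN
Oct 17 20:57:38 daniel unbound[199121]: [199121:0] info: validation failure <46.36.251.142.in-addr.arpa. PTR IN>: no DNSKEY rrset [all servers for this domain failed, at zone in-addr.arpa. from 196.216.169.10 upstream server timeout] for trust anchor in-addr.arpa. while building chain of trust
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host unbound[pid]: [pid:thread] message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ unbound\[\d+\]: \[\d+:\d+\] (?P<msg>.*)$"
)
DNSKEY_FETCH_RE = re.compile(r"^info: resolving (?P<zone>\S+) DNSKEY IN$")
PRIME_FAIL_RE = re.compile(
    r"^info: failed to prime trust anchor -- could not fetch DNSKEY rrset (?P<zone>\S+) DNSKEY IN$"
)
REPLY_RE = re.compile(r"^info: reply from <(?P<zone>[^>]+)> (?P<addr>[^#\s]+)#\d+$")
VAL_FAIL_RE = re.compile(r"^info: validation failure <(?P<qname>\S+) (?P<qtype>\S+) IN>: (?P<reason>.*)$")
ANCHOR_IN_REASON_RE = re.compile(r"for trust anchor (?P<anchor>\S+) while building chain of trust")
UPSTREAM_IN_REASON_RE = re.compile(r"from (?P<addr>\S+) upstream server (?P<outcome>\w+)")


def _new_zone():
    return {"dnskey_fetches": 0, "prime_failures": 0, "servers": set(),
            "validation_failures": [], "first_seen": None, "last_seen": None}


def _touch(zone, ts):
    # Track the time window in which this zone's priming activity happened.
    zone["first_seen"] = zone["first_seen"] or ts
    zone["last_seen"] = ts


def summarize(log_text):
    """Group trust-anchor priming activity and validation failures by zone."""
    zones = defaultdict(_new_zone)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an unbound line in the expected prefix format
        ts, msg = m.group("ts"), m.group("msg")
        if (f := DNSKEY_FETCH_RE.match(msg)):
            z = zones[f.group("zone")]
            z["dnskey_fetches"] += 1
            _touch(z, ts)
        elif (p := PRIME_FAIL_RE.match(msg)):
            z = zones[p.group("zone")]
            z["prime_failures"] += 1
            _touch(z, ts)
        elif (r := REPLY_RE.match(msg)):
            # Which authoritative servers for the zone actually answered.
            zones[r.group("zone")]["servers"].add(r.group("addr"))
        elif (v := VAL_FAIL_RE.match(msg)):
            reason = v.group("reason")
            a = ANCHOR_IN_REASON_RE.search(reason)
            u = UPSTREAM_IN_REASON_RE.search(reason)
            z = zones[a.group("anchor") if a else "(unknown anchor)"]
            z["validation_failures"].append({
                "ts": ts, "qname": v.group("qname"), "qtype": v.group("qtype"),
                "upstream": u.group("addr") if u else None,
                "outcome": u.group("outcome") if u else None,
            })
            _touch(z, ts)
    return dict(zones)


def diagnose(summary, max_prime_failures=1):
    """Zones whose anchor kept failing to prime or caused a validation failure (threshold is an assumption)."""
    return sorted(zone for zone, z in summary.items()
                  if z["prime_failures"] > max_prime_failures or z["validation_failures"])


def report(summary):
    """Human-readable one-block-per-zone summary of the problematic trust anchors."""
    lines = []
    for zone in diagnose(summary):
        z = summary[zone]
        lines.append(f"trust anchor {zone}: {z['prime_failures']} priming failures over "
                     f"{z['dnskey_fetches']} DNSKEY fetches between {z['first_seen']} and {z['last_seen']}")
        lines.append("  servers that replied: " + (", ".join(sorted(z["servers"])) or "none"))
        for vf in z["validation_failures"]:
            lines.append(f"  {vf['ts']} validation failure for {vf['qname']} {vf['qtype']}: "
                         f"last upstream {vf['upstream']} ({vf['outcome']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against a real journal export (`journalctl -u unbound` piped into the script, or `summarize(open(path).read())`) to see at a glance which configured anchor is the one unbound cannot prime and which upstream server timed out last; an anchor zone that shows up here while ordinary queries for other zones succeed points at the anchor configuration rather than at general connectivity.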