On 03/15/16 11:28, Andrea Brancatelli wrote: > Hello everybody, > > we're suddenly having problems with unbound on almost all of our servers > and I cannot really understand why. > > To make a long story short, we use this forward.conf: > > root@dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf > # This file was generated by local-unbound-setup. > # Modifications will be overwritten. > forward-zone: > name: . > forward-addr: 8.8.8.8 > forward-addr: 8.8.4.4 > > Enabling this: > > auto-trust-anchor-file: /var/unbound/root.key > > in /etc/unbound/unbound.conf gives me this: > > root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org > ;; connection timed out; no servers could be reached > > simply disabling that line gives me this: > > root@dbengine-ent-rm-01:/var/unbound # host update.freebsd.org > update.freebsd.org is an alias for update5.freebsd.org. > update5.freebsd.org has address 204.9.55.80 > update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750 > update5.freebsd.org mail is handled by 0 . > > What's going on? > > root@dbengine-ent-rm-01:/var/unbound # freebsd-version > 10.2-RELEASE-p13
Do you have a firewall between those machines and the Internet? Does it assume that DNS queries never use anything more than 512byte UDP packets? Does it try and rewrite data in DNS queries? Doing either of those things will cause breakage when using a DNSSEC enabled DNS resolver -- and DNSSEC support is pretty much the whole point of local_unbound. If you go here: https://www.dns-oarc.net/oarc/services/replysizetest it should show you if you have any problems with reply lengths. Firewalls that try and modify DNS queries on the fly just need to be eradicated. It's a dumb idea and indistinguishable from certain types of malicious attack. Cheers, Matthew
signature.asc
Description: OpenPGP digital signature
