Re: Unbound 1.20.0rc1 pre-release

2024-05-01 Thread Yorgos Thessalonikefs via Unbound-users
Hi Tuomo, This is currently in the reserved state https://www.cve.org/CVERecord?id=CVE-2024-33655 Where do you see that this is a linux kernel issue? Best regards, -- Yorgos On 01/05/2024 13:20, Tuomo Soini via Unbound-users wrote: On Wed, 1 May 2024 11:23:28 +0200 Wouter Wijngaards via

Re: Unbound always returns SERVFAIL with forwarders

2024-04-30 Thread Yorgos Thessalonikefs via Unbound-users
Hi Martin, I don't see anything standing out in your log but you can start by using 'log-servfail: yes' in your configuration and maybe you get something useful. Best regards, -- Yorgos On 30/04/2024 08:01, martin f krafft via Unbound-users wrote: Regarding the following, written by “martin

Re: forward-zone with local-data

2024-04-10 Thread Yorgos Thessalonikefs via Unbound-users
Hi Gareth, In that case you could still forward both test and subdomain(s).test. The subdomain(s).test would be forwarded where it has to, the test can be forwarded on a non-listening port on localhost. The subdomains will get the appropriate answers, and test (along with non specified

Re: CacheDB and TTL

2024-03-25 Thread Yorgos Thessalonikefs via Unbound-users
Hi Bruno, TTL 0 is explicitly returned for expired items in the external cache. This means that 'serve-expired: yes' needs to be configured, otherwise those items are not used. Unbound will refuse to start if the connection to the external cache cannot be established. However, during

Re: Disable additional OPT Accepts DNSSEC security RRs

2024-03-18 Thread Yorgos Thessalonikefs via Unbound-users
Hi Brian, The OPT record is for EDNS in general. The DO bit is about DNSSEC and validation; part of the OPT record. From version 1.19.0 on, you can use 'disable-edns-do: yes' to turn the bit off; you would also need to keep the validator module removed otherwise that option would be ignored.

Re: What does this Unbound logging mean?

2024-02-20 Thread Yorgos Thessalonikefs via Unbound-users
Hi Marco, serve-expired and prefetch do work for data coming from Unbound's internal cache but not for data coming from subnetcache (ECS). This is because there is no support for it (yet). You can enable both but the expired and prefetch logic will not trigger for ECS cached answers. Best

Re: unbound-1.19.0 alloc_reg_obtain() core dumps

2024-02-20 Thread Yorgos Thessalonikefs via Unbound-users
Hi Sami, An extra question while looking around; when reloading, do you maybe use the reload_keep_cache command? Best regards, -- Yorgos On 19/02/2024 12:38, Yorgos Thessalonikefs wrote: Hi Sami, I believe this alloc_reg_release() needs to be there and I don't see it being called twice on

Re: unbound-1.19.0 alloc_reg_obtain() core dumps

2024-02-19 Thread Yorgos Thessalonikefs via Unbound-users
Hi Sami, I believe this alloc_reg_release() needs to be there and I don't see it being called twice on failure, unless I miss something. As for the cores I started looking around; the latest ones seem really weird especially with pointers that seem to change between calls. Did you find out

Re: unbound-1.19.0 alloc_reg_obtain() core dumps

2024-02-09 Thread Yorgos Thessalonikefs via Unbound-users
Hi Sami, I am quiet because I have nothing to share at the moment but thanks for these! Best regards, -- Yorgos On 09/02/2024 13:18, Sami Kerola wrote: Hello again, Crashes keep on happening. Instead of reporting the same backtraces here are some that I think I have not reported yet.

Re: unbound-1.19.0 alloc_reg_obtain() core dumps

2024-02-02 Thread Yorgos Thessalonikefs via Unbound-users
Hi Sami, I'll have a look but probably next week. I am a little confused by your previous wording: "... have a problem with unbound-1.19.0. Estimated time in between crashes is around 450 days on a single server." Did these start specifically with 1.19.0? How often do you see those crashes

Re: Can unbound answer both DoH and DoT on the same port ?

2024-01-08 Thread Yorgos Thessalonikefs via Unbound-users
Hi, You would have additional difficulties since after the TLS handshake DoT would expect DNS data and DoH would expect HTTP data. Best regards, -- Yorgos On 06/01/2024 19:51, ch--- via Unbound-users wrote: I have a working unbound server that answers DoH queries on tcp 443. I use a

Re: distinguish Do53, DoT and DoH in the logs

2023-11-24 Thread Yorgos Thessalonikefs via Unbound-users
Hi Andreas, This is not possible at the moment. Would you like to open an issue at https://github.com/NLnetLabs/unbound/issues ? I would guess adding the destination port of the request on the query/reply logs would be enough? Best regards -- Yorgos On 23/11/2023 22:23, A. Schulze via

Re: [PATCH 1/1] dns64: Fall back to plain AAAA query with synthall but no A records

2023-10-18 Thread Yorgos Thessalonikefs via Unbound-users
Hi Daniel, The change looks good for me. It does change current behavior but I think that the new behavior (when asked to synthesize but no A exists, fallback to the existing ) makes sense for a default configuration. However, I am not a DNS64 operator so if people here feel differently

Re: Warning Subnetcache

2023-10-04 Thread Yorgos Thessalonikefs via Unbound-users
Hi Georg, Probably the compilation or the default configuration of Unbound changed between those Debian versions. This is only a problem if you want the prefetch functionality to work with the subnetcache module (ECS); which currently it does not. You can turn either off and the warning

Re: FORMERR - automatically retried?

2023-08-15 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi John, For upstream traffic, on FORMERR responses, Unbound will retry without EDNS if an EDNS query was previously sent. But from your log output these queries and replies seem to be for the downstream (client facing) traffic. I deduce that log-queries: yes log-replies: yes

Re: Allowing PTR queries only for specific subnets ?

2023-07-13 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Nicolas, The following configuration parts may result in what you need; I haven't tested though: server: access-control-view: 10.1.0.0/16 allowptr access-control-view: 0.0.0.0/0 disallowptr view: name: allowptr view: name: disallowptr

Re: Disable Serving expired with ttl=0

2023-06-29 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Sankar, A TTL of 0 does not mean that the record is expired. Unbound returns the non-expired (0 TTL) record and starts prefetching; since I see that this is enabled in the configuration. If you query 1 second later when the record is expired, Unbound will go to the network instead. Best

Re: python unbound client bug?

2023-06-06 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Paul, The single/double quotes mixup seems like a funny coincidence. result.data.data includes the rdata which in this case (TXT) is the character string(s). So also the length of the character string at the start which in this case happens to be presented as '. For this specific example

Re: How DoH settings should work

2023-05-16 Thread George (Yorgos) Thessalonikefs via Unbound-users
On 16/05/2023 14:54, Vladimir Lomov via Unbound-users wrote: Hello, ** George (Yorgos) Thessalonikefs via Unbound-users [2023-05-16 12:25:50 +0200]: Hi Vladimir, 'https-port:' makes sure that DoH is used for listening sockets using that specific port. In order to use the port you

Re: How DoH settings should work

2023-05-16 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Vladimir, 'https-port:' makes sure that DoH is used for listening sockets using that specific port. In order to use the port you need to explicitly define it with 'interface:'. The port in 'interface:' is optional and will default to 53, or the value of 'port:' if that is changed. For

Re: Unbound + single localhost nsd starts return SERVFAIL for local names after several minutes of normal work

2023-04-05 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Dmitri, You can increase the verbosity in Unbound to see what is happening from Unbound's side. A value of 4 will be eloquent but it will log the information needed. You can also set that value during runtime with: unbound-control verbosity 4 You can do this briefly when the

Re: dnsmasq with unbound as upstream - DNSSEC

2023-04-05 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Peter, Unbound with DNSSEC validation configured will reply with the AD bit for secure answers and SERVFAIL for bogus answers. Insecure answers will get the answer without the AD bit set. Newer versions (>= 1.16.0) will also attach EDE codes for DNSSEC validation failures to the SERVFAIL

Re: rpz & views?

2023-03-06 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Håvard, That is correct. If it fits your configuration, you could limit the rpz with tags though. Either client IP based (access-control-tag:) or listening interface based (interface-tag:). Best regards, -- Yorgos On 03/03/2023 11:00, Havard Eidnes via Unbound-users wrote: Hi, am I

Re: Problem with undead upstreams

2023-02-28 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Florian, On 28/02/2023 13:17, Florian Streibelt via Unbound-users wrote: I really hate manually keeping track of these domains but nobody seems to be able to fix it and it's hard to explain that using any of the open resolvers the domains work, only when using our resolvers it breaks.

Re: Test

2023-02-28 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi, You can find most of the information at https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/info-timeout-server-selection.html You can affect this further by using the following configuration options: - infra-* - fast-server-* You can read about them in the manpage or online at

Re: Problem with undead upstreams

2023-02-28 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Florian, On 27/02/2023 17:33, Paul Wouters via Unbound-users wrote: On Mon, 27 Feb 2023, Florian Streibelt via Unbound-users wrote: No, again that is not my issue. All of the servers that dns.com operates are dropping queries for the Resource Record Type DS. They are the authoritative

Re: mapping client networks to work with ECS

2023-02-20 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Antonio, This is not possible. If you control the clients you can have them include an ECS option with the desired network and Unbound will use that. My next bet would be NATing so that Unbound sees the fake client IP. Best regards, -- Yorgos On 17/02/2023 18:18, Antonio Prado via

Re: newbie question: Allowing recursion

2023-02-20 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi David, Your configuration should work. Are you sure that Unbound is seeing that exact client IP address? If you increase verbosity (4 at least) Unbound will log why the query was refused. > A dig query against this server returns "recursion requested but not > available". I suppose the

Re: Prefetch with short TTL?

2023-02-16 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi John, What prefetch does for cached records is to try and refetch the record internally (the client still gets the fast cached answer) when a cached record is used for the answer and that record's TTL is at the last 10% of the original TTL. This hopefully will update the record in the

Re: Unbound 1.17.1 released

2023-01-13 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi G.B., The command is documented in the unbound-control manpage. Also online at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound-control.html#unbound-control-commands-reload-keep-cache. This is about the message and rrset global cache, so it will not help with reloading RPZ

Re: root.hints and root.key

2023-01-04 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Gerben, Best wishes for 2023 to you too! If you don't specify a root hints file, Unbound will use the builtin defaults. These are kept up-to-date with each version. The root key file usually contains the DS/DNSKEY record of the root trust anchor and is used for DNSSEC validation. This

Re: Getting Refused from stub-zone authoritative query record

2022-12-09 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi, I don't see this as an Unbound issue; NSD just returns REFUSED to such queries. There seems to be something off with your NSD configuration. Maybe an 'allow-query:' option or the zone you are requesting is not loaded in NSD. I would first try to solve that issue with just 'dig' from the

Re: Serve-expired not working in combination with send-client-subnet ?

2022-11-29 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Marco, Two things: - The 'serve-expired-client-timeout:' has no support for the subnet module. That means that when the client timeout is reached, Unbound will try to find an (expired) answer in the *global* cache and reply to the client(s). - The subnet module has no support for

Re: validating nxdomain for subdomains of data-less labels in auth-zone

2022-11-11 Thread George (Yorgos) Thessalonikefs via Unbound-users
This does sound like a bug for auth-zone then. I don't have time to replicate atm but could you open an issue for it? Also, is this NSEC or NSEC3? Best regards, -- Yorgos On 11/11/2022 15:09, Michael Tokarev wrote: 11.11.2022 16:54, George (Yorgos) Thessalonikefs wrote: Now I spot that this

Re: validating nxdomain for subdomains of data-less labels in auth-zone

2022-11-11 Thread George (Yorgos) Thessalonikefs via Unbound-users
Now I spot that this is auth-zone. Which version of Unbound is that? I would first try with stub-zone instead and point to the NSD instance you mentioned. Best regards, -- Yorgos On 11/11/2022 14:26, Michael Tokarev wrote: 11.11.2022 14:31, George (Yorgos) Thessalonikefs via Unbound-users

Re: intercept RR during recursion (v2, typos fixed)

2022-11-11 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Simon, This is as designed. Local data is used before any recursion. What you want to do can be achieved by either a stub-zone (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#stub-zone-options; redirecting to a nameserver with data for sub.dom.nl.) or an auth-zone

Re: validating nxdomain for subdomains of data-less labels in auth-zone

2022-11-11 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Michael, Without having anything specific to look at I would guess that Unbound is doing the right thing and that the signing part is not properly creating NSEC/NSEC3 for the Empty Non Terminal 'x.dom.'. Best regards, -- Yorgos On 08/11/2022 20:01, Michael Tokarev via Unbound-users

Re: notify rejected in unbound 1.16.3

2022-11-08 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi Peter, ACL (also) comes before NOTIFY processing. Make sure that the nameserver addresses are not denied (the default) by Unbound. Something like: server: access-control: allow or server: access-control: refuse_non_local should work. The latter will make sure to

Re: Issue between DnsDIST an Unbound 1.17 using PROXYv2

2022-10-11 Thread George (Yorgos) Thessalonikefs via Unbound-users
Hi David, I have tried with dnsdist 1.7.1 and I can't reproduce the issue. Haven't tested with 1.7.2 so I can't comment on that. A couple of things that may help: - Unbound will still log 10.0.0.10 for log messages that have to do with network connectivity; - Queries from dnsdist itself