intended to be sent to this list ...
-------- Forwarded Message --------
Subject: Re: Unbound 1.9.1rc1 pre-release
Date: Thu, 7 Mar 2019 16:05:45 +0100
From: A. Schulze <[email protected]>
To: Wouter Wijngaards <[email protected]>

On 05.03.19 at 10:37, Wouter Wijngaards via Unbound-users wrote:
> Unbound 1.9.1rc1 pre-release is available:

Hello Wouter,

compiled and works on my usual lab servers.

BUT - I'm currently behind a broken WLAN that implements a captive portal by DNS rewrites. And here I can't use unbound (neither 1.9.0 nor this rc) at all. I switched to stubby ...

server:
    aggressive-nsec: yes
    chroot: "/var/lib/unbound"
    do-daemonize: no
    extended-statistics: yes
    logfile: ""
    log-replies: yes
    log-servfail: yes
    log-tag-queryreply: yes
    harden-referral-path: yes
    harden-glue: yes
    outgoing-tcp-mss: 1220
    pidfile: ""
    rrset-roundrobin: yes
    tcp-mss: 1220
    statistics-interval: 3600
    statistics-cumulative: yes
    unwanted-reply-threshold: 10000
    use-caps-for-id: yes
    val-log-level: 2
    tls-session-ticket-keys: /dev/shm/current.key
    tls-session-ticket-keys: /dev/shm/previous.key
    auto-trust-anchor-file: trust/rfc5011.anchor
    module-config: "subnetcache validator iterator"
    interface: ::1
    interface: 127.0.0.1
    do-ip6: no
    interface: 127.0.0.1@853
    ssl-service-pem: /etc/ssl/chain.pem
    ssl-service-key: /etc/ssl/key.pem
    ssl-port: 853
    tls-cert-bundle: "etc/unbound/tls-cert-bundle.pem"

remote-control:
    control-enable: yes
    control-interface: /run/unbound.socket
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/dnstap/unbound.socket"
    dnstap-log-resolver-response-messages: yes
    dnstap-log-client-query-messages: yes
    dnstap-log-resolver-query-messages: yes
    dnstap-log-resolver-response-messages: yes
    dnstap-log-forwarder-query-messages: yes
    dnstap-log-forwarder-response-messages: yes

starting unbound gives that log:

[1551970980] unbound[28427:0] notice: read tls-session-ticket-key: /dev/shm/current.key
[1551970980] unbound[28427:0] notice: read tls-session-ticket-key: /dev/shm/previous.key
[1551970980] unbound[28427:0] notice: init module 0: subnet
[1551970980] unbound[28427:0] notice: init module 1: validator
[1551970980] unbound[28427:0] notice: init module 2: iterator
[1551970980] unbound[28427:0] notice: attempting to connect to dnstap socket /dnstap/unbound.socket
[1551970980] unbound[28427:0] notice: dnstap Message/RESOLVER_QUERY enabled
[1551970980] unbound[28427:0] notice: dnstap Message/RESOLVER_RESPONSE enabled
[1551970980] unbound[28427:0] notice: dnstap Message/CLIENT_QUERY enabled
[1551970980] unbound[28427:0] notice: dnstap Message/FORWARDER_QUERY enabled
[1551970980] unbound[28427:0] notice: dnstap Message/FORWARDER_RESPONSE enabled
[1551970980] unbound[28427:0] info: start of service (unbound 1.9.1rc1).

and now one query:

[1551971036] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: generate keytag query _ta-4f66. NULL IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: generate keytag query _ta-4f66. NULL IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: generate keytag query _ta-4f66. NULL IN
[1551971037] unbound[28427:0] error: SERVFAIL <e.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: generate keytag query _ta-4f66. NULL IN
[1551971037] unbound[28427:0] error: SERVFAIL <h.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <e.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <m.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <k.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <f.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <g.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <i.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <c.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971037] unbound[28427:0] error: SERVFAIL <f.gtld-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <b.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <d.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: generate keytag query _ta-4f66. NULL IN
[1551971037] unbound[28427:0] error: SERVFAIL <i.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] info: validation failure <. NS IN>: no signatures from 192.5.5.241 for trust anchor . while building chain of trust
[1551971037] unbound[28427:0] info: validation failure <. SOA IN>: no signatures from 192.5.5.241 for trust anchor . while building chain of trust
[1551971037] unbound[28427:0] reply: 127.0.0.1 . SOA IN SERVFAIL 0.658759 0 28
[1551971037] unbound[28427:0] error: SERVFAIL <h.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <a.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <j.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <l.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <g.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <j.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <b.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <m.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <d.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971037] unbound[28427:0] error: SERVFAIL <a.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971037] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <a.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <b.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <g.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971038] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <f.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <h.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <j.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <m.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <c.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <i.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <d.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <c.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971038] unbound[28427:0] error: SERVFAIL <d.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <j.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <f.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <g.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <a.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <h.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971038] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <m.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <b.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971039] unbound[28427:0] error: SERVFAIL <i.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <e.gtld-servers.net. A IN>: all servers for this domain failed, at zone net.
[1551971039] unbound[28427:0] error: SERVFAIL <f.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <g.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <j.gtld-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971039] unbound[28427:0] error: SERVFAIL <a.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <h.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <m.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971039] unbound[28427:0] error: SERVFAIL <b.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <i.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <d.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971039] unbound[28427:0] error: SERVFAIL <i.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <f.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <j.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <g.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <b.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <h.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <m.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <a.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <l.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <k.gtld-servers.net. A IN>: could not fetch nameservers for 0x20 fallback
[1551971040] unbound[28427:0] error: SERVFAIL <c.gtld-servers.net. A IN>: exceeded the maximum number of glue fetches
[1551971040] unbound[28427:0] error: SERVFAIL <c.root-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971040] unbound[28427:0] error: SERVFAIL <net. NS IN>: exceeded the maximum number of glue fetches

Any advice to pimp my configuration?

Andreas
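
A log of this size is easier to read once the SERVFAIL reasons are tallied. The following is an added example, not part of the original message and not Unbound code: it parses the log format quoted above, and the function name `triage`, the report keys and the "answers look rewritten" heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: a few lines excerpted from the log in the message above.
SAMPLE_LOG = """\
[1551971036] unbound[28427:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1551971037] unbound[28427:0] error: SERVFAIL <e.gtld-servers.net. A IN>: could not fetch nameserver at zone net.
[1551971037] unbound[28427:0] error: SERVFAIL <h.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] error: SERVFAIL <e.root-servers.net. A IN>: 0x20 failed, then got different replies in fallback
[1551971037] unbound[28427:0] info: validation failure <. NS IN>: no signatures from 192.5.5.241 for trust anchor . while building chain of trust
[1551971037] unbound[28427:0] reply: 127.0.0.1 . SOA IN SERVFAIL 0.658759 0 28
[1551971040] unbound[28427:0] error: SERVFAIL <net. NS IN>: exceeded the maximum number of glue fetches
"""

LINE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] (\w+): (.*)$")
SERVFAIL = re.compile(r"^SERVFAIL <(\S+) (\S+) (\S+)>: (.*)$")

def triage(log_text):
    """Tally SERVFAIL reasons and DNSSEC failures in Unbound log output."""
    reasons, names = Counter(), set()
    anchor_failures = validation_failures = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group(2), m.group(3)
        sf = SERVFAIL.match(msg) if level == "error" else None
        if sf:
            # Strip the trailing zone so identical reasons group together.
            reasons[re.sub(r",? at zone \S+$", "", sf.group(4))] += 1
            names.add(sf.group(1))
        elif msg.startswith("failed to prime trust anchor"):
            anchor_failures += 1
        elif msg.startswith("validation failure"):
            validation_failures += 1
    # Heuristic assumed by this example: trust-anchor priming failures plus
    # 0x20 fallback mismatches suggest answers are altered on the path.
    rewritten = anchor_failures > 0 and any(
        r.startswith("0x20 failed") for r in reasons)
    return {"reasons": reasons, "names": sorted(names),
            "anchor_failures": anchor_failures,
            "validation_failures": validation_failures,
            "answers_look_rewritten": rewritten}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for reason, count in report["reasons"].most_common():
        print(f"{count:4d}  {reason}")
    print("answers look rewritten:", report["answers_look_rewritten"])
```
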
