Hello,

I am trying to understand a problem with resolving a small fraction of
sites from unbound. The server is a Debian Squeeze running behind a
firewall. 53/tcp, icmp and full udp are open on the box to the
outside. Unbound is stock Debian (1.4.6-1). When I try to resolve this
host, for instance, it fails: ice.grid.kiae.ru, whereas bind works.

Here is my configuration, I would be grateful if someone could point
me to the problem:

server:
        verbosity: 1
        num-threads: 2
        interface: 0.0.0.0
        interface: ::0
        interface-automatic: yes
        access-control: 127.0.0.0/8 allow
        access-control: ::1 allow
        access-control: ::ffff:127.0.0.1 allow
        access-control: xxxxxxx allow (where xxxx is our public range)
        access-control: 0.0.0.0/0 refuse
        access-control: ::0/0 refuse
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        logfile: "/var/log/unbound/unbound.log"
        pidfile: "/var/run/unbound.pid"
        root-hints: "/etc/unbound/named.cache"
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-referral-path: yes
        use-caps-for-id: yes
        unwanted-reply-threshold: 10000000
        dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
        val-clean-additional: yes
        val-permissive-mode: no
python:

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-interface: ::1
        control-port: 953
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

This is a paste of the queries using first the unbound server which
fails, then the bind one which works:

~ dig any ice.grid.kiae.ru @xxxx

; <<>> DiG 9.7.0-P1 <<>> any ice.grid.kiae.ru @unbound-server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38830
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ice.grid.kiae.ru.              IN      ANY

;; Query time: 625 msec
;; SERVER: xxxxx#53(xxxx)
;; WHEN: Fri Nov 26 12:26:30 2010
;; MSG SIZE  rcvd: 34

~ dig any ice.grid.kiae.ru @xxxxx

; <<>> DiG 9.7.0-P1 <<>> any ice.grid.kiae.ru @bind-server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14537
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;ice.grid.kiae.ru.              IN      ANY

;; ANSWER SECTION:
ice.grid.kiae.ru.       1068    IN      A       144.206.66.32

;; AUTHORITY SECTION:
grid.kiae.ru.           1068    IN      NS      ns.grid.kiae.ru.
grid.kiae.ru.           1068    IN      NS      ns.kiae.ru.
grid.kiae.ru.           1068    IN      NS      ns2.grid.kiae.ru.
grid.kiae.ru.           1068    IN      NS      ns1.grid.kiae.ru.

;; ADDITIONAL SECTION:
ns.kiae.ru.             639     IN      A       144.206.14.14

;; Query time: 0 msec
;; SERVER:xxxxxx#53(xxxxx)
;; WHEN: Fri Nov 26 12:26:25 2010
;; MSG SIZE  rcvd: 136


Thanks in advance,
Steph