Hi Paul,

On 01/08/2011 11:06 PM, Paul Wouters wrote:
>> It should servfail.
> It did not.

What was the query that servfailed? I can see in the logs that it is retrying xelerance.org queries (for A, AAAA and type RRSIG). Because type RRSIG cannot be validated, you may have received a reply for that one.

Could it be that your (Mac?) tried to fail over to another DNS server even though you did not want that? What you say about resolv.conf makes this unlikely, and you did a straight dig @127.0.0.1, I guess.

> I always restarted unbound fully.

Good to know.

> I did capture the logs, mailed to you offlist.

Thanks! Did you notice these lines:

remote control failed ssl crypto error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Looks like some garbage connection to the unbound-control port.

> I don't think so. For each test I ran a "service unbound restart", and
> since resolv.conf was not configured to use 127.0.0.1, nothing could
> have used unbound until I started sending it queries for xelerance.org
> after I ran the unbound-control forward statement.

It looks like you have a downstream validator, and this unbound does not have a lot of trust anchors? It has trust anchors, right? I can see you editing trust anchor config earlier in the logs. The downstream validator seems to make DNSKEY and RRSIG queries. And I see a lot of retries (due to DNSSEC failures?).

These logs are confusing, I see they are log level 4 or 5 or so, but they are missing stuff (such as the configured trust anchors printout at start).

Best regards,
Wouter
