Hi T.Suzuki,

I don't know why it is querying for the root DNSKEY for you. It should not do that, unless a client asked for it.

Do you have verbosity 5 debug logs? Perhaps this config file is not the actual config file used by your resolver?

Best regards, Wouter

On 03/08/17 14:14, T.Suzuki via Unbound-users wrote:
> On Thu, 3 Aug 2017 09:08:52 +0200
> "W.C.A. Wijngaards via Unbound-users" <unbound-users@unbound.net> wrote:
>
>> Hi T.Suzuki,
>>
>> Do you have prefetch-key enabled still? It causes the DNSKEY to be
>> prefetched. If so, that would just be extra data in the cache, and not
>> hamper KSK rollovers.
>
> I do not enable any key configuration.
>
> unbound 1.6.3 (FreeBSD 11.0-RELEASE pkg)
>
> server:
>   verbosity: 1
>   interface: 127.0.0.2
>   msg-cache-size: 8m
>   rrset-cache-size: 8m
>   access-control: 127.0.0.0/8 allow
>   logfile: "unbound.log"
>   log-queries: yes
>   root-hints: "named.cache"
>   private-address: 172.16.0.0/12
>   private-address: 192.168.0.0/16
>   unwanted-reply-threshold: 100000
>   do-not-query-localhost: no
>   # prefetch-key: no
>   module-config: "iterator"
>   # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>   # trust-anchor-file: ""
>
> python:
> remote-control:
>   control-enable: yes
>
> # tshark -n port 53
> Capturing on 'em0'
> 1 0.000000 172.16.168.136 → 199.7.91.13 DNS 70 Standard query 0xca87
> NS <Root> OPT
> 2 0.015573 199.7.91.13 → 172.16.168.136 DNS 1139 Standard query
> response 0xca87 NS <Root> NS f.root-servers.net NS e.root-servers.net NS
> i.root-servers.net NS k.root-servers.net NS a.root-servers.net NS
> b.root-servers.net NS d.root-servers.net NS g.root-servers.net NS
> h.root-servers.net NS l.root-servers.net NS m.root-servers.net NS
> j.root-servers.net NS c.root-servers.net RRSIG A 198.41.0.4 A 192.228.79.201
> A 192.33.4.12 A 199.7.91.13 A 192.203.230.10 A 192.5.5.241 A 192.112.36.4 A
> 198.97.190.53 A 192.36.148.17 A 192.58.128.30 A 193.0.14.129 A 199.7.83.42 A
> 202.12.27.33 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:200::b AAAA 2001:500:2::c
> AAAA 2001:500:2d::d AAAA 2001:500:a8::e AAAA 2001:500:2f::f AAAA
> 2001:500:12::d0d AAAA 2001:500:1::53 AAAA 2001:7fe::53 AAAA
> 2001:503:c27::2:30 AAAA 2001:7fd::1 AAAA 2001:500:9f::42 AAAA 2001:dc3::35 OPT
> 3 0.015879 172.16.168.136 → 198.41.0.4 DNS 70 Standard query 0x6795
> DNSKEY <Root> OPT
> 4 0.130131 198.41.0.4 → 172.16.168.136 DNS 1181 Standard query
> response 0x6795 DNSKEY <Root> DNSKEY DNSKEY DNSKEY RRSIG OPT