Re: priming and dnskey

Thu, 03 Aug 2017 07:06:22 -0700 

Hi T.Suzuki,

I don't know why it is querying for the root DNSKEY for you.  It should
not do that, unless a client asked for it.

Do you have verbosity 5 debug logs?  Perhaps this config file is not the
actual config file used by your resolver?

Best regards, Wouter

On 03/08/17 14:14, T.Suzuki via Unbound-users wrote:
> On Thu, 3 Aug 2017 09:08:52 +0200
> "W.C.A. Wijngaards via Unbound-users" <unbound-users@unbound.net> wrote:
> 
>> Hi T.Suzuki,
>>
>> Do you have prefetch-key enabled still?  It causes the DNSKEY to be
>> prefetched.  If so, that would just be extra data in the cache, and not
>> hamper KSK rollovers.
> 
> I do not enable any key configuration.
> 
> unbound 1.6.3 (FreeBSD 11.0-RELEASE pkg)
> 
> server:
>       verbosity: 1
>       interface: 127.0.0.2
>       msg-cache-size: 8m
>       rrset-cache-size: 8m
>       access-control: 127.0.0.0/8 allow
>       logfile: "unbound.log"
>       log-queries: yes
>       root-hints: "named.cache"
>       private-address: 172.16.0.0/12
>       private-address: 192.168.0.0/16
>       unwanted-reply-threshold: 100000
>       do-not-query-localhost: no
>       # prefetch-key: no
>       module-config: "iterator"
>         # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>         # trust-anchor-file: ""
> 
> python:
> remote-control:
>       control-enable: yes
> 
> # tshark -n port 53
> Capturing on 'em0'
>     1   0.000000 172.16.168.136 → 199.7.91.13  DNS 70 Standard query 0xca87 
> NS <Root> OPT
>     2   0.015573  199.7.91.13 → 172.16.168.136 DNS 1139 Standard query 
> response 0xca87 NS <Root> NS f.root-servers.net NS e.root-servers.net NS 
> i.root-servers.net NS k.root-servers.net NS a.root-servers.net NS 
> b.root-servers.net NS d.root-servers.net NS g.root-servers.net NS 
> h.root-servers.net NS l.root-servers.net NS m.root-servers.net NS 
> j.root-servers.net NS c.root-servers.net RRSIG A 198.41.0.4 A 192.228.79.201 
> A 192.33.4.12 A 199.7.91.13 A 192.203.230.10 A 192.5.5.241 A 192.112.36.4 A 
> 198.97.190.53 A 192.36.148.17 A 192.58.128.30 A 193.0.14.129 A 199.7.83.42 A 
> 202.12.27.33 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:200::b AAAA 2001:500:2::c 
> AAAA 2001:500:2d::d AAAA 2001:500:a8::e AAAA 2001:500:2f::f AAAA 
> 2001:500:12::d0d AAAA 2001:500:1::53 AAAA 2001:7fe::53 AAAA 
> 2001:503:c27::2:30 AAAA 2001:7fd::1 AAAA 2001:500:9f::42 AAAA 2001:dc3::35 OPT
>     3   0.015879 172.16.168.136 → 198.41.0.4   DNS 70 Standard query 0x6795 
> DNSKEY <Root> OPT
>     4   0.130131   198.41.0.4 → 172.16.168.136 DNS 1181 Standard query 
> response 0x6795 DNSKEY <Root> DNSKEY DNSKEY DNSKEY RRSIG OPT
> 
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to