Closed ziojacky closed 2 years ago
For me, such a configuration resolves a.root-servers.net just fine. Have you tried setting the verbosity to 4, and then log the first resolution to see what is going wrong? The details then end up in the log file unbound.log
.
For me, such a configuration resolves a.root-servers.net just fine. Have you tried setting the verbosity to 4, and then log the first resolution to see what is going wrong? The details then end up in the log file
unbound.log
.
i try view log resolution is normal, but dig can't get answer, if i close auto-trust-anchor-file dig can get icann and internic normal answer, but no matter how set it conf file, all root-servers.net can't get answer in dig, looks like a dead circle...
The auto-trust-anchor-file statement is causing trouble and turning it off solves some resolutions? Something must be wrong with it the file. It would be interesting to set verbosity to 4, then unbound logs in more detail what happens. Then start the server again, and look up one of the failing domains. That should give a lot of details on what is wrong.
The auto-trust-anchor-file statement is causing trouble and turning it off solves some resolutions? Something must be wrong with it the file. It would be interesting to set verbosity to 4, then unbound logs in more detail what happens. Then start the server again, and look up one of the failing domains. That should give a lot of details on what is wrong.
emmm, i try set verbosity 4, seem log nothing wrong and have right answer, since open new unbound process i only try get icann.org domain a type once, the log keeps enlarge, didn't do anything in between, the log content is circular query...
here are some parts:
`[1647468850] unbound[975:5] info: sending query: icann.org. A IN
[1647468850] unbound[975:5] debug: sending to target:
;; ANSWER SECTION:
;; AUTHORITY SECTION: icann.org. 4 IN NS a.icann-servers.net. icann.org. 4 IN NS c.icann-servers.net. icann.org. 4 IN NS b.icann-servers.net. icann.org. 4 IN NS ns.icann.org. icann.org. 4 IN DS 23584 7 2 AF57A492640102809209AA005B93C32B7ACC83734BC785CFA50B51688299CD61 icann.org. 4 IN DS 17248 7 2 885CF8A6CF35FD5C619E1D48B59AFB23063BBA9FEC52FF25F99094CBA10910A2 icann.org. 4 IN DS 18060 7 2 6BE021818B9F10ED981A03ACBF74F01E31FB15C58680AD0C4BAA464BF37A7523 icann.org. 4 IN RRSIG DS 8 2 86400 20220330152417 20220309142417 30573 org. TFewgm0SG+o7hh8bEQ42SReF4Iy4IztXLfZX8ijnQWqaqglR0ZphR3x3ej84//LMl0I6ynvs8UO7vA7ccv7J4FauvHX0eT442gUPSd0Jmub9ztb82b/ylqDryIPglNjvnbWrCyFzgkIQ6KUQcwo1YBJxADOZTQv/sPPPbxiIxq0= ;{id = 30573}
;; ADDITIONAL SECTION: ns.icann.org. 4 IN A 199.4.138.53 ns.icann.org. 4 IN AAAA 2001:500:89::53 ;; MSG SIZE rcvd: 460`
So I do not see anything wrong in the logs you quote. Suspicious, the TTL on the reply you get is 4 seconds on the RRs. From the .org server, but in reality it has a TTL of about 86400 on the RRs. For the reply from the .org servers I would expect the full TTL on the replies. The content looks okay otherwise.
So I do not see anything wrong in the logs you quote. Suspicious, the TTL on the reply you get is 4 seconds on the RRs. From the .org server, but in reality it has a TTL of about 86400 on the RRs. For the reply from the .org servers I would expect the full TTL on the replies. The content looks okay otherwise.
today i find a error in my log:
unbound[2253:7] debug: tcp error for address ip4 192.5.6.30 port 53 (len 16)
if set do-tcp: yes, all previous errors will be resolved, but i don't want open tcp listen port in local, is there any way to solve it?
Perhaps you have, apart from the weird TTL, also an MTU problem, because you receive only 460 bytes, less than 512, instead of an expected like up to 1500 bytes MTU. This can be caused by firewalls and settings along those lines. When the MTU is too small, also TCP is needed. It then uses TCP to fetch the larger message. You could change edns-buffer-size: to like 512, but it is too small, and likely will create a lot of TCP backoff, for which you then have to enable TCP. This TCP backoff seems to be happening all by itself as well, as you receive shorter replies, with also altered TTLs.
If there is some upstream firewall you can fix, eg. enable DNS port 53 larger than 512 content, that would probably fix a lot of issues. Also having TCP enabled is a good idea. There is no way to have TCP disabled for downstream but enable it for upstream. Usually having TCP enabled is considered the default, and is also encouraged by several RFC standards.
i use unbound 1.15 made a root zone resolution server, but some domain can't resolving, main problem domain is all root-servers.net and icann with internic, but other domain can normal resolution, unbound compile with libevent, my unbound conf is :