Maintained by: NLnet Labs

[Unbound-users] Problem to resolve domains from a certain registrar

Lst_hoe02 at kwsoft.de
Wed Aug 24 13:47:17 CEST 2011


Zitat von Leo Bush <leo.bush at mylife.lu>:

> Dear all,
>
> For a month now our company has been using unbound-1.4.8-1 on two RH6 servers
> as caching and resolving servers with IPv6 and DNSSEC enabled. These
> two servers deal with all our DNS traffic, generated by all our
> customers (2x 5Mbps peak traffic). They work as stand-alone servers,
> with no complicated network components (load balancer...) around.
>
> At the beginning we used to activate the option use-caps-for-id, but
> since we got complaints from customers that certain domains were
> available everywhere in the world except at us, we preferred to
> deactivate it.
>
> Currently we face the following rather strange problem:
> Under normal working conditions, 70-90% of the time our two
> production servers cannot resolve domains registered at
> register.be and lying on the three authoritative name servers
> ns1.register.be, ns3.register.be, ns2.register.be (example:
> leonidas.be, estates.lu). They return me a SERVFAIL. register.be
> itself works all the time. By chance it sometimes works correctly
> for a brief period of time. Even though it was not easy due to the
> thousands of packets passing through in a second, I succeeded in
> tracing the packets the server sends to the authoritative servers,
> and it gets correct answers back.
>
> I tried to install unbound 1.4.8 with the same configuration file  
> (see attachment) on a desktop machine and there was no issue. All  
> resolutions against domains at register.be were immediate and correct.
>
> As customers continued to complain I was forced to take one server
> out of production and to replace it with BIND, which works correctly.
> Now I have one server with unbound that has the problem and one
> server with BIND that works fine in production. The formerly faulty
> unbound server that is now offloaded currently responds correctly to
> all tests (no restart done, no reboot done, just IP address switched).
>
> Does anybody have an idea how I can solve this problem? Shall I  
> offer you more technical information? Do you have further tests to  
> suggest?
>

Looks to me like an EDNS problem. At least some part of the .be zone is
DNSSEC signed and the replies get bigger than 512 bytes, as with "dig
x.dns.be A +dnssec". BIND has a feature to reduce the EDNS size in
case of trouble; not sure if Unbound does the same. What you should
check:
- Do the troublesome domains/names resolve with Unbound if you use checking
disabled (+cdflag)?
- Do you have any firewall device in front of your resolvers, maybe
some Cisco inspecting DNS traffic?
- Have you disabled Unbound TCP?

For some hints on the problem have a look here:
https://www.dns-oarc.net/oarc/services/replysizetest

Regards

Andreas
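Added example (not part of the original thread, and not Unbound or BIND code): the script below models, in plain Python with no network access, the failure mode Andreas describes. A constructed authoritative server returns a 1300-byte reply (a DNSSEC-sized answer; the size is an assumption), honouring the client's advertised EDNS UDP size and setting TC when the answer does not fit. A constructed middlebox stands in for a DNS-inspecting firewall that silently drops UDP replies above 512 bytes (an assumed behaviour, not tied to any specific product). The resolver logic implements the BIND-style fallback mentioned above: retry with a smaller EDNS size, then without EDNS, and switch to TCP on a truncated reply. Running it shows why the same query succeeds on a clean path, still succeeds through the firewall only thanks to the TCP fallback, and returns SERVFAIL once TCP is disabled. The name leonidas.be is taken from the post; the OPT RR and TC handling follow the RFC 1035/6891 wire format.

```python
import struct

# Constructed model: EDNS/DNSSEC reply larger than 512 bytes, a client with or
# without EDNS, a middlebox dropping large UDP DNS payloads, and a resolver
# with BIND-style EDNS size fallback plus TCP retry on truncation.
HDR = struct.Struct("!HHHHHH")          # id, flags, qdcount, ancount, nscount, arcount
OPT_TYPE, RRSIG_TYPE, A_TYPE = 41, 46, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_CD = 0x8000, 0x0200, 0x0100, 0x0010
EDNS_DO = 0x8000                         # DO bit in the OPT TTL field (RFC 6891)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(data, off):
    """Offset just past a wire-format name (2-byte compression pointers end a name)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def opt_rr(udp_size):
    """OPT pseudo-RR: root name, type 41, CLASS = UDP payload size, TTL = flags (DO), no RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, EDNS_DO, 0)


def build_query(name, edns_size=4096, cd=False, txid=0x1234):
    """Query for <name>/IN/A. edns_size=0 sends no OPT RR (classic 512-byte UDP limit);
    cd=True sets the CD bit, as `dig +cdflag` does."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    question = encode_name(name) + struct.pack("!HH", A_TYPE, 1)
    opt = opt_rr(edns_size) if edns_size else b""
    return HDR.pack(txid, flags, 1, 0, 0, 1 if opt else 0) + question + opt


def parse(data):
    """Header fields plus the UDP size advertised in the OPT RR, if any."""
    txid, flags, qd, an, ns, ar = HDR.unpack_from(data)
    off = HDR.size
    for _ in range(qd):
        off = skip_name(data, off) + 4   # skip qtype + qclass
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        if rtype == OPT_TYPE:
            udp_size = rclass
        off += 10 + rdlen
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an, "udp_size": udp_size, "length": len(data)}


class AuthServer:
    """Constructed authoritative server: one A record plus an RRSIG-shaped filler
    record, padded so the complete reply is exactly reply_size bytes."""

    def __init__(self, reply_size=1300):
        self.reply_size = reply_size

    def _question(self, query):
        return query[HDR.size:skip_name(query, HDR.size) + 4]

    def full_reply(self, query):
        txid, flags, *_ = HDR.unpack_from(query)
        question = self._question(query)
        opt = opt_rr(4096) if parse(query)["udp_size"] else b""   # echo OPT only if client sent one
        a_rr = b"\xC0\x0C" + struct.pack("!HHIH", A_TYPE, 1, 300, 4) + bytes([192, 0, 2, 1])
        filler = self.reply_size - (HDR.size + len(question) + len(a_rr) + 12 + len(opt))
        rrsig = b"\xC0\x0C" + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, filler) + b"\x00" * filler
        return HDR.pack(txid, flags | FLAG_QR, 1, 2, 0, 1 if opt else 0) + question + a_rr + rrsig + opt

    def udp(self, query):
        """Full reply if it fits the client's advertised size (512 without EDNS),
        otherwise a truncated reply (TC=1) carrying only the question."""
        full = self.full_reply(query)
        if len(full) <= (parse(query)["udp_size"] or 512):
            return full
        txid, flags, *_ = HDR.unpack_from(query)
        opt = opt_rr(4096) if parse(query)["udp_size"] else b""
        return HDR.pack(txid, flags | FLAG_QR | FLAG_TC, 1, 0, 0, 1 if opt else 0) + self._question(query) + opt

    def tcp(self, query):
        """TCP has no size limit (the 2-byte length prefix is omitted in this model)."""
        return self.full_reply(query)


def dns_inspecting_firewall(server, max_udp=512):
    """Assumed middlebox: silently drop UDP DNS replies larger than max_udp bytes
    (modelled on an 'inspect DNS' maximum-length check; None stands for a timeout)."""
    def path(query):
        reply = server.udp(query)
        return reply if len(reply) <= max_udp else None
    return path


def resolve(name, udp_path, tcp_path, edns_sizes=(4096, 512, 0), tcp_enabled=True):
    """Resolver side: after a timeout retry with a smaller EDNS size, then without
    EDNS; on a truncated reply switch to TCP. Returns (outcome, trace)."""
    trace = []
    for size in edns_sizes:
        reply = udp_path(build_query(name, edns_size=size))
        if reply is None:
            trace.append(f"udp edns={size}: timeout")
            continue
        p = parse(reply)
        if not p["tc"]:
            trace.append(f"udp edns={size}: {p['length']} bytes, {p['ancount']} answers")
            return "OK", trace
        trace.append(f"udp edns={size}: {p['length']} bytes, TC set")
        if not tcp_enabled:
            return "SERVFAIL", trace
        full = parse(tcp_path(build_query(name, edns_size=size)))
        trace.append(f"tcp: {full['length']} bytes, {full['ancount']} answers")
        return "OK", trace
    return "SERVFAIL", trace


if __name__ == "__main__":
    server = AuthServer(reply_size=1300)          # constructed DNSSEC-sized reply
    firewalled = dns_inspecting_firewall(server)
    for label, path, tcp_ok in (("clean path", server.udp, True),
                                ("DNS-inspecting firewall", firewalled, True),
                                ("firewall, Unbound TCP disabled", firewalled, False)):
        outcome, trace = resolve("leonidas.be", path, server.tcp, tcp_enabled=tcp_ok)
        print(f"{label}: {outcome}")
        for step in trace:
            print("   ", step)
```

The trace for the firewalled case is the one to compare against a packet capture on the real resolver: a 4096-byte EDNS query that never gets an answer, followed by a small truncated reply and a TCP retry. If the capture shows the first step repeating with no fallback, or the TCP retry never leaving the host, that points at the EDNS size handling or at TCP being blocked rather than at the authoritative servers.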