Quote from Leo Bush <leo.bush at mylife.lu>:

> Dear all,
>
> For one month our company has been using unbound-1.4.8-1 on two RH6 servers
> as caching and resolving servers with IPv6 and DNSSEC enabled. These
> two servers deal with all our DNS traffic, generated by all our
> customers (2x 5Mbps peak traffic). They work as stand-alone servers,
> with no complicated network components (load balancer...) around.
>
> At the beginning we used to activate the option use-caps-for-id, but
> since we got complaints from customers that certain domains were
> available everywhere in the world except at us, we preferred to
> deactivate it.
>
> Currently we face the following rather strange problem:
> Under normal working conditions, 70-90% of the time our two
> production servers cannot resolve domains registered at
> register.be and hosted on the three authoritative name servers
> ns1.register.be, ns3.register.be, ns2.register.be (examples:
> leonidas.be, estates.lu). They return me a SERVFAIL. register.be
> itself works all the time. By chance it sometimes works correctly
> for a brief period of time. Even though it was not easy due to the
> thousands of packets passing through in a second, I succeeded in
> tracing the packets the server sends to the authoritative servers, and
> it gets correct answers back.
>
> I tried to install unbound 1.4.8 with the same configuration file
> (see attachment) on a desktop machine and there was no issue. All
> resolutions of domains at register.be were immediate and correct.
>
> As customers continued to complain I was forced to take one server
> out of production and to replace it with bind, which works correctly.
> Now I have one server with unbound that has the problem and one
> server with bind that works fine in production. The formerly faulty
> unbound server that is now offloaded currently responds correctly to
> all tests (no restart done, no reboot done, just IP address switched).
>
> Does anybody have an idea how I can solve this problem? Shall I
> offer you more technical information? Do you have further tests to
> suggest?

Looks to me like an EDNS problem. At least some part of the .be zone is DNSSEC signed and the replies get bigger than 512 bytes, as with "dig x.dns.be A +dnssec". Bind has a feature to reduce the EDNS size in case of trouble; not sure if Unbound does the same.

What you should check:

- Do the troublesome domains/names resolve with unbound if you use checking disabled (+cdflag)?
- Do you have any firewall device in front of your resolvers, maybe some Cisco inspecting DNS traffic?
- Have you disabled Unbound TCP?

For some hints on the problem have a look here:
https://www.dns-oarc.net/oarc/services/replysizetest

Regards
Andreas
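To turn the checks above into something repeatable, here is an added probe (my own example, not from this thread or from the Unbound project) that sends the same query a resolver would, with the CD bit set and a chosen EDNS0 UDP payload size, and reports RCODE, TC and AD from the reply. It uses only the Python 3 standard library; server and name are whatever you pass in.

```python
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a dotted name; the root label terminates it."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, cd=True, edns_size=4096, do_bit=True):
    """Like 'dig +dnssec +cdflag +bufsize=<edns_size> <name>': RD (and CD) set,
    plus one OPT pseudo-record advertising the UDP payload size we accept."""
    txid = struct.unpack(">H", os.urandom(2))[0]
    flags = 0x0100 | (0x0010 if cd else 0)                  # RD | CD
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = payload size, TTL carries the DO flag (0x8000)
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def parse_response(data):
    """Extract the bits that matter for a SERVFAIL/EDNS diagnosis."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "tc": bool(flags & 0x0200),   # truncated: answer exceeded the size we advertised
        "ad": bool(flags & 0x0020),   # authenticated data (validated by the resolver)
        "answers": an,
        "size": len(data),
    }

def probe(server, name, sizes=(512, 1232, 4096), timeout=3.0):
    """Ask one server with several EDNS sizes. Replies at 512 (possibly TC=1) but
    timeouts at 4096 point to a path that drops large or fragmented UDP."""
    results = []
    for size in sizes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns_size=size), (server, 53))
            try:
                r = parse_response(s.recv(65535))
            except socket.timeout:
                r = {"rcode": "TIMEOUT"}
        r["edns_size"] = size
        results.append(r)
    return results
```

Run it once against your resolver and once against an authoritative server for the failing zone (for example `probe("ns1.register.be", "leonidas.be")`); a TC=1 answer at 512 means the response must complete over TCP, so a blocked TCP/53 or a firewall rewriting EDNS would explain the SERVFAILs.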