Maintained by: NLnet Labs

[Unbound-users] Problem to resolve domains from a certain registrar

Leo Bush
Wed Aug 24 16:24:28 CEST 2011


On 24/08/2011 13:47, Lst_hoe02 at kwsoft.de wrote:
 >
 > Looks to me like an EDNS problem. At least some part of the .be zone is
 > DNSSEC signed and the replies get bigger than 512 bytes, like with "dig
 > x.dns.be A +dnssec". BIND has a feature to reduce the EDNS size in case
 > of trouble, not sure if Unbound does the same. What you should check:
 > - Do the trouble domains/names resolve with Unbound if you use
 > checking disabled (+cdflag)?
 > - Do you have any firewall device in front of your resolvers, maybe
 > some Cisco inspecting DNS traffic?
 > - Have you disabled Unbound TCP?
 >
 > For some hints on the problem have a look here:
 > https://www.dns-oarc.net/oarc/services/replysizetest
 >
 > Regards
 >
 > Andreas

Hi,

Thank you for helping my case. Here are my answers.
- I have no firewall or other device inspecting the traffic in front of 
the box, only packet filtering with iptables.
- In the config file I have:
         # Enable TCP, "yes" or "no".
         # do-tcp: yes
         # edns-buffer-size: 4096
   So I assume that by default TCP is enabled.


Following your suggestions I tried

(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27603
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leoS.leonidas.be.              IN      A

;; Query time: 14 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:38 2011
;; MSG SIZE  rcvd: 34



(initial settings)
# dig leos.leonidas.be @resolv1 +cdflag +tcp

; <<>> DiG 9.3.4-P1 <<>> leos.leonidas.be @resolv1 +cdflag +tcp
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27736
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; Query time: 9 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:35:53 2011
;; MSG SIZE  rcvd: 34



(initial settings)
# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35701
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.               IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59   IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN  CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "194.154.192.101 sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 12:38:52 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS     ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136

;; Query time: 5972 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 14:38:52 2011
;; MSG SIZE  rcvd: 307



Then I changed the following two settings:
     do-tcp: yes
     edns-buffer-size: 512

I restarted the Unbound daemon. I immediately found the following
messages in the log:
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: mem error generating DNSKEY request
Aug 24 15:28:57 resolv5 unbound: [10817:1] error: Could not generate request: out of memory

I repeated my tests from before:

# dig @resolv1 leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

1 minute later

# dig @resolv1 leos.leonidas.be +nodnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +nodnssec
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65189
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       3600    IN      A       81.246.74.153

;; Query time: 56 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:46:49 2011
;; MSG SIZE  rcvd: 50



# dig @resolv1  leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2834    IN      A       81.246.74.153

;; Query time: 5 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:35 2011
;; MSG SIZE  rcvd: 50



# dig @resolv1  leos.leonidas.be +dnssec

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be +dnssec
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; ANSWER SECTION:
leos.leonidas.be.       2825    IN      A       81.246.74.153

;; Query time: 16 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 15:59:44 2011
;; MSG SIZE  rcvd: 61



# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached



As in the meantime my Cacti monitoring signalled lots of dropped
packets, and as the server's reaction seemed slower to me (a
subjective feeling), I put back the initial settings.

# dig @resolv1  leos.leonidas.be

; <<>> DiG 9.3.4-P1 <<>> @resolv1 leos.leonidas.be
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51586
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;leos.leonidas.be.              IN      A

;; Query time: 10 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:06:58 2011
;; MSG SIZE  rcvd: 34


# dig @resolv1  rs.dns-oarc.net txt

; <<>> DiG 9.3.4-P1 <<>> @resolv1 rs.dns-oarc.net txt
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9723
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;rs.dns-oarc.net.               IN      TXT

;; ANSWER SECTION:
rs.dns-oarc.net.        60      IN      CNAME   rst.x3827.rs.dns-oarc.net.
rst.x3827.rs.dns-oarc.net. 59   IN      CNAME   rst.x3837.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net. 58 IN  CNAME   rst.x3843.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "xxxxx sent EDNS buffer size 4096"
rst.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN TXT "Tested at 2011-08-24 14:07:15 UTC"

;; AUTHORITY SECTION:
x3843.x3837.x3827.rs.dns-oarc.net. 57 IN NS     ns00.x3843.x3837.x3827.rs.dns-oarc.net.

;; ADDITIONAL SECTION:
ns00.x3843.x3837.x3827.rs.dns-oarc.net. 57 IN A 149.20.58.136

;; Query time: 1073 msec
;; SERVER: xxxxx#53(xxxxx)
;; WHEN: Wed Aug 24 16:07:15 2011
;; MSG SIZE  rcvd: 307



kind regards

Leo Bush
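The thread turns on what EDNS0 puts on the wire: the OPT pseudo-record that carries the UDP buffer size (Unbound's edns-buffer-size, dig's "udp: 512") and the DO bit, the CD flag that +cdflag sets, and the SERVFAIL rcode in the 34-byte replies above. The following Python is an added example, not code from the post, from Unbound or from dig. It builds queries and replies with a minimal DNS wire-format encoder, then parses reply headers the way dig's output summarises them. The three replies it constructs are modelled on the post's dig outputs (same names, ids, TTLs and address) and come out at the same sizes dig reported (34, 50 and 61 bytes); the `diagnose` helper and its wording are the example's own, mapping each header onto the checks Andreas proposed.

```python
import struct

# Added example (not from the thread): minimal DNS wire format with an EDNS0
# OPT record, so the header fields dig prints can be inspected directly.

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000        # DNSSEC OK bit inside the OPT record's TTL field
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_size, do):
    """OPT RR: root name, type 41, CLASS = UDP payload size, TTL = flags."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)


def build_query(name, txid=0x1234, edns_size=None, do=False, cd=False):
    """A query; edns_size fills the OPT record, cd sets the CD flag (+cdflag)."""
    flags = 0x0100 | (0x0010 if cd else 0)               # RD [, CD]
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if edns_size is not None:
        msg += opt_record(edns_size, do)
    return msg


def build_response(name, txid, rcode, cd=False, a_records=(), ttl=3600,
                   edns_size=None, do=False):
    """Constructed reply with QR RD RA set, optional A answers and OPT record."""
    flags = 0x8180 | (0x0010 if cd else 0) | (rcode & 0xF)
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in a_records:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes(int(o) for o in ip.split("."))
    if edns_size is not None:
        msg += opt_record(edns_size, do)
    return msg


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return the header fields dig prints plus the EDNS values, if present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answer": an, "authority": ns,
            "additional": ar, "edns_udp_size": None, "do": False}
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                        # dig's "OPT PSEUDOSECTION"
            info["edns_udp_size"] = rclass
            info["do"] = bool(rttl & DO_BIT)
    return info


def diagnose(info):
    """Map the parsed header onto the checks suggested in the thread (example's own wording)."""
    if info["rcode"] == "SERVFAIL":
        if info["cd"]:
            return "SERVFAIL with CD set: not a validation failure, check the EDNS/UDP path"
        return "SERVFAIL: retry with +cdflag to separate lookup from validation"
    if info["tc"]:
        return "truncated: retry over TCP (needs do-tcp: yes)"
    if info["edns_udp_size"] is None:
        return "plain DNS reply, no OPT record"
    return "EDNS reply, udp payload %d, DO=%s" % (info["edns_udp_size"], info["do"])


# Constructed replies shaped like three of the dig outputs in the post.
SERVFAIL_REPLY = build_response("leos.leonidas.be", 27603, 2, cd=True)
PLAIN_REPLY = build_response("leos.leonidas.be", 8193, 0,
                             a_records=["81.246.74.153"], ttl=2834)
EDNS_REPLY = build_response("leos.leonidas.be", 26318, 0,
                            a_records=["81.246.74.153"], ttl=2825,
                            edns_size=512, do=True)

if __name__ == "__main__":
    for reply in (SERVFAIL_REPLY, PLAIN_REPLY, EDNS_REPLY):
        info = parse_response(reply)
        print(len(reply), "bytes:", info["rcode"], "->", diagnose(info))
```

Running the block prints the three constructed replies with their sizes, rcode and the diagnosis. A query built with `build_query("leos.leonidas.be", edns_size=4096, do=True)` is 45 bytes, of which the last 11 are the OPT record; lowering edns-buffer-size only changes the 16-bit CLASS field of that record, which is why the +dnssec reply in the post shows "udp: 512" but is otherwise identical to the plain one apart from the extra 11 bytes.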