Maintained by: NLnet Labs

[Unbound-users] dnssec stripping not resulting in serv fail?

Paul Wouters
Mon Jan 10 14:26:15 CET 2011
On Mon, 10 Jan 2011, W.C.A. Wijngaards wrote:

> What was the query that servfailed?

There was nothing that servfailed, that was the point.

>  I can see in the logs that it is
> retrying xelerance.org queries (for A, AAAA and type RRSIG).  Because
> type RRSIG cannot be validated, you may have received a reply for that one.

Yes, I digged specifically for xelerance.org

> Could it be that your (Mac?) tried to fail over to another DNS server

No. It was Fedora Linux; resolv.conf was not used at all.

> even though you did not want that?  What you say about resolv.conf makes
> this unlikely, and you did a straight dig @127.0.0.1, I guess.

Yes.

>> I always restarted unbound fully.
>
> Good to know.
>
>> I did capture the logs, mailed to you offlist.
>
> Thanks!
>
> Did you notice these lines:
> remote control failed ssl crypto error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> Looks like some garbage connection to the unbound-control port.

I might have made some unbound-control command errors. I don't remember.

> It looks like you have a downstream validator, and this unbound does not
> have a lot of trust anchors?

It just had the root key.

> It has trust anchors, right?  I can see
> you editing trust anchor config earlier in the logs.

Yes, I had some syntax errors before I finally had the syntax right :)
>  The downstream
> validator seems to make DNSKEY and RRSIG queries.  And I see a lot of
> retries (due to DNSSEC failures?).

I guess?

> These logs are confusing, I see they are log level 4 or 5 or so, but
> they are missing stuff (such as the configured trust anchors printout at
> start).

I grepped for "unbound". I'll check the logs and see if some lines do not
contain that string.

Paul