On Mon, 10 Jan 2011, W.C.A. Wijngaards wrote:

> What was the query that servfailed?

There was nothing that servfailed, that was the point.

> I can see in the logs that it is
> retrying xelerance.org queries (for A, AAAA and type RRSIG). Because
> type RRSIG cannot be validated, you may have received a reply for that one.

Yes, I digged specifically for xelerance.org

> Could it be that your (Mac?) tried to fail over to another DNS server

No. It was Fedora Linux, resolv.conf not used at all

> even though you did not want that? What you say about resolv.conf makes
> this unlikely, and you did a straight dig @127.0.0.1, I guess.

Yes.

>> I always restarted unbound fully.
>
> Good to know.
>
>> I did capture the logs, mailed to you offlist.
>
> Thanks!
>
> Did you notice these lines:
> remote control failed ssl crypto error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> Looks like some garbage connection to the unbound-control port.

I might have made some unbound-control command errors. I don't remember.

> It looks like you have a downstream validator, and this unbound does not
> have a lot of trust anchors?

It just had the root key.

> It has trust anchors, right? I can see
> you editing trust anchor config earlier in the logs.

Yes, I had some syntax errors before I finally had the syntax right :)

> The downstream
> validator seems to make DNSKEY and RRSIG queries. And I see a lot of
> retries (due to DNSSEC failures?).

I guess?

> These logs are confusing, I see they are log level 4 or 5 or so, but
> they are missing stuff (such as the configured trust anchors printout at
> start).

I grepped for "unbound". I'll check the logs and see if some lines do not contain that string.

Paul