Package: unbound
Version: 1.4.17-2
Severity: normal

If there is no internet access when unbound is started (which there isn't on my server immediately after a reboot), then unbound logs:

Feb 1 18:19:23 alphonse unbound-anchor: /var/lib/unbound/root.key has content
Feb 1 18:19:23 alphonse unbound-anchor: fail: the anchor is NOT ok and could not be fixed
Feb 1 18:19:23 alphonse unbound: [8860:0] notice: init module 0: validator
Feb 1 18:19:23 alphonse unbound: [8860:0] notice: init module 1: iterator
Feb 1 18:19:23 alphonse unbound: [8860:0] info: start of service (unbound 1.4.17).
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

Every query returns SERVFAIL even after internet access appears and even for queries which are forwarded to a local server. Unbound has to be restarted after internet access appears before it will work.

This is a significant problem as if there is no internet access when unbound is started then there is no DNS at all for the local network until internet access can be restored.

Thanks,
Roger

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages unbound depends on:
ii  adduser         3.113+nmu3
ii  libc6           2.13-37
ii  libevent-2.0-5  2.0.19-stable-3
ii  libgcc1         1:4.7.2-5
ii  libldns1        1.6.13-1
ii  libpython2.7    2.7.3-6
ii  libssl1.0.0     1.0.1c-4
ii  openssl         1.0.1c-4
ii  unbound-anchor  1.4.17-2

unbound recommends no packages.

unbound suggests no packages.

-- Configuration Files:
/etc/unbound/unbound.conf changed:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1

    # print statistics to the log (for every thread) every N seconds.
    # Set to "" or 0 to disable. Default is disabled.
    statistics-interval: 86400

    # print one line with time, IP, name, type, class for every query.
    # log-queries: yes

    # specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # specify every interface[@port] on a new 'interface:' labelled line.
    # The listen interfaces are not changed on reload, only on restart.
    # interface: 2001:DB8::5
    interface: 127.0.0.1
    interface: 192.168.10.1
    interface: 192.168.11.1

    # specify the interfaces to send outgoing queries to authoritative
    # server from by ip-address. If none, the default (all) interface
    # is used. Specify every interface on a 'outgoing-interface:' line.
    # outgoing-interface: 192.0.2.153
    # outgoing-interface: 2001:DB8::5

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    cache-min-ttl: 60

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 172800

    # control which clients are allowed to make (recursive) queries
    # to this server. Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    # Choose deny (drop message), refuse (polite error reply),
    # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/23 allow

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    # use-caps-for-id: no

    # Enforce privacy of these addresses. Strips them away from answers.
    # It may cause DNSSEC validation to additionally mark it as bogus.
    # Protects against 'DNS Rebinding' (uses browser as network proxy).
    # Only 'private-domain' and 'local-data' names are allowed to have
    # these private addresses. No default.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: 217.169.26.192/29
    private-address: 217.169.0.202

    # Allow the domain (and its subdomains) to contain private addresses.
    # local-data statements are allowed to contain private addresses too.
    # private-domain: "example.com"
    private-domain: "mydomain.co.uk"

    # If nonzero, unwanted replies are not only reported in statistics,
    # but also a running total is kept per thread. If it reaches the
    # threshold, a warning is printed and a defensive action is taken,
    # the cache is cleared to flush potential poison out of it.
    # A suggested value is 10000000, the default is 0 (turned off).
    unwanted-reply-threshold: 1000000

    # Do not query the following addresses. No DNS queries are sent there.
    # List one address per entry. List classless netblocks with /size,
    # do-not-query-address: 127.0.0.1/8
    # do-not-query-address: ::1
    do-not-query-address: 192.168.0.0/16

    # if yes, the above default do-not-query-address entries are present.
    # if no, localhost can be queried (for testing and debugging).
    do-not-query-localhost: no

    # if yes, perform prefetching of almost expired message cache entries.
    # prefetch: no

    # if yes, perform key lookups adjacent to normal lookups.
    prefetch-key: yes

    local-zone: "168.192.in-addr.arpa" nodefault

    # You can redirect a domain to a fixed address with
    # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
    # local-zone: "example.com" redirect
    # local-data: "example.com A 192.0.2.3"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"

    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.

forward-zone:
    name: "mydomain.co.uk"
    forward-addr: 127.0.0.1@54

forward-zone:
    name: "168.192.in-addr.arpa"
    forward-addr: 127.0.0.1@54

-- no debconf information
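
Added example (not part of the original report, and not code from the unbound project): a small Python check that reads syslog lines like those quoted above and reports whether the most recently started unbound process logged trust-anchor priming failures, the state in which the report says every query returns SERVFAIL until a restart. The sample log is constructed from the report's lines; the function and field names are hypothetical.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the report.
SAMPLE_LOG = """\
Feb 1 18:19:23 alphonse unbound-anchor: /var/lib/unbound/root.key has content
Feb 1 18:19:23 alphonse unbound-anchor: fail: the anchor is NOT ok and could not be fixed
Feb 1 18:19:23 alphonse unbound: [8860:0] info: start of service (unbound 1.4.17).
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
Feb 1 18:19:25 alphonse unbound: [8860:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
"""

# timestamp, host, program, optional "[pid:thread]" prefix, message
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ (?P<prog>[\w-]+): "
    r"(?:\[(?P<pid>\d+):\d+\] )?(?P<msg>.*)$"
)
ANCHOR_FAIL = "the anchor is NOT ok"
START = "start of service"
PRIME_FAIL = "failed to prime trust anchor"


def analyze(log_text):
    """Return a record for the most recently started unbound process, or None."""
    anchor_failed = False   # unbound-anchor failed since the previous start
    current = None          # state of the latest "start of service"
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "unbound-anchor" and ANCHOR_FAIL in msg:
            anchor_failed = True
        elif prog == "unbound" and START in msg:
            current = {"pid": pid, "started": m["ts"], "prime_failures": 0,
                       "anchor_failed_before_start": anchor_failed}
            anchor_failed = False
        elif (prog == "unbound" and PRIME_FAIL in msg
              and current and pid == current["pid"]):
            current["prime_failures"] += 1
    if current:
        # Heuristic from the report: a process that failed priming stays
        # broken until restarted, so any failure marks it for a restart.
        current["needs_restart"] = current["prime_failures"] > 0
    return current


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A later "start of service" line from a new pid with no priming failures clears the flag, which matches the restart workaround described in the report.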