On 02/02/13 20:07, Robert Edmonds wrote:
> Robert Edmonds wrote:
>> Roger Lynn wrote:
>> > Every query returns SERVFAIL even after internet access appears and even
>> > for queries which are forwarded to a local server. Unbound has to be
>> > restarted after internet access appears before it will work.
>> >
>> > This is a significant problem as if there is no internet access when
>> > unbound is started then there is no DNS at all for the local network
>> > until internet access can be restored.
>>
>> i agree, that's definitely an issue.  it looks like there might have
>> been some relevant fixes in unbound 1.4.19, do you think you could
>> install unbound 1.4.19-1 from unstable and see if it behaves any better?
>> i believe the dependencies are all the same, so you ought to be able to
>> just pin the unbound packages from unstable.
>
> by the way, i believe you can set the "domain-insecure" option on your
> local domains in order to prevent DNSSEC failures from impacting the
> resolution of those domains.

I've tested this again after adding 'domain-insecure: "mydomain.co.uk"' to
the configuration and upgrading to 1.4.17-3 from Testing. I still get the
following lines logged after starting with no internet access:

Feb 22 18:25:34 alphonse unbound-anchor: /var/lib/unbound/root.key has content
Feb 22 18:25:34 alphonse unbound-anchor: fail: the anchor is NOT ok and could not be fixed
Feb 22 18:25:35 alphonse unbound: [3910:0] notice: init module 0: validator
Feb 22 18:25:35 alphonse unbound: [3910:0] notice: init module 1: iterator
Feb 22 18:25:35 alphonse unbound: [3910:0] info: start of service (unbound 1.4.17).

But I no longer get the lines about "failed to prime trust anchor -- could
not fetch DNSKEY rrset . DNSKEY IN". Resolution of local domains now works,
presumably because of the addition of the "domain-insecure" option.

When an internet connection is established then all DNS requests work as
normal, without having to restart unbound, so this problem seems to have
gone away. I don't understand why, as the changelog suggests an unrelated
minor update.

As I am no longer able to reproduce the original problem I am happy for this
bug to be closed, unless you think there is a need for further investigation.

Thank you for your time,

Roger