Bug 1560223
| Summary: | Regression: unbound unable to resolve when new WLAN connection is made | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dimitris <dimitris.on.linux> | ||||||||
| Component: | unbound | Assignee: | Paul Wouters <pwouters> | ||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 27 | CC: | bjorn, cra, dimitris.on.linux, dominik, fedora, mrunge, pemensik, pj.pandit, pwouters, theo148 | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2018-06-11 17:40:47 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Dimitris
2018-03-25 00:38:12 UTC
please as a workaround, try setting aggressive-nsec: no in unbound.conf I get this with dnssec-trigger: Mar 26 01:00:16 gauge unbound-checkconf[1335]: unbound-checkconf: no errors in /etc/unbound/unbound.conf Mar 26 01:00:16 gauge unbound-anchor[1351]: [1522040416] libunbound[1351:0] error: can't bind socket: Permission denied for 0.0.0.0 Mar 26 01:00:16 gauge audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=unbound comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Mar 26 01:00:16 gauge unbound[1372]: [1372:0] notice: init module 0: ipsecmod Mar 26 01:00:16 gauge unbound[1372]: [1372:0] notice: init module 1: validator Mar 26 01:00:16 gauge unbound[1372]: [1372:0] notice: init module 2: iterator Mar 26 01:00:16 gauge unbound[1372]: [1372:0] info: start of service (unbound 1.7.0). Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master k.root-servers.net Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master g.root-servers.net Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master f.root-servers.net Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master e.root-servers.net Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master c.root-servers.net Mar 26 01:00:16 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master b.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master k.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master g.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master f.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master e.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master c.root-servers.net Mar 26 01:00:19 gauge unbound[1372]: [1372:0] error: .: failed lookup, cannot probe to master b.root-servers.net Mar 26 01:00:25 gauge unbound[1372]: [1372:1] info: generate keytag query _ta-4a5c-4f66. NULL IN Mar 26 01:00:39 gauge unbound[1372]: [1372:1] info: generate keytag query _ta-4a5c-4f66. NULL IN Tried aggressive-nsec: no, didn't help. Same steps as description. Note for anyone trying this, save your old unbound.conf, as after distro-sync back to 1.6.8, unbound won't start due to encountering unknown stanzas in the config file that were introduced by 1.7. I'm attaching my 1.7 and 1.6.8 config files. Created attachment 1412968 [details]
unbound.conf under 1.6.8
Created attachment 1412969 [details]
unbound.conf under 1.7.0
FWIW, also running dnssec-triggerd here, and seeing the same as Charles: Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master k.root-servers.net Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master g.root-servers.net Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master f.root-servers.net Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master e.root-servers.net Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master c.root-servers.net Mar 25 22:33:46 vimes unbound[1318]: [1318:0] error: .: failed lookup, cannot probe to master b.root-servers.net Given that the failures above are for exactly the same zones as listed in the 1.7.0 config as auth-zones, this seems to be the cause of the problem: +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). The first example +# has a copy of the root for local usage. The second serves example.org +# authoritatively. zonefile: reads from file (and writes to it if you also +# download it), master: fetches with AXFR and IXFR, or url to zonefile. +auth-zone: + name: "." + for-downstream: no + for-upstream: yes + fallback-enabled: yes + master: b.root-servers.net + master: c.root-servers.net + master: e.root-servers.net + master: f.root-servers.net + master: g.root-servers.net + master: k.root-servers.net +# auth-zone: +# name: "example.org" +# for-downstream: yes +# for-upstream: yes +# zonefile: "example.org.zone" I confirmed that after commenting out the auth-zone: configuration that name resolution once again works. This is with aggressive-nsec: yes. I have a theory why it works for some people--maybe some people are using unbound as a forwarder to their ISP or router's DNS server, but with dnssec-trigger it is making direct DNS queries starting with the root-servers. Created attachment 1413755 [details]
unbound.conf under 1.7.0 with aggressive-nsec: yes and auth-zone: removed
Working unbound.conf under 1.7.0 with aggressive-nsec: yes and auth-zone: removed.
(In reply to Charles R. Anderson from comment #8) > I confirmed that after commenting out the auth-zone: configuration that name > resolution once again works. This is with aggressive-nsec: yes. I can confirm this behavior. When the "auth-zone:" part is commented out, name resolution works fine. With it being present in the config file (i.e. not commented out) it breaks. (In reply to Charles R. Anderson from comment #8) > I have a theory why it works for some people--maybe some people are using > unbound as a forwarder to their ISP or router's DNS server, but with > dnssec-trigger it is making direct DNS queries starting with the > root-servers. Is there an easy command you could provide to check this theory? According to Gnome-control-center, my DNS server is running at an address in the 192.168.0.0/16 range. $ nmcli […] DNS configuration: servers: 192.168.178.1 domains: fritz.box interface: wlp3s0 servers: fd00::eadf:70ff:fe4b:a52a interface: wlp3s0 […] 1.7.0-4.fc27 seems to fix this for me. Using default config installed by `dnf upgrade`. (In reply to Dimitris from comment #11) > 1.7.0-4.fc27 seems to fix this for me. Using default config installed by > `dnf upgrade`. +1, works for me too. |