-
-
Notifications
You must be signed in to change notification settings - Fork 357
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to resolve .eu TLD #1044
Comments
From looking at the logs, it seems that the issue is that Unbound is configured to DNSSEC validate. The .eu DNSKEY is too large to fit in a UDP response. UDP responses work fine, but the TCP response fails with a timeout. This happens again and again, until you give up. Perhaps the firewall is set to allow UDP but not TCP traffic? TCP traffic does not get answers, and this is why the resolution fails, it works but the DNSSEC verification fails to fetch the .eu DNSKEY RRset because it is large and needs to use TCP for transport, and TCP traffic fails with timeout. Unbound tries several of the upstream forwarders that are configured. |
Well, disabling DNSSEC validation per this page in the docs does in fact make it work again. I also tried disabling all rules in iptables and the firewall on my modem, neither seemed to matter. I also have no trouble setting up any other TCP connections, and it seems to be relatively recent development (it started around the beginning of this week). Do you know if there's a reliable way to test if this is a firewall issue of some kind? |
Supposedly when Unbound makes a TCP connection, this is very similar to performing a |
|
If it works like that then why can Unbound not do it? It is really doing the same thing; unless you use configuration options like outgoing-interface, or socket options, or TLS settings. |
Are there any updates on this? I am also having this issue under NixOS 24.05 |
Any updates? Same here in a docker container. |
Perhaps the dig that was tried did not attempt to fetch the large response, the .eu DNSKEY query. And that is why it succeeded, instead of failed. I guess it is the tcp configuration that fails, it would explain the issue. With log-servfail or val-log-level: 2 it could be shown that it is the dnskey lookup that fails. Or what fails is the UDP large response, and without any TCP indication from upstream unbound does not try tcp either, even if that would work. And then the .eu DNSKEY lookup is the issue, from UDP size. If the |
@wcawijngaards I'm willing to test/troubleshoot stuff, but I'm not smart enough to figure out the steps I can take by myself. Do you have any suggestions? Something that can rule out certain things, for example? |
Note that eu has a problem with DNSSEC. See https://dnssec-analyzer.verisignlabs.com/xn--qxa6a and https://dnsviz.net/d/xn--qxa6a/dnssec/ |
Describe the bug
Unbound is unable to resolve domains for the .eu TLD. The dig command fails with timeouts. It works fine for other TLDs but not for any .eu-domain that I tested.
To reproduce
Steps to reproduce the behavior:
Expected behavior
A proper result instead of a timeout.
System:
unbound -V
output:Additional information
I'm running on a Raspberry Pi. This is the command output when testing:
This was the log produced:
unbound.log
Relevant config files (uploaded as .txt because github doesn't like .conf):
unbound.conf.txt
pi-hole.conf.txt
resolvconf_resolvers.conf.txt
remote-control.conf.txt
root-auto-trust-anchor-file.conf.txt
The text was updated successfully, but these errors were encountered: