Bug #12059
After about an hour DNSSEC lookups start to fail
Status: closed
Description
After a fresh restart of the server or just unbound, everything works great; in the log paste below I used idrive.com. After about an hour I start getting failed lookups and errors in the log, but only on some sites, which seem to be using DNSSEC. The only way to get everything working again is to reboot the firewall or the unbound service. This started happening when I upgraded to 2.5.1-RELEASE; everything was working great on the previous release and no config has changed since the upgrade.
This is after a restart, successful lookup.
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <com.> 192.35.51.30#53
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <com.> 192.35.51.30#53
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <com.> 192.35.51.30#53
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <com.> 192.12.94.30#53
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: query response was ANSWER
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: resolving idrive.com. DS IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <com.> 192.54.112.30#53
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: query response was REFERRAL
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: resolving ns-1858.awsdns-40.co.uk. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: resolving ns-1261.awsdns-29.org. A IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 13:21:08 MyGate unbound81148: [81148:1] info: reply from <idrive.com.> 205.251.194.106#53
This is after about an hour, failed lookup.
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: reply from <com.> 192.26.92.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: reply from <com.> 192.42.93.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: query response REC_LAME: recursive but not authoritative server
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: DS response was error, thus bogus
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: reply from <com.> 192.52.178.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: resolving idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: reply from <com.> 192.35.51.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: query response REC_LAME: recursive but not authoritative server
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: reply from <com.> 192.12.94.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: query response REC_LAME: recursive but not authoritative server
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: DS response was error, thus bogus
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: Could not establish a chain of trust to keys for idrive.com. DNSKEY IN
Thank you
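A triage sketch for logs like the two excerpts above, added here as an example and not part of the original report or of the pfSense or unbound projects. It keeps state per worker thread (the second number in the `[pid:thread]` field) because lines from different threads interleave, then reports which upstream servers were marked REC_LAME for each query and which names failed DNSSEC validation. The sample is abridged from the failed-lookup excerpt; the function and pattern names are this example's own.

```python
import re
from collections import defaultdict

# Abridged from the failed-lookup excerpt in the report (threads 0 and 1 interleave).
SAMPLE = """\
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: reply from <com.> 192.26.92.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: reply from <com.> 192.42.93.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: DS response was error, thus bogus
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: response for idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: reply from <com.> 192.52.178.30#53
Jun 17 11:14:35 MyGate unbound81148: [81148:0] info: resolving idrive.com. DS IN
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: mark as REC_LAME
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: DS response was error, thus bogus
Jun 17 11:14:35 MyGate unbound81148: [81148:1] info: Could not establish a chain of trust to keys for idrive.com. DNSKEY IN
"""

LINE = re.compile(r"unbound\S*: \[\d+:(?P<tid>\d+)\] info: (?P<msg>.*)$")
RESP = re.compile(r"response for (\S+) (\S+) IN")
REPLY = re.compile(r"reply from <[^>]*> ([0-9A-Fa-f.:]+)#\d+")
TRUST = re.compile(r"Could not establish a chain of trust to keys for (\S+)")

def triage(text):
    # Per-thread state: the query being answered and the server that replied.
    query, server = {}, {}
    lame, bogus, untrusted = defaultdict(set), defaultdict(int), set()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if r := RESP.match(msg):
            query[tid] = (r[1], r[2])          # (name, record type)
        elif r := REPLY.match(msg):
            server[tid] = r[1]                 # upstream IP for this thread
        elif msg.startswith("mark as REC_LAME") and tid in query and tid in server:
            lame[query[tid]].add(server[tid])
        elif msg.startswith("DS response was error, thus bogus") and tid in query:
            bogus[query[tid]] += 1
        elif r := TRUST.match(msg):
            untrusted.add(r[1])
    return dict(lame), dict(bogus), untrusted

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over a full resolver log, a name that appears in the third set only after the lame-server set for its DS query has grown is the pattern the failed-lookup excerpt shows.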
Updated by Jim Pingle about 4 years ago
- Status changed from New to Rejected
There isn't enough information to definitively identify this as a bug, and this site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.
See Reporting Issues with pfSense Software for more information.