Cannot resolve the MX for bk.bund.de using unbound

I cannot see why this doesn't work here on mail.charite.de or
mail2.charite.de:

root@mail2:~# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59991
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 12 21:52:22 2012
;; MSG SIZE rcvd: 28

SERVFAIL? But why?

# netstat -tulpen |grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 0 8509391 10826/unbound
tcp6 0 0 ::1:53 :::* LISTEN 0 8509389 10826/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 0 8509390 10826/unbound
udp6 0 0 ::1:53 :::* 0 8509388 10826/unbound

# ps auxwww|grep unbound
unbound 10826 0.1 0.6 65516 18856 ? Ss 20:34 0:07 /usr/sbin/unbound

ii libunbound2 1.4.16-1 library implementing DNS resolution and validation
ii unbound 1.4.16-1 validating, recursive, caching DNS resolver
ii unbound-anchor 1.4.16-1 utility to securely fetch the root DNS trust anchor
       
# lsb_release -a
No LSB modules are available.
Distributor ID:Ubuntu
Description:Ubuntu 12.04.1 LTS
Release:12.04
Codename:precise

Quote from Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:

I cannot see why this doesn't work here on mail.charite.de or
mail2.charite.de:

root@mail2:~# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59991
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 12 21:52:22 2012
;; MSG SIZE rcvd: 28

SERVFAIL? But why?

Good question, works fine here :wink:

; <<>> DiG 9.7.0-P1 <<>> @127.0.0.1 bk.bund.de MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2611
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; ANSWER SECTION:
bk.bund.de. 21251 IN MX 10 mx1.bund.de.
bk.bund.de. 21251 IN MX 10 mx2.bund.de.

;; AUTHORITY SECTION:
bund.de. 17030 IN NS bamberg.bund.de.
bund.de. 17030 IN NS xenon.bund.de.
bund.de. 17030 IN NS argon.bund.de.
bund.de. 17030 IN NS dns-1.dfn.de.
bund.de. 17030 IN NS nuernberg.bund.de.

;; ADDITIONAL SECTION:
mx1.bund.de. 551 IN A 77.87.224.163
mx2.bund.de. 551 IN A 77.87.228.110
argon.bund.de. 17030 IN A 77.87.224.18
xenon.bund.de. 17030 IN A 77.87.224.71
bamberg.bund.de. 17030 IN A 77.87.228.36
nuernberg.bund.de. 17030 IN A 77.87.228.37

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 12 23:04:29 2012
;; MSG SIZE rcvd: 274

Maybe a reply size/EDNS problem? What does "dig +short rs.dns-oarc.net txt" tell you?

Regards

Andreas

It looks like their RRSIGs got resigned today, so perhaps there were
expired or not-yet valid RRSIGs? Or a botched key rollover?

It seems to work fine now.

Paul

>Good question, works fine here :wink:

It looks like their RRSIGs got resigned today, so perhaps there were
expired or not-yet valid RRSIGs? Or a botched key rollover?

It seems to work fine now.

I'm still having problems:

root@mail2:~# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 13 10:12:01 2012
;; MSG SIZE rcvd: 28

How can I debug this further?

Hi Ralf,

Good question, works fine here :wink:

It looks like their RRSIGs got resigned today, so perhaps there
were expired or not-yet valid RRSIGs? Or a botched key rollover?

It seems to work fine now.

I'm still having problems:

root@mail2:~# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 13 10:12:01 2012
;; MSG SIZE rcvd: 28

How can I debug this further?

If you do dnssec validation, set the val-log-level: 2 in unbound.conf.
Then it prints detailed errors about what goes wrong (and reload or
restart unbound).

You can get diagnostics out of unbound-control. With lookup bund.de
and dump_infra | grep <ip of bund.de nameservers that you saw in lookup>

If it still fails, increase the verbosity level to gain more information.

Best regards,
   Wouter
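
Paul's guess (expired or not-yet-valid RRSIGs) and Wouter's advice (val-log-level: 2 reports exactly that kind of failure) both come down to the signature validity window a validator checks. The following is an added example, not code from the thread or from unbound: it decodes RRSIG RDATA and classifies it against a given time with RFC 1982 serial arithmetic, as RFC 4034/4035 require, with an optional clock-skew tolerance like the one resolvers apply. The sample RRSIG (key tag, validity window, zero-filled signature) is constructed for illustration and is not the real bund.de data; Ralf's first query time is taken as UTC.

```python
import calendar
import struct
import time

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset

def parse_rrsig_rdata(rdata):
    """Decode the RRSIG RDATA fields (RFC 4034 section 3.1)."""
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = struct.unpack("!HBBIIIH", rdata[:18])
    signer, sig_start = decode_name(rdata, 18)
    return {
        "type_covered": type_covered, "algorithm": algorithm, "labels": labels,
        "original_ttl": original_ttl, "expiration": expiration,
        "inception": inception, "key_tag": key_tag, "signer": signer,
        "signature": rdata[sig_start:],
    }

def serial_lt(a, b):
    """RFC 1982 'less than' on 32-bit serial numbers (RRSIG times wrap in 2106)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31)

def rrsig_status(rdata, now, skew=0):
    """Classify an RRSIG relative to 'now' (seconds since the epoch).
    'skew' widens the window on both sides, the way a validator's
    clock-skew tolerance does; skew=0 is the strict RFC 4035 check."""
    sig = parse_rrsig_rdata(rdata)
    if serial_lt(now + skew, sig["inception"]):
        return "not yet valid"
    if serial_lt(sig["expiration"], now - skew):
        return "expired"
    return "valid"

def ymd(ts):
    """Render a timestamp the way dig prints RRSIG times: YYYYMMDDHHMMSS."""
    return time.strftime("%Y%m%d%H%M%S", time.gmtime(ts))

# Constructed sample RRSIG RDATA: covers MX (type 15), algorithm 8, 3 labels,
# original TTL 21600, a one-week validity window, assumed key tag 12345,
# signer bund.de and a dummy all-zero signature. Not the real zone's values.
INCEPTION = calendar.timegm((2012, 12, 5, 0, 0, 0))
EXPIRATION = calendar.timegm((2012, 12, 12, 0, 0, 0))
SAMPLE_RRSIG = (struct.pack("!HBBIIIH", 15, 8, 3, 21600, EXPIRATION, INCEPTION, 12345)
                + encode_name("bund.de") + b"\x00" * 32)

# Time of the first failing query in the thread (Wed Dec 12 21:52:22 2012, taken as UTC).
FIRST_QUERY = calendar.timegm((2012, 12, 12, 21, 52, 22))

if __name__ == "__main__":
    sig = parse_rrsig_rdata(SAMPLE_RRSIG)
    print(f"RRSIG by {sig['signer']} valid {ymd(sig['inception'])} .. {ymd(sig['expiration'])}")
    print("at first query :", rrsig_status(SAMPLE_RRSIG, FIRST_QUERY))
    print("with 24h skew  :", rrsig_status(SAMPLE_RRSIG, FIRST_QUERY, skew=86400))
```

With the constructed window the query time falls after the expiration, so a strict validator answers SERVFAIL even though the MX data itself is fine; that is the situation val-log-level: 2 would name explicitly in the log, and a resigning by the zone operator (what Paul observed) makes it disappear without any change on the resolver.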

If you do dnssec validation, set the val-log-level: 2 in unbound.conf.
Then it prints detailed errors about what goes wrong (and reload or
restart unbound).

Excellent. For the time being I disabled dnssec validation and I get:
# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13543
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 8

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; ANSWER SECTION:
bk.bund.de. 12583 IN MX 10 mx2.bund.de.
bk.bund.de. 12583 IN MX 10 mx1.bund.de.
...

You can get diagnostics out of unbound-control. With lookup bund.de
and dump_infra | grep <ip of bund.de nameservers that you saw in lookup>

If it still fails, increase the verbosity level to gain more information.

I'll play around a bit now.

Quote from Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:

If you do dnssec validation, set the val-log-level: 2 in unbound.conf.
Then it prints detailed errors about what goes wrong (and reload or
restart unbound).

Excellent. For the time being I disabled dnssec validation and I get:
# dig @127.0.0.1 -t mx bk.bund.de

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 -t mx bk.bund.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13543
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 8

;; QUESTION SECTION:
;bk.bund.de. IN MX

;; ANSWER SECTION:
bk.bund.de. 12583 IN MX 10 mx2.bund.de.
bk.bund.de. 12583 IN MX 10 mx1.bund.de.
...

As said, have a look whether you have problems with DNS reply sizes >512 bytes. The DNSSEC-enabled answer for bk.bund.de is ~2000 bytes, which might get you in trouble with firewalls and other "smart" traffic filters.

Regards

Andreas