Problem with NS editnew.net

Michael_MacNeill · June 10, 2014, 4:07pm

unbound is having issues with a particular domain and powerdns_recursor and bind both work fine.

Trying to lookup “bluebirdrvpark.ca”.

The authoritative hosts are “ns1.editnew.net” and “ns2.editnew.net”.

Unbound does not seem to like the answers it is getting from either of these name servers.
I’m not in control or contact with them.

I’ve tried unbound 1.4.21 on CentOS 6.5 and
unbound 1.4.22 on Ubuntu 14.04

dig @127.0.0.1 ns2.editnew.net

Jun 10 08:44:41 media2 unbound: [9321:0] info: start of service (unbound 1.4.22).
Jun 10 08:44:41 media2 unbound: [9321:1] info: 127.0.0.1 local. SOA IN
Jun 10 08:44:41 media2 unbound: [9321:1] info: resolving local. SOA IN
Jun 10 08:44:41 media2 unbound: [9321:1] info: priming . IN NS
Jun 10 08:44:42 media2 unbound: [9321:1] info: response for . NS IN
Jun 10 08:44:42 media2 unbound: [9321:1] info: reply from <.> 192.5.5.241#53
Jun 10 08:44:42 media2 unbound: [9321:1] info: query response was ANSWER
Jun 10 08:44:42 media2 unbound: [9321:1] info: priming successful for . NS IN
Jun 10 08:44:42 media2 unbound: [9321:1] info: response for local. SOA IN
Jun 10 08:44:42 media2 unbound: [9321:1] info: reply from <.> 193.0.14.129#53
Jun 10 08:44:42 media2 unbound: [9321:1] info: query response was NXDOMAIN ANSWER

Jun 10 08:44:52 media2 unbound: [9321:0] info: 127.0.0.1 ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: resolving ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: response for ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: reply from <.> 192.5.5.241#53
Jun 10 08:44:52 media2 unbound: [9321:0] info: query response was REFERRAL
Jun 10 08:44:52 media2 unbound: [9321:0] info: resolving net. DNSKEY IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: response for net. DNSKEY IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: reply from <net.> 192.35.51.30#53
Jun 10 08:44:52 media2 unbound: [9321:0] info: query response was ANSWER
Jun 10 08:44:52 media2 unbound: [9321:0] info: response for ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: reply from <net.> 192.54.112.30#53
Jun 10 08:44:52 media2 unbound: [9321:0] info: query response was REFERRAL
Jun 10 08:44:52 media2 unbound: [9321:0] info: resolving ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: resolving ns1.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: response for ns2.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: reply from <net.> 192.43.172.30#53
Jun 10 08:44:52 media2 unbound: [9321:0] info: query response was REFERRAL
Jun 10 08:44:52 media2 unbound: [9321:0] info: response for ns1.editnew.net. A IN
Jun 10 08:44:52 media2 unbound: [9321:0] info: reply from <net.> 192.42.93.30#53
Jun 10 08:44:52 media2 unbound: [9321:0] info: query response was REFERRAL
Jun 10 08:44:52 media2 unbound: [9321:0] info: resolving ns1.editnew.net. A IN
Jun 10 08:44:53 media2 unbound: [9321:0] info: response for ns1.editnew.net. A IN
Jun 10 08:44:53 media2 unbound: [9321:0] info: reply from <net.> 192.31.80.30#53
Jun 10 08:44:53 media2 unbound: [9321:0] info: query response was REFERRAL
Jun 10 08:44:53 media2 unbound: [9321:0] info: resolving ns2.editnew.net. A IN
Jun 10 08:44:53 media2 unbound: [9321:0] info: response for ns2.editnew.net. A IN
Jun 10 08:44:53 media2 unbound: [9321:0] info: reply from <net.> 192.33.14.30#53
Jun 10 08:44:53 media2 unbound: [9321:0] info: query response was REFERRAL

cat /etc/unbound/unbound.conf

server:
verbosity: 2
statistics-interval: 86400
statistics-cumulative: yes
extended-statistics: yes
num-threads: 2
interface: 0.0.0.0
interface: ::0
interface-automatic: yes
port: 53
outgoing-range: 4096
outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767
outgoing-num-tcp: 10
incoming-num-tcp: 10
so-rcvbuf: 8m
max-udp-size: 3072
msg-cache-size: 64m
msg-cache-slabs: 4
rrset-cache-size: 128m
rrset-cache-slabs: 4
infra-cache-slabs: 4
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 0.0.0.0/0 deny
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
chroot: “”
username: “unbound”
directory: “/etc/unbound”
use-syslog: yes
log-time-ascii: yes
log-queries: yes
pidfile: “/var/run/unbound.pid”
root-hints: “root.hints”
hide-identity: yes
hide-version: yes
harden-glue: no
harden-dnssec-stripped: no
harden-below-nxdomain: no
harden-referral-path: no
use-caps-for-id: no
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
unwanted-reply-threshold: 10000000
do-not-query-address: 127.0.0.1/8
do-not-query-address: ::1
do-not-query-localhost: yes
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
minimal-responses: yes

dlv-anchor-file: “/etc/unbound/dlv.isc.org.key”

trusted-keys-file: */etc/unbound/keys.d/**.key

auto-trust-anchor-file: “/var/lib/unbound/root.anchor”

val-clean-additional: yes
val-permissive-mode: yes
val-log-level: 2
key-cache-slabs: 4

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: “/etc/unbound/unbound_server.key”
server-cert-file: “/etc/unbound/unbound_server.pem”
control-key-file: “/etc/unbound/unbound_control.key”
control-cert-file: “/etc/unbound/unbound_control.pem”

wtoorop · June 11, 2014, 9:40am

Hi Michael,

I am not able to reproduce. I have used unbound on CentOS 6.5 with your
config, but with me ns2.editnew.net does resolve perfectly. Here is my
output for the same query

Jun 11 11:35:45 unbound: [-] info: start of service (unbound 1.4.21).
Jun 11 11:35:50 unbound: [-] info: 127.0.0.1 ns2.editnew.net. A IN
Jun 11 11:35:50 unbound: [-] info: resolving ns2.editnew.net. A IN
Jun 11 11:35:50 unbound: [-] info: priming . IN NS
Jun 11 11:35:50 unbound: [-] info: response for . NS IN
Jun 11 11:35:50 unbound: [-] info: reply from <.> 199.7.91.13#53
Jun 11 11:35:50 unbound: [-] info: query response was ANSWER
Jun 11 11:35:50 unbound: [-] info: priming successful for . NS IN
Jun 11 11:35:51 unbound: [-] info: response for ns2.editnew.net. A IN
Jun 11 11:35:51 unbound: [-] info: reply from <.> 192.36.148.17#53
Jun 11 11:35:51 unbound: [-] info: query response was REFERRAL
Jun 11 11:35:51 unbound: [-] info: resolving net. DNSKEY IN
Jun 11 11:35:51 unbound: [-] info: response for net. DNSKEY IN
Jun 11 11:35:51 unbound: [-] info: reply from <net.> 192.26.92.30#53
Jun 11 11:35:51 unbound: [-] info: query response was ANSWER
Jun 11 11:35:51 unbound: [-] info: response for ns2.editnew.net. A IN
Jun 11 11:35:51 unbound: [-] info: reply from <net.> 192.35.51.30#53
Jun 11 11:35:51 unbound: [-] info: query response was REFERRAL
Jun 11 11:35:51 unbound: [-] info: response for ns2.editnew.net. A IN
Jun 11 11:35:51 unbound: [-] info: reply from <editnew.net.>
192.254.140.103#53
Jun 11 11:35:51 unbound: [-] info: query response was ANSWER

Could you run unbound-host -d ns2.editnew.net and send us the output?
Thanks,

-- Willem

op 10-06-14 18:07, Michael MacNeill schreef:

Michael_MacNeill · June 11, 2014, 1:24pm

Thank you Willem, unbound-host was extremely useful in tracking down this problem.

my first test with it came up with the correct answer with no problem.
unbound-host -d ns2.editnew.net

I then figured out that I could use the same configuration as the daemon
unbound-host -C unbound.conf -d ns2.editnew.net

and it failed. so something in the config file.
comment and retry until success.
that is when I discovered my giant brain fart.

When I set dns server up I grabbed a full featured config from somewhere.

I'm not sure where I got it, but you can see it here:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143

it includes the lines:
     # Enforce privacy of these addresses. Strips them away from answers.
     # It may cause DNSSEC validation to additionally mark it as bogus.
     # Protects against 'DNS Rebinding' (uses browser as network proxy).
     # Only 'private-domain' and 'local-data' names are allowed to have
     # these private addresses. No default.
     # private-address: 10.0.0.0/8
     # private-address: 172.16.0.0/12
     # private-address: 192.168.0.0/16
     # private-address: 192.254.0.0/16
     # private-address: fd00::/8
     # private-address: fe80::/10

and I uncommented them all. Except that
* # private-address: 192.254.0.0/16**
***is not a private address space. and is in fact part of the address space used by ns2.editnew.net

so using private-address is an effective way to black hole an IP address range.

thanks for all the help.

MM

Leen_Besselink · June 11, 2014, 1:43pm

Thank you Willem, unbound-host was extremely useful in tracking down
this problem.

my first test with it came up with the correct answer with no problem.
  unbound-host -d ns2.editnew.net

I then figured out that I could use the same configuration as the daemon
  unbound-host -C unbound.conf -d ns2.editnew.net

and it failed. so something in the config file.
comment and retry until success.
that is when I discovered my giant brain fart.

When I set dns server up I grabbed a full featured config from somewhere.

I'm not sure where I got it, but you can see it here:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143

it includes the lines:
    # Enforce privacy of these addresses. Strips them away from answers.
    # It may cause DNSSEC validation to additionally mark it as bogus.
    # Protects against 'DNS Rebinding' (uses browser as network proxy).
    # Only 'private-domain' and 'local-data' names are allowed to have
    # these private addresses. No default.
    # private-address: 10.0.0.0/8
    # private-address: 172.16.0.0/12
    # private-address: 192.168.0.0/16
    # private-address: 192.254.0.0/16
    # private-address: fd00::/8
    # private-address: fe80::/10

and I uncommented them all. Except that
* # private-address: 192.254.0.0/16**
***is not a private address space. and is in fact part of the
address space used by ns2.editnew.net

That is pretty scary, blocking large parts of the Internet.

That should have been:
169.254.0.0/16

Which is the IPv4 link-local address range.

Over_Dexia · June 11, 2014, 6:09pm

This inspired me to play around with unbound-host a little.

When I used the following command line under Debian 7.4, unbound-host
version 1.4.17, I got an access violation:

unbound-host -v -4 -d -d -r -C /etc/unbound/unbound.conf xy

Thgougt you might be interested. I can trace and dig deeper into this,
if you can't reproduce it easily with this info.

regards, jo

Robert_Edmonds · June 11, 2014, 6:39pm

Over Dexia wrote:

>
> Thank you Willem, unbound-host was extremely useful in tracking down
> this problem.

This inspired me to play around with unbound-host a little.

When I used the following command line under Debian 7.4, unbound-host
version 1.4.17, I got an access violation:

unbound-host -v -4 -d -d -r -C /etc/unbound/unbound.conf xy

Thgougt you might be interested. I can trace and dig deeper into this,
if you can't reproduce it easily with this info.

On Debian, the default /etc/unbound/unbound.conf sets
auto-trust-anchor-file in order to do DNSSEC validation, so you probably
got an error message like:

    [...]
    [1402511733] libunbound[29960:0] error: could not open autotrust file for writing, /var/lib/unbound/root.key.29960-0: Permission denied
    [...]

Which is expected, since unprivileged users should not be able to write
to /var/lib/unbound. Probably the same config file should not be used
for both the system's unbound daemon and an unbound-host invocation.

Over_Dexia · June 12, 2014, 10:33am

Hello Robert,

On Debian, the default /etc/unbound/unbound.conf sets
auto-trust-anchor-file in order to do DNSSEC validation, so you probably
got an error message like:

    [...]
    [1402511733] libunbound[29960:0] error: could not open autotrust file for writing, /var/lib/unbound/root.key.29960-0: Permission denied
    [...]

No, the auto-trust-anchor-file directive is commented out in my conf
(can't use it with that domain) and I don't get an error like that.
The unbound-host is crashing with a segmentation fault (my translation
to "access violation" was incorrect) and the last lines of the log are:

Jun 12 11:51:19 libunbound[13639:0] debug: Forward zone server list:
Jun 12 11:51:19 libunbound[13639:0] info: DelegationPoint<www.xy.de.>: 0
names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Jun 12 11:51:19 libunbound[13639:0] error: duplicate forward zone ignored.
Jun 12 11:51:19 libunbound[13639:0] debug: Forward zone server list:

Funny enough, the segfault seems to be happening while writing the log.
A trace is further down. I'd say it happens when libunbound is trying to
put out the Forward zone server list.

regards, jo

open("/var/log/unbound.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE,
0666) = 7
fstat64(7, {st_mode=S_IFREG|0644, st_size=4530415, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb77a0000
fstat64(7, {st_mode=S_IFREG|0644, st_size=4530415, ...}) = 0
_llseek(7, 4530415, [4530415], SEEK_SET) = 0
time(NULL) = 1402567297
open("/etc/localtime", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
fstat64(8, {st_mode=S_IFREG|0644, st_size=2309, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb779f000
read(8,
"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"...,
4096) = 2309
_llseek(8, -28, [2281], SEEK_CUR) = 0
read(8, "\nCET-1CEST,M3.5.0,M10.5.0/3\n", 4096) = 28
close(8) = 0
munmap(0xb779f000, 4096) = 0
write(7, "Jun 12 12:01:37 libunbound[13944"..., 79) = 79
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 69) = 69
brk(0x85a0000) = 0x85a0000
brk(0x8590000) = 0x8590000
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 68) = 68
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 80) = 80
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 80) = 80
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 80) = 80
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 80) = 80
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 80) = 80
brk(0x85b2000) = 0x85b2000
brk(0x85d4000) = 0x85d4000
brk(0x85f6000) = 0x85f6000
brk(0x8618000) = 0x8618000
brk(0x8639000) = 0x8639000
brk(0x865a000) = 0x865a000
brk(0x867c000) = 0x867c000
brk(0x86a7000) = 0x86a7000
brk(0x8697000) = 0x8697000
brk(0x86b9000) = 0x86b9000
brk(0x86b5000) = 0x86b5000
brk(0x86a5000) = 0x86a5000
brk(0x86c7000) = 0x86c7000
brk(0x86c3000) = 0x86c3000
brk(0x86b3000) = 0x86b3000
brk(0x86d5000) = 0x86d5000
brk(0x86c3000) = 0x86c3000
brk(0x86e4000) = 0x86e4000
brk(0x86d0000) = 0x86d0000
brk(0x86f2000) = 0x86f2000
brk(0x86de000) = 0x86de000
brk(0x8700000) = 0x8700000
brk(0x86fc000) = 0x86fc000
brk(0x86ec000) = 0x86ec000
brk(0x870e000) = 0x870e000
brk(0x870a000) = 0x870a000
brk(0x86fa000) = 0x86fa000
brk(0x871c000) = 0x871c000
brk(0x8708000) = 0x8708000
brk(0x872a000) = 0x872a000
brk(0x8724000) = 0x8724000
brk(0x8714000) = 0x8714000
brk(0x8736000) = 0x8736000
brk(0x8732000) = 0x8732000
brk(0x8722000) = 0x8722000
brk(0x8744000) = 0x8744000
brk(0x8730000) = 0x8730000
brk(0x8752000) = 0x8752000
brk(0x874e000) = 0x874e000
brk(0x873e000) = 0x873e000
brk(0x8760000) = 0x8760000
brk(0x874c000) = 0x874c000
brk(0x876e000) = 0x876e000
brk(0x875a000) = 0x875a000
brk(0x877c000) = 0x877c000
brk(0x8768000) = 0x8768000
brk(0x878a000) = 0x878a000
brk(0x8776000) = 0x8776000
brk(0x8798000) = 0x8798000
brk(0x8784000) = 0x8784000
brk(0x87a6000) = 0x87a6000
brk(0x87a0000) = 0x87a0000
brk(0x8790000) = 0x8790000
brk(0x87b2000) = 0x87b2000
brk(0x879e000) = 0x879e000
brk(0x87c0000) = 0x87c0000
brk(0x87ac000) = 0x87ac000
brk(0x87ce000) = 0x87ce000
brk(0x87ca000) = 0x87ca000
brk(0x87ba000) = 0x87ba000
brk(0x87dc000) = 0x87dc000
brk(0x87d8000) = 0x87d8000
brk(0x87c8000) = 0x87c8000
brk(0x87ea000) = 0x87ea000
brk(0x87e6000) = 0x87e6000
brk(0x87d6000) = 0x87d6000
brk(0x87f8000) = 0x87f8000
brk(0x87e4000) = 0x87e4000
brk(0x8806000) = 0x8806000
brk(0x87f2000) = 0x87f2000
brk(0x8814000) = 0x8814000
brk(0x8810000) = 0x8810000
brk(0x8800000) = 0x8800000
brk(0x8822000) = 0x8822000
brk(0x880e000) = 0x880e000
brk(0x8830000) = 0x8830000
brk(0x881c000) = 0x881c000
brk(0x883e000) = 0x883e000
brk(0x882a000) = 0x882a000
brk(0x884c000) = 0x884c000
brk(0x8848000) = 0x8848000
brk(0x8838000) = 0x8838000
brk(0x885a000) = 0x885a000
brk(0x8856000) = 0x8856000
brk(0x8846000) = 0x8846000
brk(0x8868000) = 0x8868000
brk(0x8854000) = 0x8854000
brk(0x8876000) = 0x8876000
brk(0x8872000) = 0x8872000
brk(0x8862000) = 0x8862000
brk(0x8884000) = 0x8884000
brk(0x8880000) = 0x8880000
brk(0x8870000) = 0x8870000
brk(0x8892000) = 0x8892000
brk(0x887e000) = 0x887e000
brk(0x88a0000) = 0x88a0000
brk(0x888c000) = 0x888c000
brk(0x88ae000) = 0x88ae000
brk(0x88a8000) = 0x88a8000
brk(0x8898000) = 0x8898000
brk(0x88ba000) = 0x88ba000
brk(0x88b6000) = 0x88b6000
brk(0x88a6000) = 0x88a6000
brk(0x88c8000) = 0x88c8000
brk(0x88c4000) = 0x88c4000
brk(0x88b4000) = 0x88b4000
brk(0x88d6000) = 0x88d6000
brk(0x88d2000) = 0x88d2000
brk(0x88c2000) = 0x88c2000
brk(0x88e4000) = 0x88e4000
brk(0x88d0000) = 0x88d0000
brk(0x88f2000) = 0x88f2000
brk(0x88ee000) = 0x88ee000
brk(0x88de000) = 0x88de000
brk(0x8900000) = 0x8900000
brk(0x88fc000) = 0x88fc000
brk(0x88ec000) = 0x88ec000
brk(0x890e000) = 0x890e000
brk(0x88fa000) = 0x88fa000
brk(0x891c000) = 0x891c000
brk(0x8918000) = 0x8918000
brk(0x8908000) = 0x8908000
brk(0x892a000) = 0x892a000
brk(0x8916000) = 0x8916000
brk(0x8938000) = 0x8938000
brk(0x8934000) = 0x8934000
brk(0x8924000) = 0x8924000
brk(0x8946000) = 0x8946000
brk(0x8942000) = 0x8942000
brk(0x8932000) = 0x8932000
brk(0x8954000) = 0x8954000
brk(0x8940000) = 0x8940000
brk(0x8962000) = 0x8962000
brk(0x894e000) = 0x894e000
brk(0x8970000) = 0x8970000
brk(0x895c000) = 0x895c000
brk(0x897e000) = 0x897e000
brk(0x897a000) = 0x897a000
brk(0x896a000) = 0x896a000
brk(0x898b000) = 0x898b000
brk(0x8976000) = 0x8976000
brk(0x8997000) = 0x8997000
brk(0x8982000) = 0x8982000
brk(0x89a3000) = 0x89a3000
brk(0x898e000) = 0x898e000
brk(0x89af000) = 0x89af000
brk(0x899a000) = 0x899a000
brk(0x89bb000) = 0x89bb000
brk(0x89a6000) = 0x89a6000
brk(0x89c7000) = 0x89c7000
brk(0x89b2000) = 0x89b2000
brk(0x89d3000) = 0x89d3000
brk(0x89be000) = 0x89be000
brk(0x89df000) = 0x89df000
brk(0x89cb000) = 0x89cb000
brk(0x89ed000) = 0x89ed000
brk(0x89d9000) = 0x89d9000
brk(0x89fb000) = 0x89fb000
brk(0x89e7000) = 0x89e7000
brk(0x8a09000) = 0x8a09000
brk(0x89f5000) = 0x89f5000
brk(0x8a17000) = 0x8a17000
brk(0x8a03000) = 0x8a03000
brk(0x8a25000) = 0x8a25000
brk(0x8a11000) = 0x8a11000
brk(0x8a33000) = 0x8a33000
brk(0x8a1f000) = 0x8a1f000
brk(0x8a41000) = 0x8a41000
brk(0x8a2d000) = 0x8a2d000
brk(0x8a4f000) = 0x8a4f000
brk(0x8a3b000) = 0x8a3b000
brk(0x8a5d000) = 0x8a5d000
brk(0x8a49000) = 0x8a49000
brk(0x8a6b000) = 0x8a6b000
brk(0x8a57000) = 0x8a57000
brk(0x8a79000) = 0x8a79000
brk(0x8a73000) = 0x8a73000
brk(0x8a63000) = 0x8a63000
brk(0x8a85000) = 0x8a85000
brk(0x8a71000) = 0x8a71000
brk(0x8a93000) = 0x8a93000
brk(0x8a8f000) = 0x8a8f000
brk(0x8a7f000) = 0x8a7f000
brk(0x8aa1000) = 0x8aa1000
brk(0x8a9d000) = 0x8a9d000
brk(0x8a8d000) = 0x8a8d000
brk(0x8aaf000) = 0x8aaf000
brk(0x8aab000) = 0x8aab000
brk(0x8a9b000) = 0x8a9b000
brk(0x8abd000) = 0x8abd000
brk(0x8aa9000) = 0x8aa9000
brk(0x8acb000) = 0x8acb000
brk(0x8ac7000) = 0x8ac7000
brk(0x8ab7000) = 0x8ab7000
brk(0x8ad9000) = 0x8ad9000
brk(0x8ac5000) = 0x8ac5000
brk(0x8ae7000) = 0x8ae7000
brk(0x8ad3000) = 0x8ad3000
brk(0x8af5000) = 0x8af5000
brk(0x8ae1000) = 0x8ae1000
brk(0x8b03000) = 0x8b03000
brk(0x8aef000) = 0x8aef000
brk(0x8b11000) = 0x8b11000
brk(0x8afd000) = 0x8afd000
brk(0x8b1f000) = 0x8b1f000
brk(0x8b1b000) = 0x8b1b000
brk(0x8b0b000) = 0x8b0b000
brk(0x8b2d000) = 0x8b2d000
brk(0x8b29000) = 0x8b29000
brk(0x8b19000) = 0x8b19000
brk(0x8b3b000) = 0x8b3b000
brk(0x8b27000) = 0x8b27000
brk(0x8b49000) = 0x8b49000
brk(0x8b45000) = 0x8b45000
brk(0x8b35000) = 0x8b35000
brk(0x8b57000) = 0x8b57000
brk(0x8b43000) = 0x8b43000
brk(0x8b65000) = 0x8b65000
brk(0x8b51000) = 0x8b51000
brk(0x8b73000) = 0x8b73000
brk(0x8b6f000) = 0x8b6f000
brk(0x8b5f000) = 0x8b5f000
brk(0x8b81000) = 0x8b81000
brk(0x8b6d000) = 0x8b6d000
brk(0x8b8f000) = 0x8b8f000
brk(0x8b7b000) = 0x8b7b000
brk(0x8b9d000) = 0x8b9d000
brk(0x8b99000) = 0x8b99000
brk(0x8b89000) = 0x8b89000
brk(0x8bad000) = 0x8bad000
brk(0x8bd1000) = 0x8bd1000
brk(0x8c01000) = 0x8c01000
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 69) = 69
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 120) = 120
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 69) = 69
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 132) = 132
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 75) = 75
time(NULL) = 1402567297
write(7, "Jun 12 12:01:37 libunbound[13944"..., 69) = 69
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Yuri_Schaeffer · June 13, 2014, 8:19am

Hi Jo,

When I used the following command line under Debian 7.4,
unbound-host version 1.4.17, I got an access violation:
unbound-host -v -4 -d -d -r -C /etc/unbound/unbound.conf xy Thgougt
you might be interested. I can trace and dig deeper into this, if
you can't reproduce it easily with this info.

I have not been able to reproduce it. Could you share your
configuration file (off list)?

Regards,
Yuri

Yuri_Schaeffer · June 17, 2014, 12:15pm

Hi Jo,

unbound-host -v -4 -d -d -r -C /etc/unbound/unbound.conf xy

I've passed your configuration file to Wouter. The cause is the -r
option which reads the /etc/resolv.conf and use its contents as a
forwarder for ".", hence you have a duplicate.

The problem seems to be indeed the logging. In release 1.4.20 was a
change touching this specific code. It is likely this fixed the bug,
we could not reproduce it with the current release.

Also, in your conf you have 'outgoing-interface: 127.0.0.1'. This is
probably not what you want as you have no route to the outside world
on that interface. It may cause performance problems.

Regards,
Yuri

Over_Dexia · June 17, 2014, 2:09pm

Hello Yuri,

Hi Jo,

unbound-host -v -4 -d -d -r -C /etc/unbound/unbound.conf xy

I've passed your configuration file to Wouter. The cause is the -r
option which reads the /etc/resolv.conf and use its contents as a
forwarder for ".", hence you have a duplicate.

I see. I needed to pass the resolv.conf to have unbound know about the
domain lists (I thought).

Also, in your conf you have 'outgoing-interface: 127.0.0.1'. This
is probably not what you want as you have no route to the outside
world on that interface. It may cause performance problems.

This is by design. Unbound is in front of an nsd on the same host
responsible for resolving a domain.
Therefore I have following, too:

stub-zone:
name: xy.de
stub-addr: 127.0.0.1@58

I thought to be able to access this, I'd need the outgoing-interface
127.0.0.1, too. Wrong?

Thanks for your insight and best regards, JO

Sonic · June 17, 2014, 7:38pm

You do not need 'outgoing-interface: 127.0.0.1' in this case. At least
I've never needed it and have run several similar setups.