From owner-freebsd-bugs@freebsd.org Sat Jul 25 14:11:33 2015 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A027D9AAF68 for ; Sat, 25 Jul 2015 14:11:33 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 85B401FE2 for ; Sat, 25 Jul 2015 14:11:33 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t6PEBXNN047694 for ; Sat, 25 Jul 2015 14:11:33 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 196138] Unbound fails with 2(SERVFAIL) when behind NAT Date: Sat, 25 Jul 2015 14:11:33 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 10.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: christop@physik.tu-berlin.de X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jul 2015 14:11:33 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196138 --- Comment #3 from christop@physik.tu-berlin.de --- Yes and no. No, because the default installation fails. I booted FreeBSD-10.2-PRERELEASE-amd64-20150704-r285132-bootonly.iso and made an network install. Unbound is of version 1.4.22. I do not think this a problem with the unbound software, but with the unbound configuration or DNSSEC in general. In the default configuration with dnssec unbound tries to get the DNSSEC public keys from the upstream nameserver, but the upstram nameserver does not deliver. Without public keys unbound cannot do validate the domain and fails. This behaviour is correct, because otherwise any attacker could disable DNSSEC. Yes, when I edit my /etc/resolv.conf root@freebsd:~ # cat /etc/resolv.conf search home nameserver 8.8.8.8 options edns and run root@freebsd:~ # /etc/rc.d/local_unbound setup Performing initial setup. Extracting forwarders from /etc/resolv.conf. original /var/unbound/forward.conf saved as /var/unbound/forward.conf.20150725.174438 /var/unbound/lan-zones.conf not modified /var/unbound/unbound.conf not modified /etc/resolvconf.conf not modified original /etc/resolv.conf saved as /etc/resolv.conf.20150725.174438 and then unbound config looks like root@freebsd:~ # cat /etc/unbound/forward.conf # Generated by local-unbound-setup # Do not edit this file. forward-zone: name: . forward-addr: 8.8.8.8 After an restart of unbound root@freebsd:~ # /etc/rc.d/local_unbound restart unbound resolves hosts: root@freebsd:~ # host google.com google.com has address 216.58.213.46 google.com has IPv6 address 2a00:1450:4008:800::1007 google.com mail is handled by 10 aspmx.l.google.com. google.com mail is handled by 40 alt3.aspmx.l.google.com. google.com mail is handled by 20 alt1.aspmx.l.google.com. google.com mail is handled by 30 alt2.aspmx.l.google.com. google.com mail is handled by 50 alt4.aspmx.l.google.com. When you are using DHCP, it will overwrite /etc/resolv.conf and unbound will be back to use the DHCP provided DNS Server. In short: Correctly configured Unbound works for me. Default configuration does not work. DNSSEC by design does not work with forward nameserver, which does not answer for public DNSSEC keys. This should be mentioned somewhere explicitly, because in my opinion the most SOHO devices do not run a DNSSEC aware DNS Server. -- You are receiving this mail because: You are the assignee for the bug.