
unbound returns SERVFAIL after reboot, 1.4.22

As in the subject; the OS is Debian 8.6 jessie.

 

After a reboot, check the status:

 

systemctl status unbound
● unbound.service - (null)
  Loaded: loaded (/etc/init.d/unbound)
 Drop-In: /run/systemd/generator/unbound.service.d
          └─50-insserv.conf-$named.conf, 50-unbound-$named.conf
  Active: active (running) since Sun 2017-12-17 15:50:22 MSK; 8 months 20 days left
 Process: 627 ExecStart=/etc/init.d/unbound start (code=exited, status=0/SUCCESS)
Main PID: 751 (unbound)
  CGroup: /system.slice/unbound.service
          └─751 /usr/sbin/unbound

Dec 17 15:50:22 unbound0 unbound-anchor[670]: last successful probe: Tue Mar 28 06:45:56 2017
Dec 17 15:50:22 unbound0 unbound-anchor[670]: the last successful probe was more than 30 days ago
Dec 17 15:50:22 unbound0 unbound-anchor[670]: /etc/unbound/icannbundle.pem: No such file or directory
Dec 17 15:50:22 unbound0 unbound-anchor[670]: using builtin certificate
Dec 17 15:50:22 unbound0 unbound-anchor[670]: have 1 trusted certificates
Dec 17 15:50:22 unbound0 unbound-anchor[670]: resolved server address 72.21.81.189
Dec 17 15:50:22 unbound0 unbound-anchor[670]: resolved server address 2606:2800:11f:bb5:f27:227f:1bbf:a0e
Dec 17 15:50:22 unbound0 unbound-anchor[670]: connect to 2606:2800:11f:bb5:f27:227f:1bbf:a0e
Dec 17 15:50:22 unbound0 unbound[627]: Starting recursive DNS server: unbound.
Dec 17 15:50:22 unbound0 systemd[1]: Started (null).
root@unbound0:/home$ nslookup ya.ru
;; Got SERVFAIL reply from 10.10.10.5, trying next server
Server:         10.10.15.5
Address:        10.10.15.5#53

Non-authoritative answer:
Name:   ya.ru
Address: 93.158.134.3
Name:   ya.ru
Address: 213.180.193.3
Name:   ya.ru
Address: 213.180.204.3

systemctl restart unbound
root@ns0:/home$ nslookup ya.ru
Server:         10.10.10.5
Address:        10.10.10.5#53

Non-authoritative answer:
Name:   ya.ru
Address: 213.180.204.3
Name:   ya.ru
Address: 93.158.134.3
Name:   ya.ru
Address: 213.180.193.3

 

unbound-control status
version: 1.4.22
verbosity: 1
threads: 8
modules: 2 [ validator iterator ]
uptime: 562 seconds
unbound (pid 1162) is running...

 

There is nothing out of the ordinary in the config; I suspect this is because of the validator module?

Edited by hsvt


SERVFAIL is returned when DNSSEC validation fails. And it looks like your anchors are old: "/etc/unbound/icannbundle.pem: No such file or directory". Fetch them, or disable DNSSEC (BAD IDEA!)

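One way to confirm the diagnosis in the reply above, as an added example that is not part of the thread: compare a normal query with one that sets the CD (checking disabled) bit, since a name that fails only while validation is on points to DNSSEC rather than to resolution. The function names and the sample dig header lines are constructed for illustration; 10.10.10.5 and ya.ru are the resolver and name from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): classify a SERVFAIL as validation-related
# or not by comparing a normal query with one sent with the CD bit set.

# Extract the RCODE from dig's header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711"
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for a normal query, $2 = dig output for the same query with +cd
diagnose() {
    normal=$(rcode_of "$1")
    unchecked=$(rcode_of "$2")
    case "$normal/$unchecked" in
        SERVFAIL/NOERROR)  echo "validation-failure" ;;  # resolves only when validation is skipped
        SERVFAIL/SERVFAIL) echo "resolution-failure" ;;  # fails either way: not DNSSEC-specific
        NOERROR/NOERROR)   echo "ok" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Live use on the resolver host (needs dig and a reachable resolver; not called here),
# e.g.: probe_live 10.10.10.5 ya.ru
probe_live() {   # $1 = resolver address, $2 = name to look up
    diagnose "$(dig @"$1" "$2" A)" "$(dig @"$1" "$2" A +cd)"
}

# Constructed sample header lines, so the script runs offline.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712'

diagnose "$SAMPLE_FAIL" "$SAMPLE_OK"
```

A "validation-failure" result right after boot that turns into "ok" after `systemctl restart unbound` matches the behaviour described in the first post.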

SERVFAIL is returned when DNSSEC validation fails. And it looks like your anchors are old: "/etc/unbound/icannbundle.pem: No such file or directory". Fetch them, or disable DNSSEC (BAD IDEA!)

 

Thanks, Pavel. I changed the settings and fetched the file; the anchor was in /var/lib/unbound/root.key, but the certificate was missing. I'll check now at the next reboot :)

disable DNSSEC (BAD IDEA!)

As for me, enabling it is the bad idea.
