Problems with unbound

Matthew Seaman m.seaman at
Tue Mar 15 15:19:09 UTC 2016

On 03/15/16 11:28, Andrea Brancatelli wrote:
> Hello everybody, 
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why. 
> To make a long story short, we use this forward.conf: 
> root at dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
> name: .
> forward-addr:
> forward-addr: 
> Enabling this: 
>  auto-trust-anchor-file: /var/unbound/root.key 
> in /etc/unbound/unbound.conf gives me this: 
> root at dbengine-ent-rm-01:/var/unbound # host
> ;; connection timed out; no servers could be reached 
> simply disabling that line gives me this: 
> root at dbengine-ent-rm-01:/var/unbound # host
> is an alias for
> has address
> has IPv6 address 2001:4978:1:420::cc09:3750
> mail is handled by 0 . 
> What's going on? 
> root at dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13 

Do you have a firewall between those machines and the Internet?   Does
it assume that DNS queries never use anything more than 512byte UDP
packets?  Does it try and rewrite data in DNS queries?  Doing either of
those things will cause breakage when using a DNSSEC enabled DNS
resolver -- and DNSSEC support is pretty much the whole point of

If you go here: it
should show you if you have any problems with reply lengths.  Firewalls
that try and modify DNS queries on the fly just need to be eradicated.
It's a dumb idea and indistinguishable from certain types of malicious



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-stable mailing list