Netgate Discussion Forum
    Unbound refuse to clear cache!

    DHCP and DNS
    • Kirill

      Hi all!

      I have ended up with a bad cache on my fw, and have read on the Internet that I can just press the restart button for unbound under Status -> Services and that will clear the cache.
      Now that I have done it twice, it is still not cleared, because it gives me wrong and old information about one of my domains!

      So now what? Any clues?

      • Kirill

        Tried a little more:

        unbound-control -c /var/unbound/ flush codejar
        /var/unbound/:1: error: unknown keyword '??A
                                                    '
        /var/unbound/:1: error: unknown keyword ''
        read /var/unbound/ failed: 2 errors in configuration file
        [1455176854] unbound-control[38740:0] fatal error: could not read config file
        
        
        unbound-control -c /var/unbound/ flush "codejar"
        /var/unbound/:1: error: unknown keyword '??A
                                                    '
        /var/unbound/:1: error: unknown keyword ''
        read /var/unbound/ failed: 2 errors in configuration file
        [1455176877] unbound-control[39010:0] fatal error: could not read config file
        
        
        • Kirill

          unbound-control -c /var/unbound/ lookup "mydomain.se"
          /var/unbound/:1: error: unknown keyword '??A
                                                      '
          /var/unbound/:1: error: unknown keyword ''
          read /var/unbound/ failed: 2 errors in configuration file
          [1455177115] unbound-control[8396:0] fatal error: could not read config file
          
          

          :o

          • cmb

            The commands you're running manually aren't correct, no need for that anyway.

            Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

            If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.

            • Kirill

              @cmb:

              The commands you're running manually aren't correct, no need for that anyway.

              Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

              If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.

              Where do you check that from your place? Because at all the places I've checked outside my network it has correct NS records pointing to nsX.digitalocean.com.

              And the commands I'm running are the ones I've found here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver and here on the forum: https://forum.pfsense.org/index.php?topic=87666.0

              • cmb

                Getting mixed results.

                From Level 3's 4.2.2.2 and OpenDNS, it's OK.

                $ dig ns codejar.se @4.2.2.2
                
                ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @4.2.2.2
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11379
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 8192
                ;; QUESTION SECTION:
                ;codejar.se.			IN	NS
                
                ;; ANSWER SECTION:
                codejar.se.		1800	IN	NS	ns1.digitalocean.com.
                codejar.se.		1800	IN	NS	ns2.digitalocean.com.
                codejar.se.		1800	IN	NS	ns3.digitalocean.com.
                
                

                From Google public DNS, my home recursive resolver, and our recursive resolvers in the office, it ends up with SERVFAIL.

                $ dig ns codejar.se @8.8.8.8
                
                ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @8.8.8.8
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17653
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 512
                ;; QUESTION SECTION:
                ;codejar.se.			IN	NS
                
                

                So there is definitely something wrong there that's breaking name resolution for a big portion of the Internet.

                • cmb

                  Oh, it's DNSSEC-enabled resolvers that fail. That's why Unbound is failing, it's not a cache problem, it's that your domain's DNSSEC is legitimately broken.
                  http://dnscheck.pingdom.com/?domain=codejar.se

                  • johnpoz (Global Moderator)

                    Yup, shows it broken:

                    Found 2 DS records for codejar.se in the se zone
                    Found 1 RRSIGs over DS RRset
                    RRSIG=53395 and DNSKEY=53395 verifies the DS RRset
                    No DNSKEY records found
                    codejar.se A RR has value 178.62.1.96
                    No RRSIGs found

                    Either fix DNSSEC or remove it if you want the whole world to resolve it.


                    • Kirill
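The chain-of-trust check that separates the resolvers in this thread, modelled in Python as an added example (not code from the thread, from pfSense or from Unbound; the key bytes and the DS computed from them are constructed, only the owner name and the A record value come from the thread): a DS record in the .se zone must match a DNSKEY published at the child apex, and when no DNSKEY exists a validating resolver such as Unbound or 8.8.8.8 answers SERVFAIL while a non-validating one such as 4.2.2.2 still hands back the A record.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in wire format: length-prefixed labels plus root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout from RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner wire name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def chain_status(owner: str, ds_set: list, dnskey_set: list) -> str:
    """Parent->child link only, no RRSIG checks. ds_set: (key_tag, algorithm,
    digest_type, digest) from the parent; dnskey_set: DNSKEY RDATA from the child apex.
    Returns 'insecure' (no DS), 'secure' (a DS matches a zone key) or 'bogus'
    (DS present but no matching DNSKEY, the state this thread found)."""
    if not ds_set:
        return "insecure"
    for tag, alg, dtype, digest in ds_set:
        if dtype != 2:
            continue  # only SHA-256 DS records are modelled
        for rd in dnskey_set:
            flags = struct.unpack("!H", rd[:2])[0]
            if not (flags & 0x0100) or rd[2] != 3:
                continue  # must be a zone key with protocol 3
            if rd[3] == alg and key_tag(rd) == tag and ds_digest_sha256(owner, rd) == digest:
                return "secure"
    return "bogus"

def resolver_answer(validating: bool, status: str, rdata: str) -> str:
    """Validating resolvers (Unbound, 8.8.8.8) drop bogus data: SERVFAIL.
    A non-validating one (4.2.2.2 in the thread) returns the record anyway."""
    return "SERVFAIL" if validating and status == "bogus" else rdata

# Constructed scenario, not the real codejar.se key material.
OWNER = "codejar.se"
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02")                      # toy KSK (flags 257, alg 8)
DS_SET = [(key_tag(KSK), 8, 2, ds_digest_sha256(OWNER, KSK))]   # what .se would publish
A_RECORD = "178.62.1.96"
```

Passing `DS_SET` with an empty DNSKEY list reproduces the "No DNSKEY records found" state from the check above: `chain_status` returns "bogus" and `resolver_answer(True, ...)` gives SERVFAIL, while `resolver_answer(False, ...)` still returns the address.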

                      That's why I can reach it from some parts of the net, and not from others…
                      Time to start digging more around this now!

                      Cheers for the feedback all! :)
