Unbound refuses to clear cache!



  • Hi all!

    Have ended up with a bad cache on my fw, and have read on the Internet that to restart unbound under Status -> Services I can just press the restart button and that will clear the cache.
    Now when I have done it twice, it is still not cleared because it gives me wrong and old information about one of my domains!

    So now what? Any clues?



  • Tried a little more:

    unbound-control -c /var/unbound/ flush codejar
    /var/unbound/:1: error: unknown keyword '??A
                                                '
    /var/unbound/:1: error: unknown keyword ''
    read /var/unbound/ failed: 2 errors in configuration file
    [1455176854] unbound-control[38740:0] fatal error: could not read config file
    
    
    unbound-control -c /var/unbound/ flush "codejar"
    /var/unbound/:1: error: unknown keyword '??A
                                                '
    /var/unbound/:1: error: unknown keyword ''
    read /var/unbound/ failed: 2 errors in configuration file
    [1455176877] unbound-control[39010:0] fatal error: could not read config file
    
    


  • unbound-control -c /var/unbound/ lookup "mydomain.se"
    /var/unbound/:1: error: unknown keyword '??A
                                                '
    /var/unbound/:1: error: unknown keyword ''
    read /var/unbound/ failed: 2 errors in configuration file
    [1455177115] unbound-control[8396:0] fatal error: could not read config file
    
    

    :o



  • The commands you're running manually aren't correct, no need for that anyway.

    Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

    If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.



  • @cmb:

    The commands you're running manually aren't correct, no need for that anyway.

    Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

    If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.

    Where do you check that from your place? Because in all places I've checked outside my network it has correct NS records pointing to nsX.digitalocean.com

    And the commands I'm running are the ones I've found here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver and here on the forum https://forum.pfsense.org/index.php?topic=87666.0



  • Getting mixed results.

    From Level 3's 4.2.2.2 and OpenDNS, it's OK.

    $ dig ns codejar.se @4.2.2.2
    
    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @4.2.2.2
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11379
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;codejar.se.			IN	NS
    
    ;; ANSWER SECTION:
    codejar.se.		1800	IN	NS	ns1.digitalocean.com.
    codejar.se.		1800	IN	NS	ns2.digitalocean.com.
    codejar.se.		1800	IN	NS	ns3.digitalocean.com.
    
    

    From Google public DNS, my home recursive resolver, and our recursive resolvers in the office, it ends up with SERVFAIL.

    $ dig ns codejar.se @8.8.8.8 
    
    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17653
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;codejar.se.			IN	NS
    
    

    So there is definitely something wrong there that's breaking name resolution for a big portion of the Internet.



  • Oh, it's DNSSEC-enabled resolvers that fail. That's why Unbound is failing, it's not a cache problem, it's that your domain's DNSSEC is legitimately broken.
    http://dnscheck.pingdom.com/?domain=codejar.se


  • Yup, shows it broken

    Found 2 DS records for codejar.se in the se zone
    Found 1 RRSIGs over DS RRset
    RRSIG=53395 and DNSKEY=53395 verifies the DS RRset
    No DNSKEY records found
    codejar.se A RR has value 178.62.1.96
    No RRSIGs found

    Either fix dnssec or remove it if you want the whole world to resolve..
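Added example (not from any poster in this thread): a small model of why the thread sees split results. A resolver that does not validate DNSSEC returns NOERROR regardless, while a validating resolver like Unbound, Google DNS, or the office resolvers answers SERVFAIL when the parent publishes DS records but the child zone has no matching DNSKEY or no RRSIGs. The key tag is RFC 4034 Appendix B and the DS digest is RFC 4509 (SHA-256); the zone data, key bytes and the all-zero DS digest for the broken case are constructed, with only the key tag 53395 taken from the dnscheck output above.

```python
import hashlib
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags | protocol | algorithm | public key)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, dnskey_rdata: bytes) -> str:
    """RFC 4509 DS digest (digest type 2): SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata).hexdigest()


def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA; protocol is always 3."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([alg]) + pubkey


@dataclass
class Zone:
    name: str
    parent_ds: list   # (key_tag, algorithm, digest_hex) tuples delegated in the parent zone
    dnskeys: list     # DNSKEY RDATA published by the zone itself
    signed: bool      # whether the zone's RRsets actually carry RRSIGs


def resolve_status(zone: Zone, validating: bool) -> str:
    """Status a resolver reports for a lookup in the zone: NOERROR or SERVFAIL (bogus)."""
    if not validating or not zone.parent_ds:
        return "NOERROR"   # non-validating resolver, or an unsigned (insecure) delegation
    # Chain of trust holds only if some parent DS matches a child DNSKEY by tag and digest.
    matched = any(key_tag(k) == tag and ds_sha256(zone.name, k) == digest
                  for (tag, _alg, digest) in zone.parent_ds for k in zone.dnskeys)
    return "NOERROR" if matched and zone.signed else "SERVFAIL"


# Constructed data. Algorithm 8 is RSASHA256; the 64-byte "public key" is a stand-in blob.
PUBKEY = bytes(range(1, 65))
KSK = dnskey_rdata(257, 8, PUBKEY)
FIXED = Zone("codejar.se", [(key_tag(KSK), 8, ds_sha256("codejar.se", KSK))], [KSK], signed=True)
# The state dnscheck reported: DS present in the .se zone, no DNSKEY and no RRSIGs in the child.
BROKEN = Zone("codejar.se", [(53395, 8, "0" * 64)], [], signed=False)
```

Removing the DS records from the parent (the "remove it" option above) turns BROKEN into an insecure delegation, and resolve_status then returns NOERROR for validating resolvers as well.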



  • That's why I can reach it from some parts of the net, and not from others…
    Time to start digging more around this now!

    Cheers for the feedback all! :)

