
    Unbound refuse to clear cache!

    DHCP and DNS
    Kirill:

      Hi all!

      I have ended up with a bad cache on my fw, and have read on the Internet that to restart unbound under Status -> Services I can just press the restart button and that will clear the cache.
      Now that I have done it twice, it is still not cleared, because it gives me wrong and old information about one of my domains!

      So now what? Any clues?

      Kirill:

        Tried a little more:

        unbound-control -c /var/unbound/ flush codejar
        /var/unbound/:1: error: unknown keyword '??A
                                                    '
        /var/unbound/:1: error: unknown keyword ''
        read /var/unbound/ failed: 2 errors in configuration file
        [1455176854] unbound-control[38740:0] fatal error: could not read config file
        
        
        unbound-control -c /var/unbound/ flush "codejar"
        /var/unbound/:1: error: unknown keyword '??A
                                                    '
        /var/unbound/:1: error: unknown keyword ''
        read /var/unbound/ failed: 2 errors in configuration file
        [1455176877] unbound-control[39010:0] fatal error: could not read config file
        
        
        Kirill:

          unbound-control -c /var/unbound/ lookup "mydomain.se"
          /var/unbound/:1: error: unknown keyword '??A
                                                      '
          /var/unbound/:1: error: unknown keyword ''
          read /var/unbound/ failed: 2 errors in configuration file
          [1455177115] unbound-control[8396:0] fatal error: could not read config file
          
          

          :o

          cmb:

            The commands you're running manually aren't correct, no need for that anyway.

            Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

            If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.

            Kirill:

              @cmb:

              The commands you're running manually aren't correct, no need for that anyway.

              Restarting unbound most certainly clears the cache, in fact people complain it happens too often and too easily. If you're in forwarding mode, you're subject to the cache of your forwarding servers and have to wait for that TTL to expire. Guessing that's your issue, or else it's coming from a host override, or else your domain's NSes haven't actually updated it yet.

              If codejar.se is the domain in question, that domain's DNS is broken. It has no NS records.

              Where do you check that from? Because all the places I've checked from outside my network show correct NS records pointing to nsX.digitalocean.com

              And the commands I'm running are the ones I've found here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver and here on the forum https://forum.pfsense.org/index.php?topic=87666.0

              cmb:

                Getting mixed results.

                From Level 3's 4.2.2.2 and OpenDNS, it's OK.

                $ dig ns codejar.se @4.2.2.2
                
                ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @4.2.2.2
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11379
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 8192
                ;; QUESTION SECTION:
                ;codejar.se.			IN	NS
                
                ;; ANSWER SECTION:
                codejar.se.		1800	IN	NS	ns1.digitalocean.com.
                codejar.se.		1800	IN	NS	ns2.digitalocean.com.
                codejar.se.		1800	IN	NS	ns3.digitalocean.com.
                
                

                From Google public DNS, my home recursive resolver, and our recursive resolvers in the office, it ends up with SERVFAIL.

                $ dig ns codejar.se @8.8.8.8 
                
                ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> ns codejar.se @8.8.8.8
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17653
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 512
                ;; QUESTION SECTION:
                ;codejar.se.			IN	NS
                
                

                So there is definitely something wrong there that's breaking name resolution for a big portion of the Internet.

                cmb:

                  Oh, it's DNSSEC-enabled resolvers that fail. That's why Unbound is failing, it's not a cache problem, it's that your domain's DNSSEC is legitimately broken.
                  http://dnscheck.pingdom.com/?domain=codejar.se

                  johnpoz (LAYER 8 Global Moderator):

                    Yup, shows it broken:

                    Found 2 DS records for codejar.se in the se zone
                    Found 1 RRSIGs over DS RRset
                    RRSIG=53395 and DNSKEY=53395 verifies the DS RRset
                    No DNSKEY records found
                    codejar.se A RR has value 178.62.1.96
                    No RRSIGs found

                    Either fix dnssec or remove it if you want the whole world to resolve..


                    Kirill:
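The failure johnpoz's check output shows (DS records published in the se zone, but no DNSKEY served by the child) is exactly what makes validating resolvers such as Unbound and 8.8.8.8 answer SERVFAIL while non-validating ones still return the A record. The Python below is an added example, not code from this thread or from pfSense: it reproduces the key-tag side of that delegation check offline on constructed records (the DS digest is not compared, so "secure" here only means the tags line up), and it also classifies the unsigned and mismatched-key cases the thread does not show.

```python
import base64
import struct

# Constructed sample records (not from the thread), in zone-file presentation
# format: one DS as the parent would publish it, and the child's DNSKEY set.
# The public key bytes and the DS digest are placeholders, not a real key.
PARENT_DS = ["5154 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"]
CHILD_DNSKEY = ["257 3 13 AQIDBAUGBwg="]


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA
    (flags, protocol, algorithm, public key). Not valid for algorithm 1 (RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_tag(text: str) -> int:
    """'flags protocol algorithm base64...' -> key tag of that DNSKEY."""
    flags, protocol, algorithm, *key = text.split()
    return dnskey_key_tag(int(flags), int(protocol), int(algorithm),
                          base64.b64decode("".join(key)))


def parse_ds_tag(text: str) -> int:
    """'keytag algorithm digesttype digest' -> the key tag the DS points at."""
    return int(text.split()[0])


def audit_chain(ds_records, dnskey_records) -> str:
    """Classify a delegation the way a validating resolver would treat it."""
    ds_tags = {parse_ds_tag(ds) for ds in ds_records}
    key_tags = {parse_dnskey_tag(k) for k in dnskey_records}
    if not ds_tags:
        return "insecure"   # no DS at the parent: unsigned, resolves everywhere
    if not key_tags:
        # The thread's case: DS published, child serves no DNSKEY -> SERVFAIL
        return "bogus: DS published but child serves no DNSKEY"
    if ds_tags & key_tags:
        return "secure"     # a DNSKEY matches; digest check still required
    return "bogus: no DNSKEY matches DS key tags %s" % sorted(ds_tags)


if __name__ == "__main__":
    print(audit_chain(PARENT_DS, CHILD_DNSKEY))
    print(audit_chain(PARENT_DS, []))
```

Querying DS from the parent and DNSKEY from the child and feeding them to audit_chain is a quick way to tell a stale cache from a delegation that validators must reject.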

                      That's why I can reach it from some parts of the net, and not from others…
                      Time to start digging more around this now!

                      Cheers for the feedback all! :)
