Description
I'm experiencing failures to resolve certain domains after upgrading from unbound 1.11 to 1.12. I have confirmed that switching between these versions has a direct impact on the issue. Also, disabling DNSSEC validation by commenting out the trust-anchor-file resolves the problem (at the cost of disabling DNSSEC, of course), which makes me believe that this is a DNSSEC issue.
I'm running unbound 1.12 on Arch Linux using the exact config below for both tests on 1.11 and 1.12. The build script used by Arch Linux is available here: https://github.com/archlinux/svntogit-community/blob/packages/unbound/trunk/PKGBUILD
```
server:
    do-daemonize: no

    # logging
    verbosity: 9
    use-syslog: yes
    log-queries: no
    # logs why dnssec validation failed
    val-log-level: 2
    # process chroots itself in /etc/unbound
    #logfile: dnslog.txt

    # root dns config
    root-hints: "/etc/unbound/named.cache"
    # this file will be copied from /etc/trusted-key by the unbound.server
    trust-anchor-file: /etc/unbound/trusted-key.key
    #auto-trust-anchor-file: /etc/unbound/trusted-key.key

    # bind to localhost for dnsmasq to redirect
    do-tcp: no
    do-ip6: no
    access-control: 127.0.0.1/8 allow
    interface: 127.0.0.1
    port: 10053

    # caching
    msg-cache-size: 4m
    msg-cache-slabs: 4

    # security
    hide-identity: no
    hide-version: no
    use-caps-for-id: no
    unwanted-reply-threshold: 10000000

    # misc
    do-not-query-localhost: yes
    prefetch: yes
    # disables mozilla (and google?) dns over https
    local-zone: "use-application-dns.net" static
```
Multiple domains are affected by this issue:
- fedoraproject.org
- unitymedia.de
- a few others that I have no record of (it took me a while to realize it's a DNS issue)
Below is the log output of unbound 1.12 while trying to resolve the A record of fedoraproject.org:
```
info: sending query: fedoraproject.org. DNSKEY IN
debug: sending to target: <fedoraproject.org.> 38.145.60.14#53
debug: dnssec status: expected
debug: EDNS lookup known=1 vs=0
debug: serviced query UDP timeout=477 msec
debug: inserted new pending reply id=3ab3
debug: opened UDP if=0 port=21121
debug: comm point start listening 10 (-1 msec)
debug: mesh_run: iterator module exit state is module_wait_reply
info: mesh_run: end 10 recursion states (9 with reply, 0 detached), 9 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
info: 0vRDCD mod2 fedoraproject.org. DNSKEY IN
info: 1RDdc mod1 rep fedoraproject.org. A IN
info: 2RDdc mod1 rep fedoraproject.org. A IN
info: 3RDdc mod1 rep fedoraproject.org. A IN
info: 4RDdc mod1 rep fedoraproject.org. A IN
info: 5RDdc mod1 rep fedoraproject.org. A IN
info: 6RDdc mod1 rep fedoraproject.org. A IN
info: 7RDdc mod1 rep fedoraproject.org. A IN
info: 8RDdc mod1 rep fedoraproject.org. A IN
info: 9RDdc mod1 rep fedoraproject.org. A IN
debug: cache memory msg=67956 rrset=84388 infra=10260 val=68606 subnet=74504
debug: svcd callbacks end
debug: answer cb
debug: Incoming reply id = 3ab3
debug: Incoming reply addr = ip4 38.145.60.14 port 53 (len 16)
debug: lookup size is 1 entries
debug: received udp reply.
debug: udp message[46:0] 3AB3861000010000000000010D6665646F726170726F6A656374036F726700003000010000291000000080000000
debug: outnet handle udp reply
debug: measured roundtrip at 134 msec
debug: initiate TCP query EDNS
debug: close of port 21121
debug: close fd 10
debug: tcp error for address ip4 38.145.60.14 port 53 (len 16)
debug: svcd callbacks start
debug: worker svcd callback for qstate 0x55c28f1745a0
debug: mesh_run: start
debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
info: iterator operate: query fedoraproject.org. DNSKEY IN
debug: process_response: new external response event
debug: iter_handle processing q with state QUERY RESPONSE STATE
debug: query response was timeout
debug: iter_handle processing q with state QUERY TARGETS STATE
info: processQueryTargets: fedoraproject.org. DNSKEY IN
debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 7
info: DelegationPoint<fedoraproject.org.>: 4 names (0 missing), 6 addrs (6 result, 0 avail) cacheNS
info: ns05.fedoraproject.org. * A AAAA
info: ns-iad01.fedoraproject.org. * A
info: ns02.fedoraproject.org. * A AAAA
info: ns-iad02.fedoraproject.org. * A
debug: ip4 38.145.60.14 port 53 (len 16)
debug: ip6 2610:28:3090:3001:dead:beef:cafe:fed5 port 53 (len 28)
debug: ip4 152.19.134.139 port 53 (len 16)
debug: ip4 38.145.60.13 port 53 (len 16)
debug: ip6 2001:4178:2:1269:dead:beef:cafe:fed5 port 53 (len 28)
debug: ip4 85.236.55.10 port 53 (len 16)
debug: servselect ip4 38.145.60.14 port 53 (len 16)
debug: rtt=481
debug: servselect ip4 152.19.134.139 port 53 (len 16)
debug: rtt=436
debug: servselect ip4 38.145.60.13 port 53 (len 16)
debug: rtt=459
debug: servselect ip4 85.236.55.10 port 53 (len 16)
debug: rtt=306
debug: selrtt 306
info: sending query: fedoraproject.org. DNSKEY IN
debug: sending to target: <fedoraproject.org.> 85.236.55.10#53
debug: dnssec status: expected
debug: EDNS lookup known=1 vs=0
debug: serviced query UDP timeout=306 msec
debug: inserted new pending reply id=f118
debug: opened UDP if=0 port=35132
debug: comm point start listening 10 (-1 msec)
debug: mesh_run: iterator module exit state is module_wait_reply
info: mesh_run: end 10 recursion states (9 with reply, 0 detached), 9 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
info: 0vRDCD mod2 fedoraproject.org. DNSKEY IN
info: 1RDdc mod1 rep fedoraproject.org. A IN
info: 2RDdc mod1 rep fedoraproject.org. A IN
info: 3RDdc mod1 rep fedoraproject.org. A IN
info: 4RDdc mod1 rep fedoraproject.org. A IN
info: 5RDdc mod1 rep fedoraproject.org. A IN
info: 6RDdc mod1 rep fedoraproject.org. A IN
info: 7RDdc mod1 rep fedoraproject.org. A IN
info: 8RDdc mod1 rep fedoraproject.org. A IN
info: 9RDdc mod1 rep fedoraproject.org. A IN
debug: cache memory msg=67956 rrset=84388 infra=10260 val=68606 subnet=74504
debug: svcd callbacks end
debug: answer cb
debug: Incoming reply id = f118
debug: Incoming reply addr = ip4 85.236.55.10 port 53 (len 16)
debug: lookup size is 1 entries
debug: received udp reply.
debug: udp message[46:0] F118861000010000000000010D6665646F726170726F6A656374036F726700003000010000291000000080000000
debug: outnet handle udp reply
debug: measured roundtrip at 22 msec
debug: initiate TCP query EDNS
debug: close of port 35132
debug: close fd 10
debug: tcp error for address ip4 85.236.55.10 port 53 (len 16)
debug: svcd callbacks start
debug: worker svcd callback for qstate 0x55c28f1745a0
debug: mesh_run: start
debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
info: iterator operate: query fedoraproject.org. DNSKEY IN
debug: process_response: new external response event
debug: iter_handle processing q with state QUERY RESPONSE STATE
debug: query response was timeout
debug: iter_handle processing q with state QUERY TARGETS STATE
info: processQueryTargets: fedoraproject.org. DNSKEY IN
debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 8
info: DelegationPoint<fedoraproject.org.>: 4 names (0 missing), 6 addrs (6 result, 0 avail) cacheNS
info: ns05.fedoraproject.org. * A AAAA
info: ns-iad01.fedoraproject.org. * A
info: ns02.fedoraproject.org. * A AAAA
info: ns-iad02.fedoraproject.org. * A
debug: ip4 38.145.60.14 port 53 (len 16)
debug: ip6 2610:28:3090:3001:dead:beef:cafe:fed5 port 53 (len 28)
debug: ip4 152.19.134.139 port 53 (len 16)
debug: ip4 38.145.60.13 port 53 (len 16)
debug: ip6 2001:4178:2:1269:dead:beef:cafe:fed5 port 53 (len 28)
debug: ip4 85.236.55.10 port 53 (len 16)
debug: servselect ip4 85.236.55.10 port 53 (len 16)
debug: rtt=252
debug: servselect ip4 38.145.60.13 port 53 (len 16)
debug: rtt=459
debug: servselect ip4 152.19.134.139 port 53 (len 16)
debug: rtt=436
debug: servselect ip4 38.145.60.14 port 53 (len 16)
debug: rtt=481
debug: selrtt 252
info: sending query: fedoraproject.org. DNSKEY IN
debug: sending to target: <fedoraproject.org.> 85.236.55.10#53
debug: dnssec status: expected
debug: EDNS lookup known=1 vs=0
debug: serviced query UDP timeout=252 msec
debug: inserted new pending reply id=cc8f
debug: opened UDP if=0 port=14758
debug: comm point start listening 10 (-1 msec)
debug: mesh_run: iterator module exit state is module_wait_reply
info: mesh_run: end 10 recursion states (9 with reply, 0 detached), 9 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
info: 0vRDCD mod2 fedoraproject.org. DNSKEY IN
info: 1RDdc mod1 rep fedoraproject.org. A IN
info: 2RDdc mod1 rep fedoraproject.org. A IN
info: 3RDdc mod1 rep fedoraproject.org. A IN
info: 4RDdc mod1 rep fedoraproject.org. A IN
info: 5RDdc mod1 rep fedoraproject.org. A IN
info: 6RDdc mod1 rep fedoraproject.org. A IN
info: 7RDdc mod1 rep fedoraproject.org. A IN
info: 8RDdc mod1 rep fedoraproject.org. A IN
info: 9RDdc mod1 rep fedoraproject.org. A IN
debug: cache memory msg=67956 rrset=84388 infra=10260 val=68606 subnet=74504
debug: svcd callbacks end
debug: answer cb
debug: Incoming reply id = cc8f
debug: Incoming reply addr = ip4 85.236.55.10 port 53 (len 16)
debug: lookup size is 1 entries
debug: received udp reply.
debug: udp message[46:0] CC8F861000010000000000010D6665646F726170726F6A656374036F726700003000010000291000000080000000
debug: outnet handle udp reply
debug: measured roundtrip at 22 msec
debug: initiate TCP query EDNS
debug: close of port 14758
debug: close fd 10
```
(The log output seems to repeat a few times as unbound reattempts validation before failing.)
Ignore the fact that unbound is running behind a dnsmasq. All testing was done directly on unbound with dnsmasq stopped. I've cross-checked my configuration with multiple sources and have no idea what I am doing wrong, which makes me believe that maybe there is an issue with unbound, even though I couldn't find any related issue.
Please tell me if I need to provide additional information.
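Decoding the `udp message[46:0]` bytes from the log above shows what the authoritative server actually returned; this is an added example, not part of the original report or of unbound. It parses the DNS header (RFC 1035) and the EDNS OPT record (RFC 6891) of the first logged reply, copied verbatim from the log, and relates the result to the `do-tcp: no` setting in the posted config.

```python
import struct

# Hex dump copied verbatim from the first "udp message[46:0]" line in the log above.
LOGGED_REPLY = (
    "3AB3861000010000000000010D6665646F726170726F6A656374"
    "036F726700003000010000291000000080000000"
)

def read_name(msg: bytes, off: int):
    """Decode an uncompressed wire-format name starting at offset off."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off

def parse_reply(hexdump: str) -> dict:
    """Parse header flags, the question and any OPT record of a DNS reply."""
    msg = bytes.fromhex(hexdump)
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit in the UDP reply
        "rd": bool(flags & 0x0100),
        "cd": bool(flags & 0x0010),   # checking disabled, echoed from the DNSKEY query
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    out["question"] = (qname, qtype, qclass)   # qtype 48 = DNSKEY
    # Answer and authority are empty in this reply; walk the additional section for OPT.
    for _ in range(ar):
        _name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT pseudo-RR: class = sender's UDP size, TTL bit 15 = DO
            out["opt"] = {"udp_size": rclass, "do": bool(ttl & 0x8000)}
    return out

def diagnose(reply: dict, do_tcp: bool) -> str:
    """What a resolver must do with this reply given its do-tcp setting."""
    if not reply["tc"]:
        return "complete answer"
    if do_tcp:
        return "truncated: retry over TCP"
    return "truncated: TCP fallback disabled (do-tcp: no), query cannot complete"
```

The decoded reply carries only the question plus an OPT record with the TC bit set, which is why every `initiate TCP query EDNS` line in the log is immediately followed by `tcp error`: the posted config has `do-tcp: no`, so the DNSKEY answer can never be fetched in full and validation of fedoraproject.org fails.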