Maintained by: NLnet Labs

[Unbound-users] SERVFAIL from Unbound whentrying to resolve a hostname

Marc Groeneweg
Wed Dec 17 16:44:59 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have discovered something weird regarding a VISA card site in the Netherlands. On the query unbound-host -v www.icscards.nl unbound answers with:

Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
Host www.icscards.nl not found: 2(SERVFAIL). (insecure)
Host www.icscards.nl not found: 2(SERVFAIL). (insecure)

What I've seen so far is this:
Nameservers for icscards.nl are ns.nl.net and auth60.ns.nl.uu.net. They give authorative answer for this. When I question www.icscards.nl on them I get:

dig @ns.nl.net www.icscards.nl

; <<>> DiG 9.3.5-P1 <<>> @ns.nl.net www.icscards.nl
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27351
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.icscards.nl.               IN      A

;; AUTHORITY SECTION:
www.icscards.nl.        86400   IN      NS      nua0px13.fortisbank.nl.
www.icscards.nl.        86400   IN      NS      nwp0px13.fortisbank.nl.

And see, no aa bit set! It seems that www.icscards.nl is a subdomain, which are going to be resolved by two fortisbank nameservers.

And querying one of those:
dig @nua0px13.fortisbank.nl www.icscards.nl a

; <<>> DiG 9.3.5-P1 <<>> @nua0px13.fortisbank.nl www.icscards.nl a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21375
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.icscards.nl.               IN      A

;; ANSWER SECTION:
www.icscards.nl.        60      IN      A       164.140.155.125

Also non-authorative answers. BIND does give an answer however, Unbound not.

Can someone explains me what's happening here? And why the differende between BIND resolving and Unbound?

Regards,

Marc Groeneweg
-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)

wj8DBQFJSR57bp5Jj0JFvnwRAiFfAKD9v39W0PrE2wF1rDHbCUz0V+kkvwCdF0sY
3yF1rIGheiw8bp81eYdYTSg=
=a/Wf
-----END PGP SIGNATURE-----