Maintained by: NLnet Labs

[Unbound-users] Strange SERVFAIL from unbound

Aaron Hopkins
Fri Nov 14 11:21:30 CET 2008


Unbound-users,

While experimenting with replacing dnscache with unbound, approximately
daily I've run into a strange situation where unbound 1.0.2 only answers
requests for zen.spamhaus.org RBL lookups with SERVFAIL for roughly half an
hour, then goes back to working normally.

I upped the verbosity and caught this in action.  Hopefully this is the
right log section, as this is a fairly active mail server.

I noticed that unbound only logs IPv6 addresses here, yet this machine isn't
IPv6-capable.  Are all IPv4 addresses expiring, and is it refusing to fetch new
ones for some reason?  Is this some interesting interaction with "do-ip6: no"
and "harden-glue: yes", maybe?

Syslog output (all in the same second, so I stripped the time, etc.):

     info: validator operate: query <2.0.0.127.zen.spamhaus.org. TXT IN>
     info: resolving <2.0.0.127.zen.spamhaus.org. TXT IN>
     info: DelegationPoint<zen.spamhaus.org.>: 22 names (0 missing), 22 addrs (0 result, 22 avail)
     info:   8.ns.spamhaus.org.*
     info:   3.ns.spamhaus.org.*
     info:   1.ns.spamhaus.org.*
     info:   0.ns.spamhaus.org.*
     info:   y.ns.spamhaus.org.*
     info:   x.ns.spamhaus.org.*
     info:   t.ns.spamhaus.org.*
     info:   s.ns.spamhaus.org.*
     info:   r.ns.spamhaus.org.*
     info:   q.ns.spamhaus.org.*
     info:   o.ns.spamhaus.org.*
     info:   m.ns.spamhaus.org.*
     info:   l.ns.spamhaus.org.*
     info:   k.ns.spamhaus.org.*
     info:   i.ns.spamhaus.org.*
     info:   h.ns.spamhaus.org.*
     info:   g.ns.spamhaus.org.*
     info:   f.ns.spamhaus.org.*
     info:   d.ns.spamhaus.org.*
     info:   c.ns.spamhaus.org.*
     info:   b.ns.spamhaus.org.*
     info:   a.ns.spamhaus.org.*
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info: resolving (init part 2):  <2.0.0.127.zen.spamhaus.org. TXT IN>
     info: resolving (init part 3):  <2.0.0.127.zen.spamhaus.org. TXT IN>
     info: processQueryTargets: <2.0.0.127.zen.spamhaus.org. TXT IN>
     info: DelegationPoint<zen.spamhaus.org.>: 22 names (0 missing), 22 addrs (0 result, 22 avail)
     info:   8.ns.spamhaus.org.*
     info:   3.ns.spamhaus.org.*
     info:   1.ns.spamhaus.org.*
     info:   0.ns.spamhaus.org.*
     info:   y.ns.spamhaus.org.*
     info:   x.ns.spamhaus.org.*
     info:   t.ns.spamhaus.org.*
     info:   s.ns.spamhaus.org.*
     info:   r.ns.spamhaus.org.*
     info:   q.ns.spamhaus.org.*
     info:   o.ns.spamhaus.org.*
     info:   m.ns.spamhaus.org.*
     info:   l.ns.spamhaus.org.*
     info:   k.ns.spamhaus.org.*
     info:   i.ns.spamhaus.org.*
     info:   h.ns.spamhaus.org.*
     info:   g.ns.spamhaus.org.*
     info:   f.ns.spamhaus.org.*
     info:   d.ns.spamhaus.org.*
     info:   c.ns.spamhaus.org.*
     info:   b.ns.spamhaus.org.*
     info:   a.ns.spamhaus.org.*
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
     info:    ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)

Here's the dig that produced that query:

     ; <<>> DiG 9.2.4 <<>> 2.0.0.127.zen.spamhaus.org txt
     ;; global options:  printcmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16072
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

     ;; QUESTION SECTION:
     ;2.0.0.127.zen.spamhaus.org.    IN      TXT

"dig zen.spamhaus.org ns" also produces SERVFAIL.

And here's the non-comment portion of my config (with some IPs replaced):

   server:
           verbosity: 2
           statistics-interval: 3600
           num-threads: 2
           interface: 1.2.3.4
           interface: 127.0.0.1
           outgoing-range: 256
           do-ip4: yes
           do-ip6: no
           do-udp: yes
           do-tcp: yes
           access-control: 127.0.0.0/8 allow
           access-control: 1.2.3.0/26 allow
           access-control: 192.168.84.0/24 allow
           chroot: "/var/unbound"
           username: "unbound"
           directory: "/var/unbound"
           pidfile: "/var/unbound/unbound.pid"
           hide-version: yes
           target-fetch-policy: "3 2 1 0 0"
           harden-glue: yes
           do-not-query-address: 127.0.0.0/8
           do-not-query-address: 10.0.0.0/8
           do-not-query-address: 172.16.0.0/12
           do-not-query-address: 192.168.0.0/16

Is there something I'm obviously doing wrong here?  If not, is there any
more information I can provide?

Thanks!
                                     -- Aaron