Maintained by: NLnet Labs

[Unbound-users] Strange SERVFAIL from unbound

W.C.A. Wijngaards
Fri Nov 14 13:53:27 CET 2008


Hi Aaron,

Looked at zen.spamhaus.org, but I could not see how harden-glue would
make an impact. Or how A records could time out while the AAAA do not.
They have the same timeout value (4 hours). I think it is possible to
change the code to deal with this situation, but I would like to know
how it happened.

The 30 minutes sounds close to the 15 minute (900 second) default
timeout on lameness detections.  Various kinds of badness are detected
and stored in the infrastructure cache.  Again, with 22 servers, it
seems unlikely all their A records are lame.

Do you have more log information (you can send this off list) you can
share with me?  Lots of data before this point, that deals with
*.spamhaus.org.  If you gzip it, 100M of log is only 1 meg email.

If it happens again can you query with dig +norec a.ns.spamhaus.org ?
And dig +norec +cdflag +dnssec a.ns.spamhaus.org ?

Best regards,
   Wouter

Aaron Hopkins wrote:
> Unbound-users,
> 
> While experimenting with replacing dnscache with unbound, approximately
> daily I've run into a strange situation where unbound 1.0.2 only answers
> requests for zen.spamhaus.org RBL lookups with SERVFAIL for roughly half an
> hour, then goes back to working normally.
> 
> I upped the verbosity and caught this in action.  Hopefully this is the
> right log section, as this is a fairly active mail server.
> 
> I noticed that unbound only logs IPv6 addresses here, yet this machine isn't
> IPv6-capable.  Are all IPv4 addresses expiring and it is refusing to fetch
> new ones for some reason?  Is this some interesting interaction with
> "do-ip6: no" and "harden-glue: yes", maybe?
> 
> Syslog output (all in the same second, so I stripped the time, etc):
> 
>     info: validator operate: query <2.0.0.127.zen.spamhaus.org. TXT IN>
>     info: resolving <2.0.0.127.zen.spamhaus.org. TXT IN>
>     info: DelegationPoint<zen.spamhaus.org.>: 22 names (0 missing), 22 addrs (0 result, 22 avail)
>     info:   8.ns.spamhaus.org.*
>     info:   3.ns.spamhaus.org.*
>     info:   1.ns.spamhaus.org.*
> 
> Is there something I'm obviously doing wrong here?  If not, is there any
> more information I can provide?
> 
> Thanks!
>                                     -- Aaron
> 
