Maintained by: NLnet Labs

[Unbound-users] Strange SERVFAIL from unbound

Aaron Hopkins
Tue Nov 18 11:45:57 CET 2008


On Fri, 14 Nov 2008, W.C.A. Wijngaards wrote:

> Or how A records could time out while the AAAA do not.
> They have the same timeout value (4 hours).

So unbound just cares that it has a valid address for a given nameserver,
not that any of them are A, even if it wants to use IPv4?  If so, this seems
problematic.

The A and AAAA aren't looked up atomically, right?  You might get one or the
other in additionals if there's room left in the packet, otherwise you have
to query for A and AAAA separately?  Isn't there a race condition here?

If I have "ip6: no" in the config, is there a reason it is handling AAAA at
all?

And if it matters, zen.spamhaus.org is a strange zone, in that it is served
by rbldnsd in lazy/minimal-answers mode that doesn't bother to fill out an
authoritative section.  This apparently saves a lot of bandwidth, and the
only claimed operational difference is that they have to wait longer for
recursive servers to notice nameserver changes.

> The 30 minutes sounds close to the 15 minute (900 second) default
> timeout on lameness detections.

I had it happen again and the outage lasted almost 4 hours, which more
closely matches the A/AAAA TTL.  I didn't manage to do any manual lookups at
the time, and I didn't leave logging enabled over the weekend, as the logs
grow way too quickly on this active nameserver.

I'll set up a testbed to try and reproduce.

> If it happens again can you query with dig +norec a.ns.spamhaus.org ?
> And dig +norec +cdflag +dnssec a.ns.spamhaus.org ?

I tried this out while it was operating normally, and it showed different
TTLs on A and AAAA:

a.ns.spamhaus.org.      8871    IN      A       194.109.9.7
a.ns.spamhaus.org.      8871    IN      A       192.150.94.204
a.ns.spamhaus.org.      10299   IN      AAAA    2001:7b8:3:1f:0:2:53:1

Also, only 3 of the nameservers offer either A or AAAA results with just
+norec.  I have to add +cdflag +dnssec to get As for all 22 nameservers.
And for some reason, the AAAAs all have longer TTLs than the As.

                                     -- Aaron
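As an added example that is not part of the thread or of Unbound, a small Python check over dig answer lines: it takes the three records quoted above plus one constructed record for a hypothetical nameserver (b.ns.example.invalid, assumed) that only has a AAAA cached, and reports for each nameserver how long only the AAAA set would remain cached after the A set expires, and whether a resolver with IPv6 disabled would still hold a usable address.

```python
import re
from collections import defaultdict

# Constructed sample: the three answer lines quoted in the post, plus one
# constructed line for a hypothetical nameserver with only a AAAA cached.
SAMPLE_DIG_OUTPUT = """\
a.ns.spamhaus.org.      8871    IN      A       194.109.9.7
a.ns.spamhaus.org.      8871    IN      A       192.150.94.204
a.ns.spamhaus.org.      10299   IN      AAAA    2001:7b8:3:1f:0:2:53:1
b.ns.example.invalid.   300     IN      AAAA    2001:db8::53
"""

# owner  ttl  IN  type  rdata  (as printed by dig in the answer section)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(AAAA|A)\s+(\S+)$")


def parse_address_rrs(text):
    """Group A/AAAA records by owner: {owner: {"A": [(ttl, addr)], "AAAA": [...]}}."""
    rrs = defaultdict(lambda: {"A": [], "AAAA": []})
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, ttl, rtype, addr = m.groups()
            rrs[owner][rtype].append((int(ttl), addr))
    return dict(rrs)


def audit_nameserver_glue(text, ipv6_enabled=False):
    """For each nameserver, compute the window (seconds) during which only the
    AAAA set is still cached after every A record has expired, and whether a
    resolver has any address it can actually use given its IPv6 setting."""
    findings = {}
    for owner, byname in parse_address_rrs(text).items():
        a_ttls = [ttl for ttl, _ in byname["A"]]
        aaaa_ttls = [ttl for ttl, _ in byname["AAAA"]]
        # Window opens when the shortest-lived A expires and closes when the
        # longest-lived AAAA expires; zero if one set is absent or A outlives AAAA.
        window = max(aaaa_ttls) - min(a_ttls) if a_ttls and aaaa_ttls else 0
        usable = bool(a_ttls) or (ipv6_enabled and bool(aaaa_ttls))
        findings[owner] = {"aaaa_only_window": max(window, 0),
                           "usable_address": usable}
    return findings


if __name__ == "__main__":
    for owner, f in audit_nameserver_glue(SAMPLE_DIG_OUTPUT).items():
        print(f"{owner:28} AAAA-only window {f['aaaa_only_window']:>5}s "
              f"usable(ip6: no)={f['usable_address']}")
```

With the quoted TTLs, a.ns.spamhaus.org would be reachable only via its AAAA for 1428 seconds once the two A records expire.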