Maintained by: NLnet Labs

[Unbound-users] SERVFAIL with *some* names in a DNSSEC+DLV signed zone

Stephane Bortzmeyer
Tue Jun 30 14:14:35 CEST 2009


The zone absolight.net (signed and published in ISC DLV) puzzles
me. Some requests SERVFAIL but not others:

% dig ANY ns1.absolight.net. 
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33316

% dig ANY ns2.absolight.net.  
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901
...
ns2.absolight.net.      86245   IN      A       80.245.57.153

% dig A ns1.absolight.net.   
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13932
...
ns1.absolight.net.      86400   IN      A       79.143.240.129

The problem is DNSSEC-related since, if I add +cd, it works:

% dig +cd ANY ns1.absolight.net.   
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59487
...
ns1.absolight.net.      3420    IN      RRSIG   NSEC 5 3 3600 20090714212355 20090614212355 11595 absolight.net. 34zDPJjCt/H072EJd/54dydJV1xyXVMUHvyrfzrrqEBH/EX3JsqEk46Q embiOCOBUt1Rg/17LAJ96lYte556B2jjSOGH2jBkAki8X9feJNj4HIHP ULPCHsYYyw74ZFCK
ns1.absolight.net.      3420    IN      NSEC    ns1-6.absolight.net. A AAAA RRSIG NSEC
ns1.absolight.net.      86187   IN      AAAA    2a01:678:100:53::53
...

I admit I do not understand why an A request works and not an ANY
request.

If I restart Unbound, *other* names in the zone fail and those which
failed now work.

BIND has no problem with this zone.

Unbound 1.2.0 and 1.3.0, Debian/Linux. All the tests have been done
with dlv.isc.org enabled.
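The comparison made by hand above (same query with and without +cd, then look at which status changes) can be scripted. This is an added example, not code from the post or from Unbound; the dig output fragments are constructed from the transcripts quoted above, and the query keys, parser and classification labels are my own assumptions.

```python
import re

# Constructed dig output fragments, modelled on the transcripts in the post
# (only the header line and the answer records matter to the parser).
DIG_OUTPUTS = {
    ("ns1.absolight.net.", "ANY", False):
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33316\n",
    ("ns1.absolight.net.", "ANY", True): (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59487\n"
        ";; ANSWER SECTION:\n"
        "ns1.absolight.net.      3420    IN      NSEC    ns1-6.absolight.net. A AAAA RRSIG NSEC\n"
        "ns1.absolight.net.      86187   IN      AAAA    2a01:678:100:53::53\n"
    ),
    ("ns1.absolight.net.", "A", False): (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13932\n"
        ";; ANSWER SECTION:\n"
        "ns1.absolight.net.      86400   IN      A       79.143.240.129\n"
    ),
}

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$", re.M)

def parse_dig(text):
    """Return (status, [(owner, ttl, rtype, rdata), ...]) from dig's text output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header line found")
    return m.group(2), RR_RE.findall(text)

def classify(no_cd_text, cd_text):
    """Compare one query run with validation on and with +cd (checking disabled).

    SERVFAIL that becomes NOERROR once validation is bypassed points at the
    validator (the symptom in this thread); SERVFAIL in both cases does not.
    """
    status, _ = parse_dig(no_cd_text)
    cd_status, cd_rrs = parse_dig(cd_text)
    if status == "NOERROR":
        return "ok"
    if status == "SERVFAIL" and cd_status == "NOERROR":
        types = sorted({rr[2] for rr in cd_rrs})
        return "validation-failure (unvalidated answer had: %s)" % ", ".join(types)
    return "server-failure"

def report(outputs=DIG_OUTPUTS):
    """Classify every (name, qtype) pair for which both a normal and a +cd run exist."""
    pairs = {(n, t) for (n, t, cd) in outputs if not cd and (n, t, True) in outputs}
    return {(n, t): classify(outputs[(n, t, False)], outputs[(n, t, True)]) for (n, t) in sorted(pairs)}
```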