Maintained by: NLnet Labs

[Unbound-users] Unbound answering SERVFAIL

W.C.A. Wijngaards
Tue Mar 17 09:05:29 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Ondřej Surý wrote:
> 2009/3/16 Cédric Girard <girard.cedric at gmail.com>:
>> 2009/3/16 Ondřej Surý <ondrej at sury.org>
>>> Hi Cédric,
>> Hi,
>>> does 192.168.2.2 serve . zone?
>>
>> No, it does not. But (I'll double check) I'm not sure Unbound tries to contact
>> the authoritative server.
> 
> According to the logfile Unbound is trying to prime root servers. And you
> specified servers for . in your db.root file and not servers for test, so you
> need to have a full delegation path from '.' to your test zone.
> 
>> Also it was working fine with BIND. Do they have a different behavior on
>> that point?
> 
> It's very much possible.

Yes, that is correct.  It seems like BIND is using the safety belt
(RFC1034) when priming fails, where Unbound gives up when root priming
fails.

I think what you want is a stub-zone setup; here you can avoid your
priming trouble:

stub-zone:
	name: "."
	stub-addr: 192.168.2.2
	stub-prime: no

This is basically the same as the root-hints you have, but the
stub-prime: no setting makes it skip the priming step that is failing now.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm/WcgACgkQkDLqNwOhpPgrzQCcDW0ZnKmDAab2JBDtPBZNNCEx
rNAAn0mvCNatMpSI3r2PCWuUQzmuasnt
=KlBs
-----END PGP SIGNATURE-----
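
Added example, not part of the original message and not NLnet Labs code: a Python check that sends the ". IN NS" question a resolver asks when priming to a root-hints address (such as the 192.168.2.2 discussed above) and reports whether the reply would give it root NS records. The "usable" rule here (NOERROR plus NS records owned by ".") is a simplifying assumption rather than Unbound's exact logic, and the two sample replies are constructed, not captured traffic.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_priming_query(txid=0x1234):
    """Query for '. IN NS', the question a resolver asks when priming."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # RD=0, one question
    return header + b"\x00" + struct.pack("!HH", 2, 1)    # root, NS, IN

def skip_name(msg, off):  # offset just past a domain name, compressed or not
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def priming_result(msg):
    """(usable, reason): usable means NOERROR with NS records owned by '.'."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        rcode = flags & 0x000F
        if rcode:
            return False, RCODES.get(rcode, "RCODE %d" % rcode)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4            # QTYPE + QCLASS
        root_ns = 0
        for _ in range(an):
            owner_is_root = msg[off] == 0
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            root_ns += owner_is_root and rtype == 2  # count NS RRs owned by "."
    except (IndexError, struct.error):
        return False, "malformed reply"
    return (True, "%d root NS" % root_ns) if root_ns else (False, "no root NS in answer")

def ask(server, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_priming_query(), (server, 53))
        return s.recvfrom(4096)[0]       # raw reply for priming_result()

# Constructed replies: a server not serving ".", and a private root (ns.test.)
Q = b"\x00" + struct.pack("!HH", 2, 1)
REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + Q
ROOT_OK = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + Q + b"\x00"
           + struct.pack("!HHIH", 2, 1, 3600, 9) + b"\x02ns\x04test\x00")
```

Against a live server, `priming_result(ask("192.168.2.2"))` gives the same classification for the address in the root hints.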