Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Jan-Piet Mens
Sun Feb 20 18:24:15 CET 2011


Hello,

I wonder if you could help me, please. I'm experiencing Unbound 1.4.8
compiled from source with built-in ldns returning SERVFAIL, although I
don't agree with it doing so :) FWIW, I cannot reproduce this when
validating with BIND: I've tried with both versions 9.7.2 and 9.8.0rc1.


The following queries, and their reply codes: (the order of queries
appears to be irrelevant)

        dig @127.0.0.1 +dnssec test.jpmens.org          -> ANSWER
        dig @127.0.0.1 +dnssec test.jpmens.org ANY      -> ANSWER

        dig @127.0.0.1 +dnssec test.jpmens.org SSHFP    -> SERVFAIL

wait approx 10seconds:

        dig @127.0.0.1 +dnssec test.jpmens.org SSHFP    -> ANSWER
        dig @127.0.0.1 +dnssec test.jpmens.org A        -> SERVFAIL
        dig @127.0.0.1 +dnssec test.jpmens.org SOA      -> SERVFAIL


At the time of the SERVFAIL, I see the following output:

        debug: out of query targets -- returning SERVFAIL
        debug: store error response in message cache
        debug: return error response SERVFAIL
        debug: mesh_run: iterator module exit state is module_finished
        debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
        info: validator operate: query <test.jpmens.org. SOA IN>
        debug: validator: nextmodule returned
        debug: cannot validate non-answer, rcode SERVFAIL
        debug: mesh_run: validator module exit state is module_finished
        debug: query took 1.222387 sec
        info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
        info: average recursion processing time 1.181398 sec
        debug: cache memory msg=310695 rrset=338856 infra=26968 val=309379
        debug: svcd callbacks end
        debug: close of port 43479
        debug: close fd 7

I can reproduce this behavior on Fedora 14 with their packaged Unbound,
also 1.4.8.

Is there something wrong with the zone? 

My configuration is 

        server:
          verbosity: 1
          access-control: 0.0.0.0/0 allow
          use-syslog: no 
          harden-glue: yes
          harden-referral-path: no
          auto-trust-anchor-file: "root.key"
          dlv-anchor-file: "dlv.isc.org.key"
          trust-anchor-file: "uno.aa"
        python:
        remote-control:

I've had to disable `harden-referral-path' because the NS RRset for
jpmens.org isn't yet signed.

Thank you & regards,

        -JP