Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Jan-Piet Mens
Sun Feb 20 18:24:15 CET 2011


I wonder if you could help me, please. I'm experiencing Unbound 1.4.8
compiled from source with built-in ldns returning SERVFAIL, although I
don't agree with it doing so :) FWIW, I cannot reproduce this when
validating with BIND: I've tried with both versions 9.7.2 and 9.8.0rc1.

The following queries, and their reply codes: (the order of queries
appears to be irrelevant)

        dig @ +dnssec          -> ANSWER
        dig @ +dnssec ANY      -> ANSWER

        dig @ +dnssec SSHFP    -> SERVFAIL

wait approx 10seconds:

        dig @ +dnssec SSHFP    -> ANSWER
        dig @ +dnssec A        -> SERVFAIL
        dig @ +dnssec SOA      -> SERVFAIL

At the time of the SERVFAIL, I see the following output:

        debug: out of query targets -- returning SERVFAIL
        debug: store error response in message cache
        debug: return error response SERVFAIL
        debug: mesh_run: iterator module exit state is module_finished
        debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
        info: validator operate: query < SOA IN>
        debug: validator: nextmodule returned
        debug: cannot validate non-answer, rcode SERVFAIL
        debug: mesh_run: validator module exit state is module_finished
        debug: query took 1.222387 sec
        info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
        info: average recursion processing time 1.181398 sec
        debug: cache memory msg=310695 rrset=338856 infra=26968 val=309379
        debug: svcd callbacks end
        debug: close of port 43479
        debug: close fd 7

I can reproduce this behavior on Fedora 14 with their packaged Unbound,
also 1.4.8.

Is there something wrong with the zone? 

My configuration is 

          verbosity: 1
          access-control: allow
          use-syslog: no 
          harden-glue: yes
          harden-referral-path: no
          auto-trust-anchor-file: "root.key"
          dlv-anchor-file: ""
          trust-anchor-file: "uno.aa"

I've had to disable `harden-referral-path' because the NS RRset for isn't yet signed.

Thank you & regards,