Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Paul Wouters
Sun Feb 20 20:17:13 CET 2011


On Sun, 20 Feb 2011, Jan-Piet Mens wrote:

> The following queries, and their reply codes: (the order of queries
> appears to be irrelevant)
>
>        dig @127.0.0.1 +dnssec test.jpmens.org          -> ANSWER
>        dig @127.0.0.1 +dnssec test.jpmens.org ANY      -> ANSWER
>
>        dig @127.0.0.1 +dnssec test.jpmens.org SSHFP    -> SERVFAIL

>        dig @127.0.0.1 +dnssec test.jpmens.org SSHFP    -> ANSWER

That worked for me on the first attempt.

;; ANSWER SECTION:
test.jpmens.org.	120	IN	SSHFP	2 1 C74B4801FD01A68834FF45BACFA114FC3B0C47AA
test.jpmens.org.	120	IN	RRSIG	SSHFP 8 3 120 20110303000000 20110217000000 50853 jpmens.org. TBq2RoNNMkRv5bnesvjUIsIVVi/Yv0WAiB5527r2v8G5kGpJcUks/Y54 S3ZMc+Ys35EKE+5aQQ7wplioA3Mv59XZu0jeYecQI+Z4sWT4CJyIag9j vs97WjGfBshG8GvUqMjRpPwfa0ITGvHcCnVwpDudH2G2hsJz6cOecqqZ kbw=


>        dig @127.0.0.1 +dnssec test.jpmens.org A        -> SERVFAIL
>        dig @127.0.0.1 +dnssec test.jpmens.org SOA      -> SERVFAIL

Those don't exist? And neither do any NS records?

> I've had to disable `harden-referral-path' because the NS RRset for
> jpmens.org isn't yet signed.

That should not matter. Hardening just queries multiple name servers for
the same data to make spoofing harder. It does not mandate dnssec.

I think your problem is with your zone?

Paul
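A small stdlib-only diagnostic, added here as an example that is not part of the thread and not Unbound's own code: it builds the query `dig +dnssec` sends (RD set, EDNS0 OPT record with the DO bit) for each record type discussed above and classifies the reply by RCODE and AD flag, so a per-type SERVFAIL can be reproduced without dig. The resolver address, the record-type table and the two sample reply packets are constructed for the example.

```python
import socket
import struct

# Constructed subset of the IANA RR type registry: the types queried in the thread.
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "SSHFP": 44, "ANY": 255}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a dotted owner name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_dnssec_query(name, qtype, txid=0x1234):
    """Wire-format query as 'dig +dnssec' sends it: RD=1, one question, one OPT RR with DO."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)
    # OPT RR: root name, TYPE 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_response(packet):
    """Return (rcode name, AD flag set?, ANCOUNT) from a DNS reply header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    return RCODES.get(rcode, str(rcode)), ad, an

def query(server, name, qtype, timeout=2.0):
    """Send one query over UDP and classify the reply (needs a reachable resolver)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_dnssec_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_response(data)

# Constructed sample replies (headers only are inspected by parse_response):
# SERVFAIL: QR|RD|RA, RCODE=2, question echoed, no answers.
SAMPLE_SERVFAIL = (struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
                   + encode_name("test.jpmens.org") + struct.pack(">HH", 44, 1))
# Validated answer: QR|RD|RA|AD, RCODE=0, two answer RRs (SSHFP + RRSIG) as in Paul's dig output.
SAMPLE_VALIDATED = (struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
                    + encode_name("test.jpmens.org") + struct.pack(">HH", 44, 1))

if __name__ == "__main__":
    for t in ("SSHFP", "A", "SOA", "ANY"):  # resolver address is an assumption
        print(t, query("127.0.0.1", "test.jpmens.org", t))
```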