Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Jan-Piet Mens
Mon Feb 21 08:44:09 CET 2011


Hello Paul,

>>        dig @127.0.0.1 +dnssec test.jpmens.org A        -> SERVFAIL
>>        dig @127.0.0.1 +dnssec test.jpmens.org SOA      -> SERVFAIL
>
> Those don't exist? And neither does any NS records?

The A exists, and BIND returns it. The SOA does not exist, and BIND
returns a NOERROR.

>> I've had to disable `harden-referral-path' because the NS RRset for
>> jpmens.org isn't yet signed.
>
> That should not matter. Hardening just queries multiple name servers for
> the same data to make spoofing harder. It does not mandate dnssec.

Thanks for the clarification.

> I think your problem is with your zone?

I don't think there is a problem with the zone, particularly because
BIND replies correctly to these queries. If I restart Unbound, it
starts off by also replying correctly. I've just restarted and get

        dig @127.0.0.1 +dnssec test.jpmens.org a        -> NOERROR
        dig @127.0.0.1 +dnssec test.jpmens.org sshfp    -> NOERROR
        dig @127.0.0.1 +dnssec test.jpmens.org any      -> SERVFAIL !

This is weird. Can it have something to do with the quite low TTL, which
is set to 120 on both A and SSHFP?

        -JP