Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Jan-Piet Mens
Mon Feb 21 08:44:09 CET 2011

Hello Paul,

>>        dig @ +dnssec A        -> SERVFAIL
>>        dig @ +dnssec SOA      -> SERVFAIL
> Those don't exist? And neither does any NS records?

The A exists, and BIND returns it. The SOA does not exist, and BIND
returns a NOERROR.

>> I've had to disable `harden-referral-path' because the NS RRset for
>> isn't yet signed.
> That should not matter. Hardening just queries multiple name servers for
> the same data to make spoofing harder. It does not mandate dnssec.

Thanks for the clarification.

> I think your problem is with your zone?

I don't think there is a problem with the zone, particularly because
BIND replies correctly to these queries. If I restart Unbound, it
starts off by also replying correctly. I've just restarted and given it

        dig @ +dnssec a        -> NOERROR
        dig @ +dnssec sshfp    -> NOERROR
        dig @ +dnssec any      -> SERVFAIL !

This is weird. Can it have something to do with the quite low TTL, which
is set to 120 on both A and SSHFP?