Maintained by: NLnet Labs

[Unbound-users] Can't resolve

Sven Ulland
Sat Feb 18 12:44:04 CET 2012

On 2012-02-09 01:00:56 -0800, W.C.A. Wijngaards wrote:
 > On 02/09/2012 08:29 AM, Attila Nagy wrote:
 >> Running unbound r2580, I can't resolve I get
 >> SERVFAIL back. The server was running for some time, so it's not in
 >> a fresh state. It seems the problem is that facebook DNS servers
 >> time out on AAAA records, so unbound gets the false assumption that
 >> they are unavailable.
 > Well if you do not respond to queries, you deserve what you get.
 > DNS has noanswer-nodata packets and this is what should be used.
 > They do not implement RFC1034.  And for that facebook deserves to be
 > offline.

We ran into exactly the same problem with AAAA for last
week, and contacted them about it. They fixed it fairly quickly,
sometime within Feb 10th, so now their servers return an authoritative
NOERROR with an empty answer.

While the issue was on-going, we used PowerDNS recursors running
version 3.2. While v3.1 behaves the same way as Unbound in that it
doesn't "cache the timeout", v3.2 times out on the first try,
registers the result as SERVFAIL, and then caches the result for
a configurable time (packetcache-servfail-ttl, default 60 sec).

Would it make sense to have a similar, configurable behaviour in
Unbound to handle servers that time out in a way that would minimize
client lookup latency?

There was a similar thread about this in 2010 [1].


[1]: [Unbound-users] Setting max-time before servfail
Message-ID: 9a0178111001150607x6572b94cw44b93c0ff6a28178 at
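
Added example, not part of the original message and not PowerDNS or Unbound code: a minimal Python model of the behaviour described above, where an upstream timeout is recorded as SERVFAIL and served from cache for a fixed TTL (60 seconds, matching the default quoted above). The class names, the 3-second query timeout, `www.example.com` and the `192.0.2.1` answer are constructed assumptions.

```python
SERVFAIL, NODATA = "SERVFAIL", "NOERROR/NODATA"

class FakeClock:                          # deterministic time source for the demo
    now = 0.0

class ConstructedAuth:
    """Constructed upstream: answers A, silently drops AAAA until 'fixed'."""
    fixed = False
    def query(self, qname, qtype):
        if qtype == "A":
            return "192.0.2.1"
        return NODATA if self.fixed else None      # None models a timeout

class TimeoutCachingResolver:
    # Hypothetical resolver model; servfail_ttl plays the role of a
    # "cache the failure for N seconds" setting, query_timeout is assumed.
    def __init__(self, auth, clock, servfail_ttl=60.0, query_timeout=3.0):
        self.auth, self.clock = auth, clock
        self.servfail_ttl, self.query_timeout = servfail_ttl, query_timeout
        self.failed_until = {}            # (qname, qtype) -> expiry timestamp

    def resolve(self, qname, qtype):
        """Return (result, seconds the client waited)."""
        key = (qname.lower(), qtype)
        if self.clock.now < self.failed_until.get(key, 0.0):
            return SERVFAIL, 0.0          # served from the failure cache
        self.failed_until.pop(key, None)  # expired or absent: ask upstream
        answer = self.auth.query(qname, qtype)
        if answer is None:                # upstream never replied
            self.clock.now += self.query_timeout
            self.failed_until[key] = self.clock.now + self.servfail_ttl
            return SERVFAIL, self.query_timeout
        return answer, 0.0

def simulate():
    clock, auth = FakeClock(), ConstructedAuth()
    r = TimeoutCachingResolver(auth, clock)
    log = [r.resolve("www.example.com", "AAAA")]      # first client pays timeout
    log.append(r.resolve("www.example.com", "AAAA"))  # instant cached SERVFAIL
    log.append(r.resolve("www.example.com", "A"))     # other qtype unaffected
    auth.fixed = True                                 # operator fixes the server
    log.append(r.resolve("www.example.com", "AAAA"))  # stale failure still served
    clock.now += 60.0                                 # let the cache entry expire
    log.append(r.resolve("www.example.com", "AAAA"))  # re-queried, now NODATA
    return log

if __name__ == "__main__":
    for result, waited in simulate():
        print(f"{result:15} waited {waited:.1f}s")
```

The fourth lookup shows the trade-off: once the authoritative server is fixed, clients keep receiving the cached SERVFAIL until the TTL runs out.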