Maintained by: NLnet Labs

[Unbound-users] unbound handling of SERVFAIL response code

Lamers, Brian J (Brian)
Mon Apr 22 16:02:21 CEST 2013


Our product uses unbound DNS recursor as a simple forwarding interface to remote DNS servers owned by the customer. In this case there are two DNS servers in the customer network and the assumption is unbound will choose the server based on RTT (round-trip time) delay.

Recently, our customer had some issues with one of their DNS servers (they were not specific), but from tcpdump output it appears the DNS server responded to NAPTR requests very quickly (<1 msec) but had SERVFAIL (2) as the response code. The customer claims the other DNS server did not have issues but was not chosen (response took longer - maybe several msecs). The customer complained that the other server should have been selected instead of choosing the 'bad' server responses.

I have seen the discussion on how unbound selects which server to use based on RTT, but it seems like it is designed more for handling network connectivity issues, timeouts and such. So what is the expected behavior when DNS responses are received but have a response code other than NOERROR (particularly SERVFAIL)? Are there any documents or discussions on this? Are there any settings (configurations) which would change behavior in this case?

Thanks for any feedback/suggestions,
Brian
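The situation described in the post can be checked by hand from the capture before opening a question about resolver behaviour: pair each forwarded query with its response, and tally per upstream server the RCODE distribution and the round-trip time. The script below is an added example written for this page; it is not part of the original post and not code from Unbound. The packets, server addresses (192.0.2.x, from the documentation range) and timestamps are constructed inline so it runs offline; on a real capture the same pairs would come from a pcap reader. The RCODE is taken from the low four bits of the flags word only, so an EDNS extended RCODE in the OPT record is not considered.

```python
"""Per-forwarder RCODE and latency summary from captured DNS responses.

Added example for the unbound-users question above; not Unbound code.
Given (server, query time, response time, response bytes) pairs from a
capture, it reports which upstream answers quickly but with SERVFAIL and
which answers correctly but more slowly.
"""
import struct
from collections import defaultdict

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_A = 1
QTYPE_NAPTR = 35


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(msg_id, qname, qtype, rcode):
    """Construct a minimal DNS response: header and question, no answers."""
    flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(msg, offset):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return (id, is_response, rcode, qname, qtype) from the wire message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F  # base RCODE only; EDNS extended RCODE not handled
    qname, qtype = None, None
    if qdcount >= 1:
        qname, off = decode_name(msg, 12)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return msg_id, is_response, rcode, qname, qtype


def summarize(pairs, qtype_filter=None):
    """Per-server RCODE counts, mean RTT in ms and SERVFAIL ratio.

    pairs: iterable of (server_ip, t_query_s, t_response_s, response_bytes).
    Non-responses are skipped; qtype_filter restricts to one query type.
    """
    stats = defaultdict(lambda: {"rcodes": defaultdict(int), "rtts_ms": []})
    for server, t_q, t_r, msg in pairs:
        _, is_resp, rcode, _, qtype = parse_response(msg)
        if not is_resp or (qtype_filter is not None and qtype != qtype_filter):
            continue
        stats[server]["rcodes"][RCODE_NAMES.get(rcode, str(rcode))] += 1
        stats[server]["rtts_ms"].append((t_r - t_q) * 1000.0)
    result = {}
    for server, s in stats.items():
        total = sum(s["rcodes"].values())
        result[server] = {
            "rcodes": dict(s["rcodes"]),
            "avg_rtt_ms": sum(s["rtts_ms"]) / len(s["rtts_ms"]),
            "servfail_ratio": s["rcodes"].get("SERVFAIL", 0) / total,
        }
    return result


# Constructed sample capture (not real customer data): 192.0.2.1 answers NAPTR
# in ~0.5 ms with SERVFAIL, 192.0.2.2 answers NOERROR in ~4 ms. The final pair
# is an A query and is excluded when filtering on NAPTR.
SAMPLE_PAIRS = [
    ("192.0.2.1", 0.0, 0.0005, build_response(0x1001, "example.com", QTYPE_NAPTR, 2)),
    ("192.0.2.1", 1.0, 1.0005, build_response(0x1002, "example.com", QTYPE_NAPTR, 2)),
    ("192.0.2.1", 2.0, 2.0005, build_response(0x1003, "example.net", QTYPE_NAPTR, 2)),
    ("192.0.2.2", 3.0, 3.0040, build_response(0x1004, "example.com", QTYPE_NAPTR, 0)),
    ("192.0.2.2", 4.0, 4.0040, build_response(0x1005, "example.net", QTYPE_NAPTR, 0)),
    ("192.0.2.1", 5.0, 5.0005, build_response(0x1006, "example.com", QTYPE_A, 0)),
]

if __name__ == "__main__":
    for server, s in sorted(summarize(SAMPLE_PAIRS, QTYPE_NAPTR).items()):
        print(f"{server}: {s['rcodes']} avg_rtt={s['avg_rtt_ms']:.2f} ms "
              f"servfail_ratio={s['servfail_ratio']:.2f}")
```

A server that is fastest by RTT yet returns SERVFAIL for every NAPTR query shows up immediately in this summary, which is the evidence worth attaching when raising the selection question.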
