Maintained by: NLnet Labs

[Unbound-users] SERVFAIL for an abbreviated TLD local zone

martin f krafft
Sun Dec 7 20:52:06 CET 2014

Hey folks,

I am a bit baffled by the following problem and seek your advice.

I am on a LAN and is running unbound
1.4.17-3+deb7u1. It is a recursive resolver, except that the zone
"gern" is forwarded to ::1 on the host, where nsd3 runs and resolves
them ("gern" is actually a 1:1 copy of, but I am
using the abbreviated zone internally).

This works just fine and all hosts on the LAN are happy.

I also have a laptop running unbound 1.4.22-2 (because I often need
to add local-zones and I have a few kvm instances on the host).
resolvconf configures unbound to use as a forwarder,
and this also works just fine for all global domains, e.g.

  % grep nameserver /etc/resolv.conf

  % host | wc -l

  % ping -nc1
  PING ( 56(84) bytes of data.
  64 bytes from icmp_seq=1 ttl=53 time=265 ms

For the purpose of solving the problem at hand, I have reduced the
config to only have one directive:

  auto-trust-anchor-file: "/var/lib/unbound/root.key"

The problem is that any requests for the abbreviated "gern" zone

  % host julia.gern
  Host julia.gern not found: 2(SERVFAIL)

but they work fine when addressed directly at the LAN DNS server:

  % host julia.gern
  julia.gern has address
  julia.gern has IPv6 address 2001:a60:f0fb:0:9eb6:54ff:fe0b:e5e4

Do you have any idea why unbound is failing on the abbreviated zone

I fI remove the auto-trust-anchor-file config directive, it works,
so it seems this is DNSSEC-related (none of my zones are signed
yet). Can someone enlighten me and help em understand what's going

What's the best way to solve this?


@martinkrafft | |
"it always takes longer than you expect, even when
 you take into account hofstadter's law."
                                                 -- douglas hofstadter
spamtraps: madduck.bogus at