Maintained by: NLnet Labs

Unbound not always resolving immediately after start.

Daisuke HIGASHI
Mon Sep 14 14:15:18 CEST 2015


Hi,

SERVFAIL on tweakers.net seems to be from fix on CVE-2014-8500.
This fix essentially limits number of query (to authoritative servers)
to resolve target qname. If a qname requires many query to resolve
it becomes SERVFAIL This situation often occurs when cache is empty
(e.g. just after starting unbound or cache flush)

bind-users have discussed same issue last year:
  https://lists.isc.org/pipermail/bind-users/2014-December/thread.html

Possible workarounds are to increase MAX_TARGET_COUNT
(iterator/iterator.h) to relax number of query limitation but it may
reduce robustness against CVE-2014-8500-related attack.

Regards,
--
Daisuke HIIGASHI


2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users
<unbound-users at unbound.net>:
> Hi,
>
> Under FreeBSD I'm setting up a resolv-only unbound server. While testing
> I've noticed some domain do not resolve (server returns SERVFAIL)