Maintained by: NLnet Labs

New forward zone records only on restart

W.C.A. Wijngaards
Thu Apr 7 09:07:36 CEST 2016


Hi Scott,

The neg-cache-size does not do what you want, it caches DNSSEC
information, for DS lookups.  So changing it won't fix your problem.

Did you try to dig +cdflag?  Does the servfail disappear?  If so, you
have a DNSSEC problem.  Set val-log-level: 2 in your unbound.conf and
it'll print out a validator error.

You have forward statements, but really, to contact authority servers
you should use stub statements.  An improvement, unlikely the bug.

Do you need domain-insecure for the internal zones?  You have it for the
reverse zone but not your own?

If not, such servfails are only cached very briefly.  Wait a couple
seconds, set verbosity to 4 on unbound, and dig at it.  Those logs then
tell you what unbound is seeing, including wire 'dig like' output of
what it gets from your authority servers.

Best regards, Wouter

On 07/04/16 04:53, John (Scott) Crooks via Unbound-users wrote:
> I don't have it explicitly defined, so it's the default at
> `neg-cache-size: 1m`. You recommend to set it to `0` and not cache any
> of the failed queries?
> 
> On Wed, Apr 6, 2016 at 2:00 PM, Eduardo Schoedler <listas at esds.com.br> wrote:
> 
>     negative-cache perhaps?
> 
>     --
>     Eduardo Schoedler
> 
>     2016-04-06 16:31 GMT-03:00 John (Scott) Crooks via Unbound-users
>     <unbound-users at unbound.net>:
>     > Greetings,
>     >
>     > I'm using Unbound as a recursing DNS server in our company office
>     > infrastructure. Here is the link to my `unbound.conf` file:
>     > https://gist.github.com/sc250024/5874948dceac674df53579c2a13d051d
>     >
>     > The `forward-zone` entries point to two PowerDNS servers that are
>     > authoritative for those domains listed in the configuration. Both
>     > PowerDNS servers are using a typical MySQL backend, and they are in a
>     > Master-Slave configuration.
>     >
>     > I notice that when I add new records to the authoritative servers,
>     > Unbound does not successfully resolve these records UNTIL I restart
>     > the Unbound daemon. In other words:
>     >
>     > `dig @10.0.32.6 somenewrecord.infra.company.com` <<-- Works since
>     > I'm querying the authoritative server directly
>     > `dig somenewrecord.infra.company.com` <<-- Returns a SERVFAIL until
>     > I restart the Unbound daemon
>     >
>     > Is this typical behavior? What am I doing wrong?
>     >
>     > --
>     > Scott Crooks
> 
> -- 
> 
> Scott Crooks | DevOps Engineer
> 
> 971.266.9761 |
> 
> scott.crooks at vacasa.com
> 
> vacasa.com
> 
> Vacation rentals made easy®
> 
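The reply above suggests one concrete check: repeat the failing query with `dig +cdflag` (checking disabled) and see whether the SERVFAIL goes away, which separates a DNSSEC validation failure from an upstream or forwarding problem. The script below is an added example, not part of the thread or of Unbound itself; it parses the `status:` field of dig's header line and classifies the pair of results. The dig output embedded in it is constructed sample text, and `somenewrecord.example.internal` in the comments is a placeholder name.

```shell
#!/bin/sh
# Added example: classify a SERVFAIL by comparing a normal (validating) query
# with the same query sent with +cdflag. Not code from the mailing-list thread.

# Extract the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
# dig prints it on the ";; ->>HEADER<<- opcode: ..., status: ..., id: ..." line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Decide what a SERVFAIL means from the two RCODEs.
#   $1 = status of the normal query (validation on)
#   $2 = status of the same query with +cdflag (validation off)
classify_servfail() {
    case "$1/$2" in
        # CD did not help: the resolver cannot get an answer at all, so look at
        # forwarding/stub configuration and the verbosity 4 logs, not at DNSSEC.
        SERVFAIL/SERVFAIL) echo "upstream-or-forwarding-problem" ;;
        # Data is reachable but the validator rejects it: set val-log-level: 2
        # and check whether the zone needs a domain-insecure statement.
        SERVFAIL/*)        echo "dnssec-validation-failure" ;;
        */*)               echo "no-servfail" ;;
    esac
}

# Constructed sample dig output (header lines only; real dig prints more).
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Run the classification over the constructed samples.
demo() {
    normal=$(printf '%s\n' "$SAMPLE_NORMAL" | dig_status)
    cdstatus=$(printf '%s\n' "$SAMPLE_CD" | dig_status)
    classify_servfail "$normal" "$cdstatus"
}

# Live use against a real resolver (placeholder name, assumed for illustration):
#   n=$(dig somenewrecord.example.internal | dig_status)
#   c=$(dig +cdflag somenewrecord.example.internal | dig_status)
#   classify_servfail "$n" "$c"
demo
```

On the constructed samples the script prints `dnssec-validation-failure`, the case in which the next step from the thread is `val-log-level: 2` in unbound.conf. If both queries return SERVFAIL, the validator is not the cause and the `verbosity: 4` log, which shows the wire-format replies Unbound receives from the authority servers, is the place to look.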

