Maintained by: NLnet Labs

unbound resolving results in DNSSEC LAME / SERVFAIL… why?

martin f krafft
Tue Feb 9 07:55:06 CET 2016


Hello,

I am a bit baffled by the following problem. Running unbound 1.4.17
on a Debian machine, at irregular but frequent intervals, the
nameservers for madduck.net will be marked "lame". As a result,
names under madduck.net cannot be resolved.

At the same time, running dig +dnssec gives the expected results,
and it all seems proper.

Usually, the problem resolves itself after a bit of time, or after
clearing the infra cache, suggesting that the problem is
intermittent. But the madduck.net nameservers are certainly not
"lame", and their DNSSEC data is being refreshed according to
schedule.

Here is the verb=3 output from the unbound daemon:

  unbound: [2334:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
  unbound: [2334:0] info: iterator operate: query madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] info: processQueryTargets: madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] info: sending query: madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] debug: sending to target: <madduck.net.> 188.174.253.164#53
  unbound: [2334:0] debug: cache memory msg=2139671 rrset=3313082 infra=1892023 val=221731
  unbound: [2334:0] info: timeouts, concluded that connection to host drops EDNS packets 188.174.253.164 port 53
  unbound: [2334:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
  unbound: [2334:0] info: iterator operate: query madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] info: sanitize: removing extraneous answer RRset: smtp.h.madduck.net. A IN
  unbound: [2334:0] info: response for madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] info: reply from <madduck.net.> 188.174.253.164#53
  unbound: [2334:0] info: query response was DNSSEC LAME
  unbound: [2334:0] info: processQueryTargets: madduck-net.smtp.madduck.net. A IN
  unbound: [2334:0] debug: out of query targets -- returning SERVFAIL
  unbound: [2334:0] debug: return error response SERVFAIL

Can anyone make sense of what might be going on?

Thank you,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"we all know linux is great...
 it does infinite loops in 5 seconds."
                                                   -- linus torvalds
 
spamtraps: madduck.bogus at madduck.net
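
The following script is an added example, not part of the original post and not Unbound's own code. It attributes each "DNSSEC LAME" verdict in verbosity-3 output to the upstream address in the preceding "reply from" line of the same thread, and records whether unbound had earlier concluded that this address drops EDNS packets, the two messages that appear together in the log above. The function name and the last two sample lines (192.0.2.53, example.org) are constructed for illustration.

```python
import re

# Message formats as they appear in the verbosity-3 output quoted in the post.
THREAD = r"\[(?P<thread>\d+:\d+)\]"
EDNS_DROP = re.compile(THREAD + r" info: timeouts, concluded that connection to host "
                       r"drops EDNS packets (?P<ip>\S+) port (?P<port>\d+)")
REPLY_FROM = re.compile(THREAD + r" info: reply from <(?P<zone>[^>]*)> "
                        r"(?P<ip>[^#\s]+)#(?P<port>\d+)")
LAME = re.compile(THREAD + r" info: query response was DNSSEC LAME")

# Background fact: DNSSEC records are requested with the DO bit, which lives in
# the EDNS OPT record, so a query sent without EDNS cannot ask for signatures.


def correlate(lines):
    """Map each upstream IP marked DNSSEC LAME to its zone, the log lines of the
    verdicts, and the line of an earlier EDNS-drop conclusion (None if absent)."""
    edns_drop = {}    # ip -> line number of the first EDNS-drop conclusion
    last_reply = {}   # thread id -> (zone, ip) of the most recent reply
    report = {}
    for n, line in enumerate(lines, 1):
        if m := EDNS_DROP.search(line):
            edns_drop.setdefault(m["ip"], n)
        elif m := REPLY_FROM.search(line):
            last_reply[m["thread"]] = (m["zone"], m["ip"])
        elif (m := LAME.search(line)) and m["thread"] in last_reply:
            zone, ip = last_reply[m["thread"]]
            entry = report.setdefault(
                ip, {"zone": zone, "edns_drop_line": None, "lame_lines": []})
            if entry["edns_drop_line"] is None:
                entry["edns_drop_line"] = edns_drop.get(ip)
            entry["lame_lines"].append(n)
    return report


# Lines 1-4 are taken from the post; lines 5-6 are constructed as a contrast case.
SAMPLE = """\
unbound: [2334:0] debug: sending to target: <madduck.net.> 188.174.253.164#53
unbound: [2334:0] info: timeouts, concluded that connection to host drops EDNS packets 188.174.253.164 port 53
unbound: [2334:0] info: reply from <madduck.net.> 188.174.253.164#53
unbound: [2334:0] info: query response was DNSSEC LAME
unbound: [2334:1] info: reply from <example.org.> 192.0.2.53#53
unbound: [2334:1] info: query response was DNSSEC LAME
""".splitlines()

if __name__ == "__main__":
    for ip, e in correlate(SAMPLE).items():
        cause = (f"after EDNS-drop conclusion at line {e['edns_drop_line']}"
                 if e["edns_drop_line"] else "no EDNS-drop conclusion seen")
        print(f"{ip} ({e['zone']}) DNSSEC LAME at lines {e['lame_lines']}: {cause}")
```
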