[Unbound-users] Strange SERVFAIL from unbound
Aaron Hopkins
lists at die.net
Fri Nov 14 10:21:30 UTC 2008
Unbound-users,
While experimenting with replacing dnscache with unbound, approximately
daily I've run into a strange situation where unbound 1.0.2 only answers
requests for zen.spamhaus.org RBL lookups with SERVFAIL for roughly half an
hour, then goes back to working normally.
I upped the verbosity and caught this in action. Hopefully this is the
right log section, as this is a fairly active mail server.
I noticed that unbound only logs IPv6 addresses here, yet this machine isn't
IPv6-capable. Are all IPv4 addresses expiring and it is refusing to fetch new
ones for some reason? Is this some interesting interaction with "do-ip6: no"
and "harden-glue: yes", maybe?
Syslog output (all in the same second, so I stripped the time, etc):
info: validator operate: query <2.0.0.127.zen.spamhaus.org. TXT IN>
info: resolving <2.0.0.127.zen.spamhaus.org. TXT IN>
info: DelegationPoint<zen.spamhaus.org.>: 22 names (0 missing), 22 addrs (0 result, 22 avail)
info: 8.ns.spamhaus.org.*
info: 3.ns.spamhaus.org.*
info: 1.ns.spamhaus.org.*
info: 0.ns.spamhaus.org.*
info: y.ns.spamhaus.org.*
info: x.ns.spamhaus.org.*
info: t.ns.spamhaus.org.*
info: s.ns.spamhaus.org.*
info: r.ns.spamhaus.org.*
info: q.ns.spamhaus.org.*
info: o.ns.spamhaus.org.*
info: m.ns.spamhaus.org.*
info: l.ns.spamhaus.org.*
info: k.ns.spamhaus.org.*
info: i.ns.spamhaus.org.*
info: h.ns.spamhaus.org.*
info: g.ns.spamhaus.org.*
info: f.ns.spamhaus.org.*
info: d.ns.spamhaus.org.*
info: c.ns.spamhaus.org.*
info: b.ns.spamhaus.org.*
info: a.ns.spamhaus.org.*
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: resolving (init part 2): <2.0.0.127.zen.spamhaus.org. TXT IN>
info: resolving (init part 3): <2.0.0.127.zen.spamhaus.org. TXT IN>
info: processQueryTargets: <2.0.0.127.zen.spamhaus.org. TXT IN>
info: DelegationPoint<zen.spamhaus.org.>: 22 names (0 missing), 22 addrs (0 result, 22 avail)
info: 8.ns.spamhaus.org.*
info: 3.ns.spamhaus.org.*
info: 1.ns.spamhaus.org.*
info: 0.ns.spamhaus.org.*
info: y.ns.spamhaus.org.*
info: x.ns.spamhaus.org.*
info: t.ns.spamhaus.org.*
info: s.ns.spamhaus.org.*
info: r.ns.spamhaus.org.*
info: q.ns.spamhaus.org.*
info: o.ns.spamhaus.org.*
info: m.ns.spamhaus.org.*
info: l.ns.spamhaus.org.*
info: k.ns.spamhaus.org.*
info: i.ns.spamhaus.org.*
info: h.ns.spamhaus.org.*
info: g.ns.spamhaus.org.*
info: f.ns.spamhaus.org.*
info: d.ns.spamhaus.org.*
info: c.ns.spamhaus.org.*
info: b.ns.spamhaus.org.*
info: a.ns.spamhaus.org.*
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
Here's the dig that produced that query:
; <<>> DiG 9.2.4 <<>> 2.0.0.127.zen.spamhaus.org txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16072
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org. IN TXT
"dig zen.spamhaus.org ns" also produces SERVFAIL.
And here's the non-comment portion of my config (with some IPs replaced):
server:
verbosity: 2
statistics-interval: 3600
num-threads: 2
interface: 1.2.3.4
interface: 127.0.0.1
outgoing-range: 256
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
access-control: 127.0.0.0/8 allow
access-control: 1.2.3.0/26 allow
access-control: 192.168.84.0/24 allow
chroot: "/var/unbound"
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/unbound/unbound.pid"
hide-version: yes
target-fetch-policy: "3 2 1 0 0"
harden-glue: yes
do-not-query-address: 127.0.0.0/8
do-not-query-address: 10.0.0.0/8
do-not-query-address: 172.16.0.0/12
do-not-query-address: 192.168.0.0/16
Is there something I'm obviously doing wrong here? If not, is there any
more information I can provide?
Thanks!
-- Aaron
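
Added example, not part of the original message and not Unbound's own code: a Python check that groups each DelegationPoint dump in a verbosity-2 log and reports zones whose logged server addresses all fall in an address family that unbound.conf disables, which is the condition observed above. The "ip4" line format, the function names, and the example.org sample lines are assumptions.

```python
import re

# Line formats follow the syslog excerpt in the post; the "ip4" form is an
# assumption made by analogy with the "ip6" lines shown there.
DP_RE = re.compile(r"DelegationPoint<([^>]+)>: \d+ names \(\d+ missing\), \d+ addrs")
NAME_RE = re.compile(r"info:\s+\S+\.\*?\s*$")
ADDR_RE = re.compile(r"info:\s+(ip4|ip6) (\S+) port \d+")
CONF_RE = re.compile(r"^\s*(do-ip4|do-ip6):\s*(yes|no)\b", re.M)
# Constructed sample: first dump abbreviated from the post, second invented.
SAMPLE_LOG = """\
info: DelegationPoint<zen.spamhaus.org.>: 1 names (0 missing), 2 addrs (0 result, 2 avail)
info: a.ns.spamhaus.org.*
info: ip6 2001:7b8:3:1f:0:2:53:1 port 53 (len 28)
info: ip6 2001:7b8:3:1f:0:2:53:2 port 53 (len 28)
info: resolving (init part 2): <2.0.0.127.zen.spamhaus.org. TXT IN>
info: DelegationPoint<example.org.>: 1 names (0 missing), 1 addrs (0 result, 1 avail)
info: ns.example.org.*
info: ip4 192.0.2.53 port 53 (len 16)
""".splitlines()
SAMPLE_CONF = "server:\n  do-ip4: yes\n  do-ip6: no\n"

def enabled_families(conf_text):
    """Address families the config allows; both are assumed on when unset."""
    opts = {"do-ip4": "yes", "do-ip6": "yes", **dict(CONF_RE.findall(conf_text))}
    return {name[3:] for name, value in opts.items() if value == "yes"}

def delegation_points(lines):
    """Group each DelegationPoint dump with the addresses logged under it."""
    points, current = [], None
    for line in lines:
        if (m := DP_RE.search(line)):
            current = {"zone": m[1], "seen": []}
            points.append(current)
        elif current is not None and (a := ADDR_RE.search(line)):
            current["seen"].append((a[1], a[2]))
        elif not NAME_RE.search(line):
            current = None  # any other line ends the dump
    return points

def unusable_points(lines, conf_text):
    """Zones whose logged server addresses all belong to a disabled family."""
    fams = enabled_families(conf_text)
    return [(dp["zone"], len(dp["seen"]))
            for dp in delegation_points(lines)
            if dp["seen"] and not any(f in fams for f, _ in dp["seen"])]

if __name__ == "__main__":
    for zone, count in unusable_points(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{zone}: {count} addresses logged, none in an enabled family")
```
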