[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL
Paul Wouters
paul at xelerance.com
Sun Feb 20 19:17:13 UTC 2011
On Sun, 20 Feb 2011, Jan-Piet Mens wrote:
> The following queries, and their reply codes: (the order of queries
> appears to be irrelevant)
>
> dig @127.0.0.1 +dnssec test.jpmens.org -> ANSWER
> dig @127.0.0.1 +dnssec test.jpmens.org ANY -> ANSWER
>
> dig @127.0.0.1 +dnssec test.jpmens.org SSHFP -> SERVFAIL
> dig @127.0.0.1 +dnssec test.jpmens.org SSHFP -> ANSWER

That worked for me on the first attempt.

;; ANSWER SECTION:
test.jpmens.org. 120 IN SSHFP 2 1 C74B4801FD01A68834FF45BACFA114FC3B0C47AA
test.jpmens.org. 120 IN RRSIG SSHFP 8 3 120 20110303000000 20110217000000 50853 jpmens.org. TBq2RoNNMkRv5bnesvjUIsIVVi/Yv0WAiB5527r2v8G5kGpJcUks/Y54 S3ZMc+Ys35EKE+5aQQ7wplioA3Mv59XZu0jeYecQI+Z4sWT4CJyIag9j vs97WjGfBshG8GvUqMjRpPwfa0ITGvHcCnVwpDudH2G2hsJz6cOecqqZ kbw=
> dig @127.0.0.1 +dnssec test.jpmens.org A -> SERVFAIL
> dig @127.0.0.1 +dnssec test.jpmens.org SOA -> SERVFAIL

Those don't exist? And neither do any NS records?

> I've had to disable `harden-referral-path' because the NS RRset for
> jpmens.org isn't yet signed.

That should not matter. Hardening just queries multiple name servers for
the same data to make spoofing harder. It does not mandate dnssec.

I think your problem is with your zone?

Paul