[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL
Jan-Piet Mens
unbound at mens.de
Mon Feb 21 07:44:09 UTC 2011
Hello Paul,
>> dig @127.0.0.1 +dnssec test.jpmens.org A -> SERVFAIL
>> dig @127.0.0.1 +dnssec test.jpmens.org SOA -> SERVFAIL
>
> Those don't exist? And neither does any NS records?
The A exists, and BIND returns it. The SOA does not exist, and BIND
returns a NOERROR.
>> I've had to disable `harden-referral-path' because the NS RRset for
>> jpmens.org isn't yet signed.
>
> That should not matter. Hardening just queries multiple name servers for
> the same data to make spoofing harder. It does not mandate dnssec.
Thanks for the clarification.
> I think your problem is with your zone?
I don't think there is a problem with the zone, particularly because
a BIND replies correctly to these queries. If I restart Unbound, it
starts off by also replying correctly. I've just restarted and give it
dig @127.0.0.1 +dnssec test.jpmens.org a -> NOERROR
dig @127.0.0.1 +dnssec test.jpmens.org sshfp -> NOERROR
dig @127.0.0.1 +dnssec test.jpmens.org any -> SERVFAIL !
This is weird. Can it have something to do with the quite low TTL, which
is set to 120 on both A and SSHFP?
-JP