[Unbound-users] Unbound 1.4.8 returns sporadic SERVFAIL

Jan-Piet Mens unbound at mens.de
Mon Feb 21 07:44:09 UTC 2011

Hello Paul,

>>        dig @ +dnssec test.jpmens.org A        -> SERVFAIL
>>        dig @ +dnssec test.jpmens.org SOA      -> SERVFAIL
> Those don't exist? And neither does any NS records?

The A exists, and BIND returns it. The SOA does not exist, and BIND
returns a NOERROR.

>> I've had to disable `harden-referral-path' because the NS RRset for
>> jpmens.org isn't yet signed.
> That should not matter. Hardening just queries multiple name servers for
> the same data to make spoofing harder. It does not mandate dnssec.

Thanks for the clarification.

> I think your problem is with your zone?

I don't think there is a problem with the zone, particularly because
a BIND replies correctly to these queries. If I restart Unbound, It 
starts off by also replying correctly. I've just restarted and give it

        dig @ +dnssec test.jpmens.org a        -> NOERROR 
        dig @ +dnssec test.jpmens.org sshfp    -> NOERROR
        dig @ +dnssec test.jpmens.org any      -> SERVFAIL !

This is weird. Can it have something to do with the quite low TTL, which
is set to 120 on both A and SSHFP ?


More information about the Unbound-users mailing list