[Unbound-users] SERVFAIL for an abbreviated TLD local zone
martin f krafft
madduck at madduck.net
Sun Dec 7 19:52:06 UTC 2014
Hey folks,
I am a bit baffled by the following problem and seek your advice.
I am on a LAN and 192.168.14.1/24 is running unbound
1.4.17-3+deb7u1. It is a recursive resolver, except that the zone
"gern" is forwarded to ::1 on the host, where nsd3 runs and resolves
them ("gern" is actually a 1:1 copy of gern.madduck.net, but I am
using the abbreviated zone internally).
This works just fine and all hosts on the LAN are happy.
I also have a laptop running unbound 1.4.22-2 (because I often need
to add local-zones and I have a few kvm instances on the host).
resolvconf configures unbound to use 192.168.14.1 as a forwarder,
and this also works just fine for all global domains, e.g.
% grep nameserver /etc/resolv.conf
nameserver 127.0.0.1
% host debian.org | wc -l
11
% ping -nc1 debian.org
PING debian.org (128.31.0.62) 56(84) bytes of data.
64 bytes from 128.31.0.62: icmp_seq=1 ttl=53 time=265 ms
[…]
For the purpose of solving the problem at hand, I have reduced the
config to only have one directive:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
The problem is that any requests for the abbreviated "gern" zone
yield SERVFAIL.
% host julia.gern
Host julia.gern not found: 2(SERVFAIL)
but they work fine when addressed directly at the LAN DNS server:
% host julia.gern 192.168.14.1
julia.gern has address 192.168.14.2
julia.gern has IPv6 address 2001:a60:f0fb:0:9eb6:54ff:fe0b:e5e4
Do you have any idea why unbound is failing on the abbreviated zone
requests?
If I remove the auto-trust-anchor-file config directive, it works,
so it seems this is DNSSEC-related (none of my zones are signed
yet). Can someone enlighten me and help me understand what's going
on?
What's the best way to solve this?
Thanks!
--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
"it always takes longer than you expect, even when
you take into account hofstadter's law."
-- douglas hofstadter
spamtraps: madduck.bogus at madduck.net