serve-expired: "yes" and cache-min-ttl: 30 unsafe?

Ralph Dolmans ralph at
Thu Nov 15 10:13:45 UTC 2018

Hi Nick,

Sorry to hear Unbound has caused you problems. I'm trying to figure out
the reason of the observed SERVFAIL responses.

Was the serve-expired and cache-min-ttl configured on the Unbound
instance that has the forward configured, or the instance the queries
are forwarded to? Or both?

Any change the SERVFAILS were only for DNSSEC signed domains? Did you
had a change to see the reason for the SERVFAIL responses in the Unbound
log? Maybe the forwarder was returning expired DNSSEC signatures?

-- Ralph

On 25-10-18 09:10, Nick Urbanik via Unbound-users wrote:
> Dear Folks,
> Thank you for an excellent piece of software.
> I am puzzled by the behaviour of our multi-level DNS system which
> answered many queries for names having shorter TTLs with SERVFAIL.
> By multilevel, I mean clients talk to one server, which forwards to
> another, and for some clients, there is a third level of caching.
> So it was unwise to add:
> serve-expired: "yes"
> cache-min-ttl: 30
> to the server section of these DNS servers running unbound 1.6.8 on
> up to date RHEL 7?  Please could anyone cast some light on why this
> was so?  I will be spending some time examining the cause.
> If you need more information, please let me know.

More information about the Unbound-users mailing list