serve-expired: "yes" and cache-min-ttl: 30 unsafe?

Nick Urbanik nicku at nicku.org
Thu Nov 15 19:26:16 UTC 2018


Dear Ralph,

On 15/11/18 11:13 +0100, Ralph Dolmans via Unbound-users wrote:
>Sorry to hear Unbound has caused you problems. I'm trying to figure out
>the reason of the observed SERVFAIL responses.

Thank you.

>Was the serve-expired and cache-min-ttl configured on the Unbound
>instance that has the forward configured, or the instance the queries
>are forwarded to? Or both?

Both.

>Any chance the SERVFAILs were only for DNSSEC signed domains?

No, a particular name in our domain which is not signed often came
back with SERVFAIL after it expired from the cache.

>Did you have a chance to see the reason for the SERVFAIL responses in
>the Unbound log? Maybe the forwarder was returning expired DNSSEC
>signatures?

There were many SERVFAIL responses for queries for DS records.

>-- Ralph
>
>On 25-10-18 09:10, Nick Urbanik via Unbound-users wrote:
>> Dear Folks,
>> 
>> Thank you for an excellent piece of software.
>> 
>> I am puzzled by the behaviour of our multi-level DNS system which
>> answered many queries for names having shorter TTLs with SERVFAIL.
>> 
>> By multilevel, I mean clients talk to one server, which forwards to
>> another, and for some clients, there is a third level of caching.
>> 
>> So it was unwise to add:
>> serve-expired: "yes"
>> cache-min-ttl: 30
>> 
>> to the server section of these DNS servers running unbound 1.6.8 on
>> up to date RHEL 7?  Please could anyone cast some light on why this
>> was so?  I will be spending some time examining the cause.
>> 
>> If you need more information, please let me know.
-- 
Nick Urbanik             http://nicku.org           nicku at nicku.org
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
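Editor's note, added below the thread (this script is not from the thread or from the Unbound project). The discussion above distinguishes three things that look alike from a client: a plain SERVFAIL, an answer served from expired cache, and an answer whose RRSIGs have already expired on the way through a forwarding chain. The script probes each tier of such a chain for one name and summarises, per tier, the rcode, the smallest answer TTL and the earliest RRSIG expiration, so the three cases can be told apart. Assumptions not taken from the post: the tier addresses (127.0.0.1, 192.0.2.2, 192.0.2.3 here; set TIERS to your own), that `dig` is installed, and that Unbound 1.6.x answers from expired cache with a TTL of 0 when serve-expired is on.

```bash
#!/usr/bin/env bash
# Added example, not code from the mailing-list thread or from Unbound.
# Probe each resolver tier of a forwarding chain for one name and print
# "<rcode> <min_ttl> <earliest_rrsig_expiry>" plus a verdict per tier.
# TIERS is an assumption: client-facing, middle and upstream resolvers.
TIERS="${TIERS:-127.0.0.1 192.0.2.2 192.0.2.3}"

# Read `dig +noall +comments +answer +dnssec` output on stdin and print
# "<rcode> <min_ttl> <earliest_rrsig_expiry>" with "-" for anything absent.
classify_dig_output() {
    awk '
        # header line: ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234"
        /;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++) if ($i == "status:") { rc = $(i+1); sub(",", "", rc) }
        }
        /^;; ANSWER SECTION/ { inans = 1; next }
        /^$/                 { inans = 0 }
        # answer RR: name ttl class type rdata...
        inans && $1 !~ /^;/ && NF >= 5 {
            if (min == "" || $2 + 0 < min) min = $2 + 0
            # RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
            if ($4 == "RRSIG" && (sigexp == "" || $9 < sigexp)) sigexp = $9
        }
        END {
            printf "%s %s %s\n", (rc == "" ? "-" : rc), (min == "" ? "-" : min),
                                 (sigexp == "" ? "-" : sigexp)
        }
    '
}

# Turn one summary line into a verdict.  $2 is "now" as YYYYmmddHHMMSS (UTC),
# defaulting to the current time; RRSIG timestamps use the same format.
interpret() {
    local rcode ttl sigexp now
    set -- $1 "${2:-$(date -u +%Y%m%d%H%M%S)}"
    rcode=$1; ttl=$2; sigexp=$3; now=$4
    if   [ "$rcode" = "SERVFAIL" ];                               then echo "servfail"
    elif [ "$sigexp" != "-" ] && [ "$sigexp" -lt "$now" ];        then echo "expired-rrsig"
    elif [ "$ttl" = "0" ];                                        then echo "served-expired"   # assumption: TTL 0 marks serve-expired data in 1.6.x
    elif [ "$rcode" = "NOERROR" ];                                then echo "fresh"
    else                                                               echo "other:$rcode"
    fi
}

# probe <server> <name> [type]: query one tier with the DO bit set so RRSIGs are returned.
probe() {
    dig @"$1" "$2" "${3:-A}" +dnssec +noall +comments +answer | classify_dig_output
}

# probe_all <name> [type]: one line per tier.
probe_all() {
    local t s
    for t in $TIERS; do
        s=$(probe "$t" "$1" "${2:-A}")
        printf '%-16s %-32s %s\n' "$t" "$s" "$(interpret "$s")"
    done
}

# Only hit the network when a name is given on the command line.
if [ $# -gt 0 ]; then probe_all "$@"; fi
```

Usage: `./probe.sh www.example.org` for the name that kept failing, and `./probe.sh example.org DS` for the DS lookups mentioned above. A tier that reports `expired-rrsig` while the tier behind it reports `fresh` is a sign that cached data outlived its signatures somewhere in the chain; a tier that reports `served-expired` is handing out TTL-0 data from its own cache. Run `unbound-checkconf` after any change to the server sections.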