serve-expired: "yes" and cache-min-ttl: 30 unsafe?

Nick Urbanik nicku at
Sun Oct 28 19:20:17 UTC 2018

Dear Folks,

On 25/10/18 18:10 +1100, Nick Urbanik via Unbound-users wrote:
>I am puzzled by the behaviour of our multi-level DNS system which
>answered many queries for names having shorter TTLs with SERVFAIL.

I mean that SERVFAILs went up to 50% of replies, and current names
with TTLs of around 300 failed to be fetched by the resolver, the last
DNS servers in the chain.  What I mean is that adding these two
configuration options (serve-expired: "yes" and cache-min-ttl: 30)
caused an outage.  I am trying to understand why.

Any ideas in understanding the mechanism would be very welcome.

>By multilevel, I mean clients talk to one server, which forwards to
>another, and for some clients, there is a third level of caching.
>So it was unwise to add:
>serve-expired: "yes"
>cache-min-ttl: 30
>to the server section of these DNS servers running unbound 1.6.8 on
>up to date RHEL 7?  Please could anyone cast some light on why this
>was so?  I will be spending some time examining the cause.
>If you need more information, please let me know.
Nick Urbanik              nicku at
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24

More information about the Unbound-users mailing list