Unbound can't resolve certain domains

Fri Oct 18 09:32:04 UTC 2019

Hi,

just another data point and no final conclusion: we're running BIND
as recursors, and have also received reports that lookup of various
names under FreeBSD.org intermittently fails.  I've seen reports
about failing queries for at least

bugs.freebsd.org / a
_http._tcp.freebsd.org / srv

Our recursors run with DNSSEC validation enabled, and don't have any
"general problems with DNSSEC".

Passing either of those names above to the machinery at
https://dnsviz.net reveals no problems per se with the DNSSEC setup
for freebsd.org.  The only oddity I can find (this isn't really an
error), is that none of the zones where the name servers serving
freebsd.org are registered are DNSSEC-secured:

freebsd.org.            3600    IN      NS      ns2.isc-sns.com.
freebsd.org.            3600    IN      NS      ns3.isc-sns.info.
freebsd.org.            3600    IN      NS      ns1.isc-sns.net.

is the NS-set, but neither isc-sns.com. isc-sns.info nor isc-sns.net
are DNSSEC-secured (there is no DS record in the parent zone).

However, running this small script:

----------snip
#! /bin/sh

qn=bugs.freebsd.org.
# or point explicitly...
recursor=$(awk '/nameserver/{ print $2; exit; }' /etc/resolv.conf)

while true; do
        out=$(dig @$recursor $qn a)
        if ! expr "$out" : ".*, status: NOERROR" >/dev/null; then
                echo
                echo "$out"
                exit 1
        fi
        echo -n .
        sleep 30
done
----------snip

fails relatively quickly for me:

% ./check-bugs-freebsd-org.sh
..................

; <<>> DiG 9.10.5-P1 <<>> @2001:700:xx:xx::ca53 bugs.freebsd.org. a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bugs.freebsd.org.              IN      A

;; Query time: 3989 msec
;; SERVER: 2001:700:xx:xx::ca53#53(2001:700:xx:xx::ca53)
;; WHEN: Fri Oct 18 10:21:36 CEST 2019
;; MSG SIZE  rcvd: 45
%

The "query errors" log of BIND contains:

Oct 18 10:21:36 oliven named[20568]: client @0x7491477fb000 2001:700:x:0:xx:xx:xx:xx#51269 (bugs.freebsd.org): query failed (timed out) for bugs.freebsd.org/IN/A at query.c:6818
Oct 18 10:21:36 oliven named[20568]: client @0x7490e07fd000 a.b.c.d#54158 (bugs.freebsd.org): query failed (timed out) for bugs.freebsd.org/IN/A at query.c:6818

I also have a "dnscap" going, and I find this matches with these
queries:

10:21:32.961179 IP6 2001:700:x:0:xx:xx:xx:xx.51269 > 2001:700:xx:xx::ca53.53: 60387+ [1au] A? bugs.freebsd.org. (45)
10:21:33.971546 IP a.b.c.d.54158 > 158.38.0.168.53: 60387+ [1au] A? bugs.freebsd.org. (45)
10:21:34.019102 IP6 2001:700:xx:xx::ca53.56594 > 2001:5a0:10::1.53: 317% [1au] AAAA? ns2.isc-sns.com. (56)
10:21:34.019319 IP6 2001:700:xx:xx::ca53.53327 > 2001:5a0:10::1.53: 14440% [1au] A? ns3.isc-sns.info. (57)
10:21:36.949709 IP6 2001:700:xx:xx::ca53.53 > 2001:700:x:0:xx:xx:xx:xx.51269: 60387 ServFail 0/0/1 (45)
10:21:36.949747 IP 158.38.0.168.53 > a.b.c.d.54158: 60387 ServFail 0/0/1 (45)

It also seems that the queries to 2001:5a0:10::1 for ns2.isc-sns.com
and ns3.isc-sns.info went unanswered -- there's no further trace of
those query-IDs in the dnscap log.

It doesn't seem that the SERVFAIL is caused by DNSSEC validation
failure, at least.  The next candidate on the list is probably
(temporarily) unresponsive publishing name servers(?)

Best regards,

- Håvard