Getting SERVFAIL when trying to reach .co.il domains

Havard Eidnes he at uninett.no
Thu Dec 31 12:39:54 UTC 2020


> Using Unbound 1.9.0 on Raspberry Pi with Pihole.
>
> Since two days ago I cannot access .co.il domains, such as hwzone.co.il or
> ynet.co.il.

The analysis tool at https://dnsviz.net/ seems to indicate there's a
problem with the DNSSEC setup for both .IL and .CO.IL, ref.

https://dnsviz.net/d/hwzone.co.il/dnssec/

The recurring message seems to be that e.g. the DNSKEY RRset for .IL
includes a key with algorithm 13 (ECDSAP256SHA256), but no
corresponding RRSIG can be found, and the same for the .CO.IL domain.

Whether that should be a fatal error is another matter, it probably
should not, as long as there exists other keys where there exists a
matching RRSIG.  Newer unbound (e.g. 1.12.0) does not make this a
fatal error, and resolves those names just fine.

Regards,

- Håvard


More information about the Unbound-users mailing list