FreeBSD's bundled unbound answers SERVFAIL
Daniel Ryšlink
ryslink at dialtelecom.cz
Mon Feb 10 12:09:16 UTC 2020
Hello,
My bet would be that it's a phenomenon called "DNSSec death" caused by
improperly implemented key rotation. Often, the new keys signed by the
old keys are not published long enough in advance, and when the actual
rotation is performed, the trust chain is broken (the new keys are not
trusted by the resolver) and it answers SERVFAIL to every record in said
zone until the old DNSSec-related records expire from the cache.
It maybe a long shot without actual diagnosis done on the matter, but I
have encountered these symptoms before on domains with improperly
implemented DNS key management on their authoritative nameservers.
--
S pozdravem,
Daniel Ryšlink
On 10. 02. 20 12:02, Patrick M. Hausen via Unbound-users wrote:
> Hi all,
>
> we are experiencing weird failures for local unbound installations
> on FreeBSD. Under circumstances that we are not able to pinpoint
> yet, the service answers SERVFAIL for every single request
> including e.g. ". ns".
>
> unbound-control flush-negative or flush-bogus does not fix the
> problem, only a complete restart does so immediately.
> If we do not restart the service the problem vanishes again after
> some time between 12 and 90 minutes maximum.
>
> The version bundled seems to be 1.5.10.
>
> Is this a known problem in this somewhat older version?
> We could replace it with one from FreeBSD ports/packages.
>
> If not, how would one go about getting more diagnostic output?
>
> Thanks in advance,
> Patrick
More information about the Unbound-users
mailing list