FreeBSD's bundled unbound answers SERVFAIL

Daniel Ryšlink ryslink at dialtelecom.cz
Mon Feb 10 12:09:16 UTC 2020


Hello,

My bet would be that it's a phenomenon called "DNSSec death" caused by 
improperly implemented key rotation. Often, the new keys signed by the 
old keys are not published long enough in advance, and when the actual 
rotation is performed, the trust chain is broken (the new keys are not 
trusted by the resolver) and it answers SERVFAIL to every record in said 
zone until the old DNSSec-related records expire from the cache.

It may be a long shot without actual diagnosis done on the matter, but I 
have encountered these symptoms before on domains with improperly 
implemented DNS key management on their authoritative nameservers.

-- 
S pozdravem,
Daniel Ryšlink

On 10. 02. 20 12:02, Patrick M. Hausen via Unbound-users wrote:
> Hi all,
>
> we are experiencing weird failures for local unbound installations
> on FreeBSD. Under circumstances that we are not able to pinpoint
> yet, the service answers SERVFAIL for every single request
> including e.g. ". ns".
>
> unbound-control flush-negative or flush-bogus does not fix the
> problem, only a complete restart does so immediately.
> If we do not restart the service the problem vanishes again after
> some time between 12 and 90 minutes maximum.
>
> The version bundled seems to be 1.5.10.
>
> Is this a known problem in this somewhat older version?
> We could replace it with one from FreeBSD ports/packages.
>
> If not, how would one go about getting more diagnostic output?
>
> Thanks in advance,
> Patrick
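To make the rollover failure Daniel describes concrete, here is a small model of a validating resolver's DNSKEY cache across a key rollover. This is an added example, not code from the thread, from Unbound or from FreeBSD; the key tags, TTL and timestamps are constructed, and the model tracks only the cached DNSKEY RRset (a real resolver also caches RRSIGs and DS records, which lengthen the same window).

```python
"""
Toy model of a validating resolver during a DNSSEC key rollover.

Constructed example: a zone that starts signing with a new key before the
new DNSKEY has been visible for at least one DNSKEY TTL leaves resolvers
holding a cached DNSKEY RRset that lacks the signing key.  Every answer
from that zone then validates as bogus (SERVFAIL) until the stale DNSKEY
RRset expires from the cache or the cache is cleared.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Zone:
    dnskey_ttl: int          # TTL of the DNSKEY RRset, in seconds
    publish_time: int        # new key first appears in the DNSKEY RRset
    activate_time: int       # zone starts signing with the new key
    old_tag: int = 11111     # constructed key tags
    new_tag: int = 22222

    def dnskey_rrset(self, now: int) -> FrozenSet[int]:
        """Key tags present in the DNSKEY RRset served at time `now`."""
        tags = {self.old_tag}
        if now >= self.publish_time:
            tags.add(self.new_tag)
        return frozenset(tags)

    def signing_tag(self, now: int) -> int:
        """Key tag found in RRSIGs the zone serves at time `now`."""
        return self.new_tag if now >= self.activate_time else self.old_tag


@dataclass
class Resolver:
    zone: Zone
    cached_keys: Optional[FrozenSet[int]] = None
    cache_expires: int = -1

    def lookup(self, now: int) -> str:
        """Validate one answer from the zone at time `now`."""
        # Refresh the DNSKEY RRset only when the cached copy has expired.
        if self.cached_keys is None or now >= self.cache_expires:
            self.cached_keys = self.zone.dnskey_rrset(now)
            self.cache_expires = now + self.zone.dnskey_ttl
        if self.zone.signing_tag(now) in self.cached_keys:
            return "NOERROR"
        # RRSIG made by a key the resolver does not know: bogus -> SERVFAIL.
        return "SERVFAIL"

    def flush(self) -> None:
        """Drop the cached DNSKEY RRset (what a full restart would do)."""
        self.cached_keys = None
        self.cache_expires = -1


def worst_case_outage(zone: Zone) -> int:
    """Seconds of SERVFAIL seen by a resolver that cached the DNSKEY RRset
    just before the new key was published.  Zero when the new key was
    pre-published for at least one DNSKEY TTL before activation."""
    return max(0, zone.publish_time + zone.dnskey_ttl - zone.activate_time)


def simulate(zone: Zone, fetch_time: int, probe_times: List[int]) -> Dict[int, str]:
    """Resolver fetches DNSKEY at `fetch_time`, then answers queries at each probe time."""
    resolver = Resolver(zone)
    resolver.lookup(fetch_time)
    return {t: resolver.lookup(t) for t in probe_times}


if __name__ == "__main__":
    # Bad rollover: new key published at t=0, used for signing 10 minutes later,
    # while the DNSKEY RRset carries a one-hour TTL.
    bad = Zone(dnskey_ttl=3600, publish_time=0, activate_time=600)
    print("worst-case outage (s):", worst_case_outage(bad))      # 3000
    print(simulate(bad, fetch_time=-1, probe_times=[500, 700, 3598, 3599]))
    # Correct rollover: activation waits a full DNSKEY TTL after publication.
    good = Zone(dnskey_ttl=3600, publish_time=0, activate_time=3600)
    print("worst-case outage (s):", worst_case_outage(good))     # 0
```

With the constructed numbers the badly timed rollover leaves a resolver that refreshed the DNSKEY RRset just before publication answering SERVFAIL for 50 minutes, and the outage clears on its own once the cached RRset expires, which is the "vanishes after some time" behaviour from the original report; a full cache flush clears it immediately in the model. Waiting one full DNSKEY TTL between publishing and activating the new key reduces the window to zero.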

