FreeBSD's bundled unbound answers SERVFAIL

Patrick M. Hausen hausen at
Mon Feb 10 13:06:35 UTC 2020

Hi all,

> On 10.02.2020 at 13:09, Daniel Ryšlink via Unbound-users <unbound-users at> wrote:
> My bet would be that it's a phenomenon called "DNSSec death" caused by improperly implemented key rotation. Often, the new keys signed by the old keys are not published long enough in advance, and when the actual rotation is performed, the trust chain is broken (the new keys are not trusted by the resolver) and it answers SERVFAIL to every record in said zone until the old DNSSec-related records expire from the cache.

That would, to our knowledge, not be fixable by an unbound restart.
Plus, the problem is not limited to a particular zone or set of zones but applies
to *every* recursive request, including, as stated, one for the root servers: ". ns".

Kind regards
-- GmbH
Patrick M. Hausen

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500
info at

AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein

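The distinction Patrick draws above (a validation failure confined to one zone versus SERVFAIL for every recursive query, root NS included) can be checked directly from the resolver's answers. The script below is an added example, not code from the thread or from the unbound project: it sends the same query twice, once normally and once with the CD (checking disabled) bit set, and classifies the pair of response codes. SERVFAIL only without CD means the data exists but fails DNSSEC validation; SERVFAIL both ways means the resolver cannot resolve at all, which no key rollover explains. The resolver address 127.0.0.1:53, the UDP-only transport and the absence of EDNS are assumptions for the example.

```python
"""Added diagnostic (not from the thread): tell a DNSSEC validation failure
apart from a general resolution failure by comparing the RCODE of a query
sent with and without the CD (checking disabled) bit.

Assumptions (not stated in the thread): the resolver under test listens on
127.0.0.1:53 (change RESOLVER), plain UDP, no EDNS.
"""
import socket
import struct

RESOLVER = ("127.0.0.1", 53)   # assumption; point this at the host under test

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qtype: int, qid: int, cd: bool) -> bytes:
    """Build a minimal DNS query; the root name "." encodes as one zero byte."""
    flags = 0x0100          # RD: we want recursion
    if cd:
        flags |= 0x0010     # CD: ask the resolver to skip DNSSEC validation
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_rcode(response: bytes, expected_id: int) -> str:
    """Return the symbolic RCODE from a response header, checking the ID."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def classify(rcode_plain: str, rcode_cd: str) -> str:
    """Interpret the (without CD, with CD) pair of response codes.

    SERVFAIL without CD but NOERROR with CD: the answer exists but failed
    validation (the broken-rollover case). SERVFAIL both ways: the resolver
    cannot resolve at all, so validation is not what is failing.
    """
    if rcode_plain == "NOERROR":
        return "resolving and validating normally"
    if rcode_plain == "SERVFAIL" and rcode_cd == "NOERROR":
        return "DNSSEC validation failure (bogus data)"
    if rcode_plain == "SERVFAIL" and rcode_cd == "SERVFAIL":
        return "resolution failure unrelated to DNSSEC validation"
    return f"unexpected: plain={rcode_plain} cd={rcode_cd}"


def probe(qname: str = ".", qtype: int = 2, timeout: float = 3.0) -> str:
    """Send the two queries (NS for the root by default) and classify them."""
    results = {}
    for cd in (False, True):
        qid = 0x1234 + int(cd)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, qtype, qid, cd), RESOLVER)
            data, _ = s.recvfrom(4096)
        results[cd] = parse_rcode(data, qid)
    return classify(results[False], results[True])


if __name__ == "__main__":
    print(probe())
```

The same two-query check can be done by hand with `dig @127.0.0.1 . NS` and `dig @127.0.0.1 . NS +cd`. If the second query still returns SERVFAIL, look at the resolver's ability to reach upstream (outbound UDP/TCP, interface and access-control configuration) rather than at DNSSEC.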