FreeBSD's bundled unbound answers SERVFAIL
Patrick M. Hausen
hausen at punkt.de
Mon Feb 10 13:06:35 UTC 2020
Hi all,
> Am 10.02.2020 um 13:09 schrieb Daniel Ryšlink via Unbound-users <unbound-users at lists.nlnetlabs.nl>:
> My bet would be that it's a phenomenon called "DNSSec death" caused by improperly implemented key rotation. Often, the new keys signed by the old keys are not published long enough in advance, and when the actual rotation is performed, the trust chain is broken (the new keys are not trusted by the resolver) and it answers SERVFAIL to every record in said zone until the old DNSSec-related records expire from the cache.
That would to our knowledge not be fixable by an unbound restart.
Plus the problem is not limited to a particular zone or set of zones but applies
to *every* recursive request. Including, as stated, one for the root servers: ". ns".
Kind regards
Patrick
--
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
info at punkt.de
AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein