Unbound (sometimes) fails to resolve expired entries

Havard Eidnes he at uninett.no
Fri Jun 12 13:24:56 UTC 2020

> I'm running here unbound 1.9.0-2+deb10u2 (1.9.0 + 3 fixes on top).
> I added a TXT record for testing. That record resolves fine on the first
> query which is fetched from the upstream DNS-server. Once TTL of the
> record expires the record is fetched again and the TTL is 1h.
> Sometimes I see NXDOMAIN reply with the SOA record instead. Looking at
> the query time, unbound did something. Looking at the TTL, it appears
> that unbound thinks that this record does not exist based on DNSSEC.
> Here is a sample:
> | ;small._testentry.breakpoint.cc.        IN      TXT


seems to indicate there are NSEC3 entries in the breakpoint.cc
zone which deny the existence of the quoted name.


- Håvard
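
An added example, not part of the original message: how a validator decides that an NSEC3 record "covers" (denies) a name, using the RFC 5155 hash. The salt and iteration count used for the quoted name are assumptions, not the actual NSEC3PARAM values of breakpoint.cc; take the real ones from the zone's NSEC3PARAM record.

```python
import base64
import hashlib

# base32 (RFC 4648) alphabet mapped to the base32hex alphabet used by NSEC3
_B32_TO_HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def wire_name(name):
    """Canonical (lowercased) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) as a lowercase base32hex label."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def covers(owner_hash, next_hash, target_hash):
    """True if target falls strictly between an NSEC3 owner and its next hash.

    base32hex sorts like the raw hash, so string comparison is enough.
    The last record of the chain wraps around to the first one.
    """
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    return target_hash > owner_hash or target_hash < next_hash

if __name__ == "__main__":
    # Assumed parameters (empty salt, 0 extra iterations), for illustration only.
    h = nsec3_hash("small._testentry.breakpoint.cc", "-", 0)
    print("hashed owner label:", h)
    # Constructed NSEC3 interval that spans the whole hash space except 'h'
    # itself; with real data use the owner/next pair from the NXDOMAIN reply.
    print("covered:", covers("0" * 32, "v" * 32, h))
```

If the hash of the name (or of its next-closer name) falls inside an interval returned in the authority section, a validating resolver treats the NXDOMAIN as proven.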
