Unbound (sometimes) fails to resolve expired entries

Havard Eidnes he at uninett.no
Fri Jun 12 13:24:56 UTC 2020


> I'm running here unbound 1.9.0-2+deb10u2 (1.9.0 + 3 fixes on top).
>
> I added a TXT record for testing. That record resolves fine on the first
> query which is fetched from the upstream DNS server. Once the TTL of the
> record expires the record is fetched again and the TTL is 1h.
> Sometimes I see an NXDOMAIN reply with the SOA record instead. Looking at
> the query time, unbound did something. Looking at the TTL it appears
> that unbound thinks that this record does not exist based on DNSSEC.
>
> Here is a sample:
>
> | ;small._testentry.breakpoint.cc.        IN      TXT

https://dnsviz.net/d/small._testentry.breakpoint.cc/dnssec/

seems to indicate there are NSEC3 entries in the breakpoint.cc
zone which deny the existence of the quoted name.

Regards,

- Håvard
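To check for yourself what dnsviz reports, here is an added example (not code from this thread or from Unbound) of the NSEC3 arithmetic a validating resolver performs: RFC 5155 owner-name hashing, the strict interval test for whether a hash is "covered", and the closest-encloser NXDOMAIN proof of section 8.4. Since breakpoint.cc's real NSEC3 salt and iteration count are not in the thread, it uses the RFC 5155 Appendix A sample zone (salt aabbccdd, 12 iterations) as constructed input.

```python
import base64
import hashlib

# NSEC3 prints hashes in base32hex (RFC 4648 "Extended Hex"); map stdlib base32 onto it.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def _wire(name):
    """Canonical (lowercase) wire format of a dotted name, e.g. b'\\x07example\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in _labels(name)) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()

def covers(owner, nxt, h):
    """True if h lies strictly inside (owner, nxt); the last record wraps to the first."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def build_chain(names, salt, iterations):
    """Constructed test data: the sorted (owner, next) NSEC3 chain for a set of names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def proves_nxdomain(qname, zone, chain, salt, iterations):
    """RFC 5155 section 8.4: qname is denied if some ancestor (closest encloser) matches an
    owner while both the next-closer name and *.<closest encloser> are covered."""
    owners = {o for o, _ in chain}
    labels, depth = _labels(qname), len(_labels(qname)) - len(_labels(zone))
    if depth < 0:
        return False
    ce = next((i for i in range(depth + 1)
               if nsec3_hash(".".join(labels[i:]), salt, iterations) in owners), None)
    if ce is None or ce == 0:  # no provable encloser, or the name itself exists
        return False
    next_closer = nsec3_hash(".".join(labels[ce - 1:]), salt, iterations)
    wildcard = nsec3_hash("*." + ".".join(labels[ce:]), salt, iterations)
    return all(any(covers(o, n, h) for o, n in chain) for h in (next_closer, wildcard))

if __name__ == "__main__":
    # Constructed input: RFC 5155 Appendix A zone, salt aabbccdd, 12 iterations.
    salt, names = bytes.fromhex("aabbccdd"), ["example.", "a.example.", "ai.example.",
        "ns1.example.", "ns2.example.", "w.example.", "*.w.example.", "x.w.example.",
        "x.y.w.example.", "y.w.example.", "xx.example."]
    chain = build_chain(names, salt, 12)
    print("a.c.x.w.example. denied:", proves_nxdomain("a.c.x.w.example.", "example.", chain, salt, 12))
```

Running the same check against the owner and next-hash fields of the NSEC3 records Unbound returned (with the zone's own salt and iterations from those records) shows whether the NXDOMAIN it synthesized is actually backed by the chain.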

