Getting SERVFAIL when trying to reach domains

Daisuke HIGASHI daisuke.higashi at
Fri Jan 1 09:28:53 UTC 2021


"" and ".il"  (seemingly under DNSSEC algorithm rollover) have
several errors. Current versions of Unbound in default configuration
tolerate them, but in a specific configuration Unbound could make
fatal errors.

Assuming [1] is your configuration file, the offending line is:

>   harden-algo-downgrade: yes

"harden-algo-downgrade: no" (this is the current default value) makes
Unbound tolerant.


More information about the Unbound-users mailing list