Getting SERVFAIL when trying to reach .co.il domains

Daisuke HIGASHI daisuke.higashi at gmail.com
Fri Jan 1 09:28:53 UTC 2021


Hi,

".co.il" and ".il" (seemingly under DNSSEC algorithm rollover) have
several errors. Current versions of Unbound in the default configuration
tolerate them, but in a specific configuration Unbound could make
fatal errors.

Assuming [1] is your configuration file, the offending line is:

>   harden-algo-downgrade: yes

"harden-algo-downgrade: no" (this is the current default value) makes
Unbound tolerant.

[1] https://pastebin.com/ZAUVFVEF

