Getting SERVFAIL when trying to reach .co.il domains
Gil Levy
just.gil at gmail.com
Fri Jan 1 11:06:58 UTC 2021
Thanks, Daisuke.
However, I'm past that line. While I will change the settings as you kindly
suggested (thank you for that), I'm encountering other issues which disable
me from using Unbound.
I shot an email earlier today with the following:
>
> 1. Cannot open log file (despite it being configured in unbound.conf)
> 2. Cannot use the unbound-checkconf utility
>
> I provided a link to my config file at the bottom.
> Appreciate your help!
>
> Gil
>
>
> *pi at raspberrypi:/etc/unbound $ sudo systemctl status unbound*
> ● unbound.service - Unbound DNS resolver
> Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
> preset: enabled)
> Active: active (running) since Fri 2021-01-01 10:44:56 AEDT; 19min ago
> Process: 456 ExecStartPre=/usr/sbin/unbound-anchor -r
> /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
> status=0/SUCCESS)
> Main PID: 481 (unbound)
> Tasks: 1 (limit: 2063)
> CGroup: /system.slice/unbound.service
> └─481 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
>
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 198.41.0.4 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 192.33.4.12 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:dc3::35 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:500:1::53 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 2001:500:9f::42 port 53
> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
> libunbound[456:0] error: udp connect failed: Network is unreachable for
> 199.7.91.13 port 53
> Jan 01 10:44:56 raspberrypi unbound[481]: [1609458296] unbound[481:0] *error:
> Could not open logfile /var/log/unbound/unbound.log: No such file or
> directory*
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> notice: init module 0: validator
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> notice: init module 1: iterator
> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
> info: start of service (unbound 1.13.0).
>
> pi at raspberrypi:/var/log/unbound $ ls
> unbound.log
>
> pi at raspberrypi:/etc/unbound $ unbound-checkconf /etc/unbound/unbound.conf
> /etc/unbound/var/log/unbound: *No such file or directory*
> [1609459551] unbound-checkconf[1316:0] fatal error: logfile directory
> does not exist
>
> pi at raspberrypi:/etc/unbound $ ls
> root.hints root.key root.zone unbound.conf unbound_control.key
> unbound_control.pem unbound.log unbound.pid unbound_server.key
> unbound_server.pem
>
> *unbound.conf* here -> https://pastebin.com/ZAUVFVEF
>
Any ideas what I should do? I'm really lost here and would like to keep
using unbound.
Thanks in advance.
On Fri, 1 Jan 2021 at 20:29, Daisuke HIGASHI <daisuke.higashi at gmail.com>
wrote:
> Hi,
>
> ".co.il" and ".il" (seemingly under DNSSEC algorithm rollover) have
> several errors. Current versions of Unbound in default configuration
> tolerate them, but in a specific configuration Unbound could make
> fatal errors.
>
> Assuming [1] is your configuration file, the offending line is:
>
> > harden-algo-downgrade: yes
>
> "harden-algo-downgrade: no" (this is the current default value) makes
> Unbound tolerant.
>
> [1] https://pastebin.com/ZAUVFVEF
>