Getting SERVFAIL when trying to reach .co.il domains

Unbound unbound at tacomawireless.net
Fri Jan 1 11:23:34 UTC 2021


On 2021-01-01 03:06, Gil Levy via Unbound-users wrote:
> Thanks, Daisuke.
> 
> However, I'm past that line. While I will change the settings as you kindly
> suggested (thank you for that), I'm encountering other issues which disable
> me from using Unbound.
> I shot an email earlier today with the following:
> 
> 
>> 
>>    1. Cannot open log file (despite it being configured in unbound.conf)
>>    2. Cannot use the unbound-checkconf utility
>> 
>> I provided a link to my config file at the bottom.
>> Appreciate your help!
>> 
>> Gil
>> 
>> 
>> *pi@raspberrypi:/etc/unbound $ sudo systemctl status unbound*
>> ● unbound.service - Unbound DNS resolver
>>    Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor
>> preset: enabled)
>>    Active: active (running) since Fri 2021-01-01 10:44:56 AEDT; 19min ago
>>   Process: 456 ExecStartPre=/usr/sbin/unbound-anchor -r
>> /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited,
>> status=0/SUCCESS)
>>  Main PID: 481 (unbound)
>>     Tasks: 1 (limit: 2063)
>>    CGroup: /system.slice/unbound.service
>>            └─481 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
>> 
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 198.41.0.4 port 53
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 192.33.4.12 port 53
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 2001:dc3::35 port 53
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 2001:500:1::53 port 53
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 2001:500:9f::42 port 53
>> Jan 01 10:44:56 raspberrypi unbound-anchor[456]: [1609458296]
>> libunbound[456:0] error: udp connect failed: Network is unreachable for
>> 199.7.91.13 port 53
>> Jan 01 10:44:56 raspberrypi unbound[481]: [1609458296] unbound[481:0] 
>> *error:
>> Could not open logfile /var/log/unbound/unbound.log: No such file or
>> directory*
>> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
>> notice: init module 0: validator
>> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
>> notice: init module 1: iterator
>> Jan 01 10:44:57 raspberrypi unbound[481]: [1609458297] unbound[481:0]
>> info: start of service (unbound 1.13.0).
>> 
>> pi@raspberrypi:/var/log/unbound $ ls
>> unbound.log
>> 
>> pi@raspberrypi:/etc/unbound $ unbound-checkconf /etc/unbound/unbound.conf
>> /etc/unbound/var/log/unbound: *No such file or directory*
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I won't speak for all your woes. But this line (above) says it all.
On one hand you indicate your log file is located here:
>> pi@raspberrypi:/var/log/unbound $ ls
>> unbound.log
But apparently your unbound.conf file indicates it's here:
>> /etc/unbound/var/log/unbound

See the difference?
Are you running unbound in a chroot(8)?

>> [1609459551] unbound-checkconf[1316:0] fatal error: logfile directory
>> does not exist
>> 
>> pi@raspberrypi:/etc/unbound $ ls
>> root.hints  root.key  root.zone  unbound.conf  unbound_control.key
>>  unbound_control.pem  unbound.log  unbound.pid  unbound_server.key
>>  unbound_server.pem
>> 
>> *unbound.conf* here -> https://pastebin.com/ZAUVFVEF
>> 
> 
> Any ideas what I should do? I'm really lost here and would like to keep
> using unbound.
> 
> Thanks in advance.
> 
> On Fri, 1 Jan 2021 at 20:29, Daisuke HIGASHI <daisuke.higashi at gmail.com>
> wrote:
> 
>> Hi,
>> 
>> ".co.il" and ".il"  (seemingly under DNSSEC algorithm rollover) have
>> several errors. Current versions of Unbound in default configuration
>> tolerate them, but in a specific configuration Unbound could make
>> fatal errors.
>> 
>> Assuming [1] is your configuration file, the offending line is:
>> 
>> >   harden-algo-downgrade: yes
>> 
>> "harden-algo-downgrade: no" (this is the current default value) makes
>> Unbound tolerant.
>> 
>> [1] https://pastebin.com/ZAUVFVEF
>> 
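
The path mismatch pointed out in the reply above, worked through as an added example (not part of the original messages and not Unbound's own code). It models the path rules documented in unbound.conf(5) for chroot:, directory: and logfile:. The function names are hypothetical, and the chroot of /etc/unbound in the demo call is an assumption, since the thread does not confirm the poster's chroot setting.

```sh
#!/bin/sh
# Added example: simplified model of unbound.conf(5) path handling under chroot.

# conf_get FILE KEY: value of the last "KEY: value" line, comments and quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//' | tail -n 1
}

# effective_path CHROOT DIRECTORY PATH: where PATH lands, seen from the original root.
effective_path() {
    root=${1%/}; dir=${2%/}; path=$3
    case $path in
        /*) abs=$path ;;                     # absolute as written
        *)  abs=${dir:+$dir/}$path ;;        # relative to "directory:"
    esac
    if [ -z "$root" ]; then printf '%s\n' "$abs"; return; fi
    case $abs in
        "$root"/*) printf '%s\n' "$abs" ;;            # given from the original root
        *)         printf '%s\n' "$root/${abs#/}" ;;  # taken as inside the new root
    esac
}

# logfile_check CONF DEFAULT_CHROOT: print the effective logfile path and fail
# if its directory is missing. DEFAULT_CHROOT stands for the build-time default
# used when CONF has no "chroot:" line (an input here, not read from the binary).
logfile_check() {
    lf=$(conf_get "$1" logfile)
    [ -n "$lf" ] || return 0                 # no logfile configured
    if grep -Eq '^[[:space:]]*chroot:' "$1"; then
        cr=$(conf_get "$1" chroot)           # explicit value, "" disables chroot
    else
        cr=$2
    fi
    eff=$(effective_path "$cr" "$(conf_get "$1" directory)" "$lf")
    printf '%s\n' "$eff"
    [ -d "$(dirname "$eff")" ]
}

# The thread's case, with chroot assumed to be /etc/unbound:
effective_path /etc/unbound /etc/unbound /var/log/unbound/unbound.log
# prints /etc/unbound/var/log/unbound/unbound.log
```

Under this model the chroot can stay in place: either create the log directory beneath the chroot, or point logfile: at a path that already lives inside it.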

