unbound giving SERVFAIL behind OpenStack

[Felipe Gasper]

Hi all,

	I’m finding that from a VM in our OpenStack cluster if I `unbound-host` against an instance name of any VM, the query comes back SERVFAIL. When I do `unbound-host -dd $instance_name` I get a bit more detail:

-----
..snip..
[1621971918] libunbound[6945:0] info: processQueryTargets: servfail.cptest.tld. A IN
[1621971918] libunbound[6945:0] debug: request has exceeded the maximum number of sends with 33
[1621971918] libunbound[6945:0] debug: return error response SERVFAIL
[1621971918] libunbound[6945:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1621971918] libunbound[6945:0] info: validator operate: query servfail.cptest.tld. A IN
Host servfail.cptest.tld not found: 2(SERVFAIL).
-----

This is at the end of a chain of I guess 33 or so queries, each one apparently targeting a different DNS root server.

When I use any other name in the .tld domain, I get the expected NXDOMAIN response.

Unbound isn’t waiting any appreciable length of time before sending those other queries; just for some reason those specific names cause it to send tons of parallel queries. It looks like that MAX_SENT_COUNT isn’t configurable, so I’m wondering if there’s some undesirable behaviour here on Unbound’s part?

Thank you!

-FG