Problem with undead upstreams
Florian Streibelt
unboundlst at streibelt.net
Mon Feb 27 10:24:11 UTC 2023
Hi all,
I am new to unbound and this list, but was unable to find a solution for
my problem in the documentation and by searching.
My issue is a set of authoritative nameservers that host a domain a
customer tries to resolve.
Everything works fine, until we try to resolve a DS record within that
zone. All queries for DS are being ignored by the authoritatives of that
domain and just get dropped without any answer. Thus unbound marks all
of the servers unresponsive and will refuse to resolve anything within
that zone, although queries for other record types are happily answered
by the servers.
I assume there is no way to tell unbound to ignore failing DS queries
for the "liveness check" or as an emergency workaround filter DS queries
for a set of upstream servers?
Basically a combination of rpz matching the nameserver names and record
type would do the trick, but that unfortunately is not defined in the
rpz syntax and nothing similar seems to be implemented.
Using knot and its LUA support I was able to implement a workaround, but
ideally I don't want to manually keep lists of broken servers up to
date.
A feature or change in the way unbound decides that a server is
unresponsive would be a good solution in my opinion, e.g. when only DS
is dropped move to the next server and skip this one only for DS in the
future with a SERVFAIL or something, but as long as it responds with
A/AAAA or others don't remove it from the working set...
Happy for any hints on how to handle that case. Of course I am already
trying to reach out to the operators of the upstream servers.
Florian
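The failure mode described in the post (an authoritative server that answers A/AAAA but silently drops DS queries, so a resolver that uses a single liveness score counts it as dead) is easy to confirm with a per-record-type probe. The following is an added example written for this post; it is not code from the unbound project or from the original author. It builds minimal RFC 1035 wire-format queries, sends them through a pluggable transport, and reports, per server, which types time out and which are answered. The UDP transport is real; the server address 192.0.2.53 and the name example.net are constructed placeholders, and the inline "simulated" transport that drops DS is constructed so the example runs offline. Such a report separates "drops DS only" from "unresponsive", which is the evidence one would hand to the upstream operator.

```python
"""Per-record-type liveness probe for authoritative nameservers (added example)."""
import random
import socket
import struct
from typing import Callable, Dict, Optional, Set

# Record types relevant to the post: the ones that are answered and the one that is dropped.
QTYPE = {"A": 1, "AAAA": 28, "DS": 43}

# A transport takes (server_address, query_bytes) and returns the response bytes,
# or None when nothing came back before the timeout.
Transport = Callable[[str, bytes], Optional[bytes]]


def build_query(name: str, qtype: int, qid: int) -> bytes:
    """Build a minimal DNS query: header + one question, flags 0 (no RD, as for authoritatives)."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


def parse_header(resp: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header fields a liveness check cares about."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "ancount": an}


def udp_transport(timeout: float = 2.0) -> Transport:
    """Real transport: one UDP query on port 53, None on timeout."""
    def send(server: str, query: bytes) -> Optional[bytes]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                return None
        return data
    return send


def simulated_transport(dropped_types: Set[int]) -> Transport:
    """Constructed transport for offline use: drops the given QTYPEs, answers the rest (AA, NOERROR)."""
    def send(server: str, query: bytes) -> Optional[bytes]:
        (qid,) = struct.unpack(">H", query[:2])
        (qtype,) = struct.unpack(">H", query[-4:-2])  # QTYPE sits just before QCLASS at the end
        if qtype in dropped_types:
            return None  # silently dropped, exactly like the servers in the post
        flags = 0x8400  # QR=1, AA=1, RCODE=0
        return struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]
    return send


def probe(server: str, name: str, types, transport: Transport) -> Dict[str, str]:
    """Query one server for each type; record 'timeout', 'bogus' (id/QR mismatch) or 'rcode=N'."""
    results: Dict[str, str] = {}
    for t in types:
        qid = random.randrange(65536)
        resp = transport(server, build_query(name, QTYPE[t], qid))
        if resp is None:
            results[t] = "timeout"
            continue
        h = parse_header(resp)
        if h["id"] != qid or not h["qr"]:
            results[t] = "bogus"
        else:
            results[t] = "rcode=%d" % h["rcode"]
    return results


def classify(results: Dict[str, str]) -> str:
    """Collapse per-type results into the verdict a resolver would want to distinguish."""
    answered = {t for t, r in results.items() if r.startswith("rcode")}
    timed_out = {t for t, r in results.items() if r == "timeout"}
    if not timed_out:
        return "healthy"
    if not answered:
        return "unresponsive"
    return "partial: drops " + ",".join(sorted(timed_out))


if __name__ == "__main__":
    # Offline demonstration with a constructed server that drops only DS.
    r = probe("192.0.2.53", "example.net", ["A", "AAAA", "DS"], simulated_transport({QTYPE["DS"]}))
    print(r, "->", classify(r))
    # For a live check replace the transport with udp_transport() and a real server address.
```

Run the module as-is for the offline demonstration; to check a real upstream, swap `simulated_transport(...)` for `udp_transport()` and probe each server of the zone in turn. A server that classifies as "partial: drops DS" while others are "healthy" is the case the post describes and is worth a ticket to the operator, with the per-type table attached.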