Problem with undead upstrems
Stefan.Ubbink at sidn.nl
Mon Feb 27 12:37:29 UTC 2023
On Mon, 27 Feb 2023 11:24:11 +0100
Florian Streibelt via Unbound-users <unbound-users at lists.nlnetlabs.nl>
> Hi all,
> I am new to unbound and this list, but was unable to find a solution
> for my problem in the documentation and by searching.
> My issue is a set of authoritative nameservers that host a domain a
> customer tries to resolve.
> Everything works fine, until we try to resolve a DS record within
> that zone. All queries for DS are being ignored by the authoritatives
> of that domain and just get dropped without any answer. Thus unbound
> marks all of the servers unresponsive and will refuse to resolve
> anything within that zone, although queries for other record types
> are happily answered by the servers.
Did you have a look what https://dnsviz.net thinks of the domain?
> I assume there is no way to tell unbound to ignore failing DS queries
> for the "liveness check" or as an emergency workaround filter DS
> queries for a set of upstream servers?
You could try to add the domain with the domain-insecure option .
> Basically a combination of rpz matching the nameserver names and
> record type would to the trick, but that unfortunately is not defined
> in the rpz syntax and nothing similar seems to be implemented.
> Using knot and its LUA support I was able to implement a workaround,
> but ideally I don't want to manually keep lists of broken servers up
> to date.
> A feature or change in the way how unbound decides a server to be
> unresponsive would be a good solution in my opinion, e.g. when only
> DS is dropped move to the next server and skip this one only for DS
> in the future with a SERVFAIL or something, but as long as it respons
> with A/AAAA or others don't remove it from the working set...
This seems a bad idea, because it is a workaround for people who are
serving DNS with a broken setup.
I my opinion the domain should be broken when it is broken.
> Happy for any hints how to handle that case. Of course I am already
> trying to reach out to the operators of the upstream servers.
Without any information about the domain name itself, people can only
give general hints.
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Unbound-users