Problem with undead upstreams
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Mon Feb 27 12:37:29 UTC 2023
On Mon, 27 Feb 2023 11:24:11 +0100
Florian Streibelt via Unbound-users <unbound-users at lists.nlnetlabs.nl>
wrote:
> Hi all,
Hello Florian,
> I am new to unbound and this list, but was unable to find a solution
> for my problem in the documentation and by searching.
>
> My issue is a set of authoritative nameservers that host a domain a
> customer tries to resolve.
>
> Everything works fine, until we try to resolve a DS record within
> that zone. All queries for DS are being ignored by the authoritatives
> of that domain and just get dropped without any answer. Thus unbound
> marks all of the servers unresponsive and will refuse to resolve
> anything within that zone, although queries for other record types
> are happily answered by the servers.
Did you have a look at what https://dnsviz.net thinks of the domain?
> I assume there is no way to tell unbound to ignore failing DS queries
> for the "liveness check" or as an emergency workaround filter DS
> queries for a set of upstream servers?
You could try to add the domain with the domain-insecure option [1].
> Basically a combination of rpz matching the nameserver names and
> record type would do the trick, but that unfortunately is not defined
> in the rpz syntax and nothing similar seems to be implemented.
>
> Using knot and its LUA support I was able to implement a workaround,
> but ideally I don't want to manually keep lists of broken servers up
> to date.
>
> A feature or change in the way unbound decides that a server is
> unresponsive would be a good solution in my opinion, e.g. when only
> DS is dropped move to the next server and skip this one only for DS
> in the future with a SERVFAIL or something, but as long as it responds
> with A/AAAA or others don't remove it from the working set...
This seems a bad idea, because it is a workaround for people who are
serving DNS with a broken setup.
In my opinion the domain should be broken when it is broken.
> Happy for any hints how to handle that case. Of course I am already
> trying to reach out to the operators of the upstream servers.
Without any information about the domain name itself, people can only
give general hints.
[1]
https://nlnetlabs.nl/documentation/unbound/unbound.conf/#domain-insecure
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
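The asymmetry Florian describes (authoritatives answer A but silently drop DS) can be checked from the operator's side before touching the resolver configuration. The script below is an added example, not part of the thread and not Unbound's own tooling; it assumes `dig` from the BIND utilities is installed, and the zone and delegation names are placeholders.

```shell
#!/bin/sh
# Added diagnostic: probe each NS of a zone for A vs DS responsiveness.
# Assumes `dig` is available; zone/name arguments are example values.

# classify_dig_output: read dig output on stdin and print one word:
#   timeout   - dig got no answer at all (the "query is dropped" case)
#   <STATUS>  - the RCODE dig parsed from the response header
#   unknown   - output matched neither pattern
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo timeout; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -n "$status" ]; then echo "$status"; else echo unknown; fi
}

# probe_server SERVER NAME TYPE: one non-recursive query, short timeout,
# a single try, so a dropped query shows up as "timeout" quickly.
probe_server() {
    server=$1; name=$2; type=$3
    dig +time=2 +tries=1 +norecurse "@$server" "$name" "$type" 2>&1 | classify_dig_output
}

# check_zone ZONE CHILD: for every NS of ZONE, compare its behaviour for an
# A query on ZONE with a DS query for CHILD (a delegation inside ZONE), and
# flag servers that answer the former but drop the latter. Those are the
# ones a validating resolver will mark unresponsive after a DS lookup.
check_zone() {
    zone=$1; child=$2
    for ns in $(dig +short NS "$zone"); do
        a=$(probe_server "$ns" "$zone" A)
        ds=$(probe_server "$ns" "$child" DS)
        printf '%-40s A=%-9s DS=%s\n' "$ns" "$a" "$ds"
        if [ "$a" != timeout ] && [ "$ds" = timeout ]; then
            echo "  -> $ns answers A but drops DS"
        fi
    done
}

# Example invocation (placeholder names):
#   check_zone example.com sub.example.com
```

The classification step is deliberately separate from the network step so the parsing can be exercised on captured dig output without reaching any server.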