Problem with undead upstrems

Florian Streibelt unboundlst at
Mon Feb 27 14:45:23 UTC 2023

Am 2023-02-27 14:00, schrieb Havard Eidnes:
>> I am new to unbound and this list, but was unable to find a solution
>> for my problem in the documentation and by searching.
>> My issue is a set of authoritative nameservers that host a domain a
>> customer tries to resolve.
>> Everything works fine, until we try to resolve a DS record within that
>> zone. All queries for DS are being ignored by the authoritatives of
>> that domain and just get dropped without any answer. Thus unbound
>> marks all of the servers unresponsive and will refuse to resolve
>> anything within that zone, although queries for other record types are
>> happily answered by the servers.
> I suspect you are falling victim to one of the more odd and
> perhaps unexpected quirks of DNSSEC.
> The DS records for a given name are in fact not authoritative in
> the zone named by the owner name of the DS record, but are
> instead authoritative in the parent (delegating) zone(!)

I know that. But that is not my issue, in fact it is completely 
unrelated to DNSSEC.

It is just being triggered by querying DS records for certain domains 
via our unbound.

The upstream nameservers will drop DS queries on the network layer and 
not respond at all.

Our customer for some reason is sending DS queries to our unbound(s) for 
these domains.

Unbound then tries to query the servers and gets no response.

As a result it marks them all as unresponsive and then will not resolve 
any other records hosted on these nameservers, as they are internally 
marked as down, responding with a SERVFAIL until the timer is expired to 
re-query these servers.


More information about the Unbound-users mailing list