Problem with undead upstrems
Florian Streibelt
unboundlst at streibelt.net
Mon Feb 27 14:45:23 UTC 2023
Am 2023-02-27 14:00, schrieb Havard Eidnes:
>> I am new to unbound and this list, but was unable to find a solution
>> for my problem in the documentation and by searching.
>>
>> My issue is a set of authoritative nameservers that host a domain a
>> customer tries to resolve.
>>
>> Everything works fine, until we try to resolve a DS record within that
>> zone. All queries for DS are being ignored by the authoritatives of
>> that domain and just get dropped without any answer. Thus unbound
>> marks all of the servers unresponsive and will refuse to resolve
>> anything within that zone, although queries for other record types are
>> happily answered by the servers.
>
> I suspect you are falling victim to one of the more odd and
> perhaps unexpected quirks of DNSSEC.
>
> The DS records for a given name are in fact not authoritative in
> the zone named by the owner name of the DS record, but are
> instead authoritative in the parent (delegating) zone(!)
I know that. But that is not my issue, in fact it is completely
unrelated to DNSSEC.
It is just being triggered by querying DS records for certain domains
via our unbound.
The upstream nameservers will drop DS queries on the network layer and
not respond at all.
Our customer for some reason is sending DS queries to our unbound(s) for
these domains.
Unbound then tries to query the servers and gets no response.
As a result it marks them all as unresponsive and then will not resolve
any other records hosted on these nameservers, as they are internally
marked as down, responding with a SERVFAIL until the timer is expired to
re-query these servers.
Florian
More information about the Unbound-users
mailing list