Problem with undead upstreams

Havard Eidnes he at uninett.no
Mon Feb 27 15:22:09 UTC 2023


> I know that. But that is not my issue, in fact it is completely
> unrelated to DNSSEC.

Ah.

> It is just being triggered by querying DS records for certain domains
> via our unbound.
>
> The upstream nameservers will drop DS queries on the network layer and
> not respond at all.
>
> Our customer for some reason is sending DS queries to our unbound(s)
> for these domains.
>
> Unbound then tries to query the servers and gets no response.
>
> As a result it marks them all as unresponsive and then will not
> resolve any other records hosted on these nameservers, as they are
> internally marked as down, responding with a SERVFAIL until the timer
> is expired to re-query these servers.

I'm assuming your upstream name servers are providing recursive
service to you.  If that's the case, to me it then sounds like
the upstream name servers do not implement DNSSEC; refusing to
look up "unusual" / "new" record types is a violation of the
standard, I would think -- perhaps even irrespective of whether
they implement DNSSEC or not.

"Pick another upstream" would be my suggestion, if that's at all
feasible.  Either that, or do your own recursive resolution, and
don't rely on someone else bodging it for you :)

Regards,

- Håvard
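A quick way to confirm the behaviour described in the quoted message (upstream answers A but silently drops DS) is to send both query types to the forwarder and see which one times out. The probe below is an added example, not code from the thread or from Unbound; it hand-builds the DNS wire format so it needs nothing beyond the standard library, and the server address and name on the command line are placeholders you supply.

```python
"""Probe whether a forwarder answers DS queries or silently drops them.

Added example: builds minimal DNS queries on the wire, sends A and DS for
the same name to one server, and reports a verdict per query type.
"""
import random
import socket
import struct
from typing import Optional

QTYPE = {"A": 1, "DS": 43}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: str, qid: int = 0x1234) -> bytes:
    """Return a 1-question, RD=1 query for name/qtype in class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def classify(query: bytes, reply: Optional[bytes]) -> str:
    """Map a reply (None on timeout) to a short verdict string."""
    if reply is None:
        return "DROPPED"        # no packet at all: the failure mode in the thread
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "BOGUS"          # truncated header or ID mismatch
    (flags,) = struct.unpack("!H", reply[2:4])
    if not flags & 0x8000:
        return "BOGUS"          # QR bit not set: not a response
    rcode = flags & 0x000F
    return RCODE.get(rcode, f"RCODE{rcode}")


def probe(server: str, name: str, qtype: str, timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify what comes back."""
    q = build_query(name, qtype, random.randrange(1, 0xFFFF))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(q, reply)


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # placeholders, e.g. 192.0.2.53 example.com
    for t in ("A", "DS"):
        print(f"{name} {t:<2} via {server}: {probe(server, name, t)}")
```

An upstream that returns NOERROR for A but DROPPED for DS is exactly the one Unbound will mark as unresponsive for every record type, so a forwarder showing that pattern is the one to replace.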

