Problem with undead upstrems

Florian Streibelt unboundlst at
Mon Feb 27 15:31:14 UTC 2023

Am 2023-02-27 16:22, schrieb Havard Eidnes:
> I'm assuming your upstream name servers are providing recursive
> service to you.  If that's the case, to me it then sounds like
> the upstream name servers do not implement DNSSEC; refusing to
> look up "unusual" / "new" record types is a violation of the
> standard, I would think -- perhaps even irrespective of whether
> they implement DNSSEC or not.
> "Pick another upstream" would be my suggestion, if that's at all
> feasible.  Either that, or do your own recursive resolution, and
> don't rely on someone else bodging it for you :)

No, again that is not my issue.

All of the servers that operates are dropping queries for the 
Ressource Record Type DS.

They are the authoritative servers for as well as for the parent 
zone of the zone our customer wants to resolve and the zone itself.

We are providing recursion for our customer.

Our customer sends us DS queries, we try to query the respective servers 
but they will drop the queries silently which will make our unbound mark 
these servers as unresponsive and not query them any further.

When all authoritative servers for these domains are being marked 
unresponsive, our unbound will respond SRVFAIL to all queries that would 
be sent to those servers, making it impossible to resolve anything 
within zones hosted on those servers.


More information about the Unbound-users mailing list