Problem with undead upstreams
Florian Streibelt
unboundlst at streibelt.net
Mon Feb 27 15:31:14 UTC 2023
On 2023-02-27 16:22, Havard Eidnes wrote:
>
> I'm assuming your upstream name servers are providing recursive
> service to you. If that's the case, to me it then sounds like
> the upstream name servers do not implement DNSSEC; refusing to
> look up "unusual" / "new" record types is a violation of the
> standard, I would think -- perhaps even irrespective of whether
> they implement DNSSEC or not.
>
> "Pick another upstream" would be my suggestion, if that's at all
> feasible. Either that, or do your own recursive resolution, and
> don't rely on someone else bodging it for you :)
No, again that is not my issue.
All of the servers that dns.com operates are dropping queries for the
Resource Record Type DS.
They are the authoritative servers for dns.com as well as for the parent
zone of the zone our customer wants to resolve and the zone itself.
We are providing recursion for our customer.
Our customer sends us DS queries, we try to query the respective servers,
but they will drop the queries silently, which will make our unbound mark
these servers as unresponsive and not query them any further.
When all authoritative servers for these domains are being marked
unresponsive, our unbound will respond SERVFAIL to all queries that would
be sent to those servers, making it impossible to resolve anything
within zones hosted on those servers.
Florian