Re: Unbound + single localhost nsd starts return SERVFAIL for local names after several minutes of normal work

Dmitri Stepanov dstep at mail.ru
Fri Mar 31 15:44:09 UTC 2023 

I have two large enough (150-200 hosts) segments of internal network, 10.XXX.0.0 and 10.YYY.0.0. They are linked through Internet, speed is not like local but high enough - about 50Mb/s. I used two authoritative bind servers and three (two in one segment, one in the second) recursive also bind ones. For making bind, unbound and nsd configuration and zone files I'm using hostdb package, so all authoritative and recursive servers are generated and distributed to at once by the hostdb.
Now I like to reconstruct dns. I've created in place of my three recursive servers three combined ones with unbound and nsd which local only listen on separate port.
This works fine first several minutes after reload unbound, and then for local names - SERVFAIL all the configured stub or forward servers failed, at zone abc.local. At the same time, Internet names continue to be resolved normally.
Unbound:
server:
        interface: 0.0.0.0
        do-not-query-localhost: no
 
stub-zone:
        name: "abc.local"
        stub-addr: 127.0.0.1 at 5678
 
stub-zone:
        name: "10.in-addr.arpa."
        stub-addr: 127.0.0.1 at 5678
 
forward-zone:
        name: "."
        forward-addr: 8.8.8.8
 
I'm not sure which is the source of this problem - unbound or nsd. Nsd has no such diagnostic, but dig -p 5678 @127.0.0.1 localname.abc.local works fine.
 
It is difficult to catch the moment when it starts to SERVFAIL.
Looks like some resources are running out.
 
I've returned two separated authoritative servers, so now it is like:
stub-zone:
        name: "abc.local"
        stub-addr: 127.0.0.1 at 5678
        stub-addr: ipofauthserver1
        stub-addr: ipofauthserver2
 
Despite that there are not many hosts within the network, there are about 10,000 names in local DNS zones.
 
All my dns servers are OpenBSD 6.5-7.0 64 bit virtual machines which are running in several free ESXi 5.5 and 7.3 servers.
Unbound 1.8.1 — 1.13.2
 
Does anybody bump in the same situation when unbound after several minutes of normal work stops resolve local names with SERVFAIL if it has only one local nsd source of local names?
I think such configuration with unbound + nsd on one host is reasonable for home users for example.
 
Regards
Dmitri Stepanov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230331/69f9e562/attachment.htm>

More information about the Unbound-users mailing list