out of query targets -- returning SERVFAIL

ico ico at petrzalka.net
Thu Sep 14 11:00:41 UTC 2023


Hello,

Today I upgraded unbound from 1.17.1 to 1.18.0 and noticed what is 
probably a behavior change. Something similar to this:

https://github.com/NLnetLabs/unbound/issues/267

To describe my problem:

After upgrade I wanted quickly to check the upgraded server (IPv4 only, 
IP 10.0.0.2) is running:

     # nslookup dennikn.sk. 10.0.0.2
     Server:         10.0.0.2
     Address:        10.0.0.2#53
     Non-authoritative answer:
     Name:   dennikn.sk
     Address: 92.60.51.23
     ** server can't find dennikn.sk: SERVFAIL

Eeehh.. SERVFAIL? Later I learned nslookup by default queries both A and 
AAAA records. It tried the A record for dennikn.sk and got an answer. Then 
it tried the AAAA record and got an error. Hmmm.. is there an error with 
AAAA records in general? No, other AAAA records are resolved just fine:

     # nslookup -q=aaaa sme.sk. 10.0.0.2
     Server:         10.0.0.2
     Address:        10.0.0.2#53
     Non-authoritative answer:
     Name:   sme.sk
     Address: 2606:4700:10::6816:ce6
     Name:   sme.sk
     Address: 2606:4700:10::ac43:1651
     Name:   sme.sk
     Address: 2606:4700:10::6816:de6

I checked nameservers of domain dennikn.sk:

     # nslookup -q=ns dennikn.sk. 10.0.0.2
     Server:         10.0.0.2
     Address:        10.0.0.2#53
     Non-authoritative answer:
     dennikn.sk      nameserver = nss2.bonet.sk.
     dennikn.sk      nameserver = nss1.bntb.net.
     dennikn.sk      nameserver = nss1.bonet.sk.

I tried all of them, all of them answered "nothing" for AAAA query:

     # nslookup -q=aaaa dennikn.sk. nss1.bonet.sk
     Server:         ns1.bonet.sk
     Address:        185.91.200.2#53
     *** Can't find dennikn.sk: No answer

I tried to run unbound with verbosity:3 to inspect what it is doing. Of 
course, it tried to get AAAA records from all 3 of them and got no 
answer, I can see it in unbound's log file:

     Sep 14 11:36:14 unbound[19191:0] debug: out of query targets -- returning SERVFAIL

So to summarise it: upstream servers returned 3x "nothing" and unbound 
in turn returned an error. How can I get it to return "nothing" for these 
cases? The way the previous version 1.17.1 did it.

Thank you.

ico
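
The post turns on the difference between an empty NOERROR reply (the "No answer" the authoritative servers gave, usually called NODATA) and a SERVFAIL rcode. The following is an added example, not part of the original message and not Unbound code: it classifies raw DNS responses by header rcode and answer section. The function names, `example.test.` and the sample messages are constructed for illustration.

```python
import ipaddress
import struct

TYPE_AAAA = 28
RCODES = {2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    # Uncompressed DNS name: length-prefixed labels, terminated by a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    # Return the offset just past a name, which may end in a compression pointer.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def classify(msg, qtype=TYPE_AAAA):
    # ANSWER, NODATA (NOERROR with no record of qtype), or the error rcode name.
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, "RCODE%d" % rcode)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    found = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        found = found or rtype == qtype
    return "ANSWER" if found else "NODATA"

def build_response(name, rcode, addrs=()):
    # Constructed sample reply to an AAAA query (QR, RD and RA set).
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_AAAA, 1)
    for a in addrs:                            # owner name is a pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16)
        msg += ipaddress.IPv6Address(a).packed
    return msg

if __name__ == "__main__":
    for label, rcode, addrs in [("upstream NODATA", 0, ()), ("resolver SERVFAIL", 2, ()),
                                ("normal answer", 0, ("2001:db8::1",))]:
        print(label, "->", classify(build_response("example.test.", rcode, addrs)))
```
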

