1000s of "SERVFAIL . . . service.arpa" messages
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Tue Jan 14 16:31:57 UTC 2025
Thanks Olivier,
I added both on the current master branch.
(https://github.com/NLnetLabs/unbound/commit/f52b2a6ea251749bb7c85e2074a6c17e28d2ae81)
Best regards,
-- Yorgos
On 14/01/2025 16:37, Olivier Benghozi via Unbound-users wrote:
> By the way it looks like
> https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
> also includes the zone resolver.arpa [RFC9462] to be served the same way...
>
>
> On Tue, 14 Jan 2025 at 15:41, Yorgos Thessalonikefs via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
> Hi Jon,
>
> We will probably include this in the future.
> For now you can configure your current Unbound to have the same behavior
> as with home.arpa with:
>
> local-zone: "service.arpa." static
> local-data: "service.arpa. 10800 IN NS localhost."
> local-data: "service.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
>
> which is the default content for home.arpa taken from the manpage
> (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone);
> further down where it notes the default local zones.
>
> Best regards,
> -- Yorgos
>
> On 10/01/2025 20:21, Jon Murphy via Unbound-users wrote:
> > Hello,
> >
> > Happy new year everyone!
> >
> > Since the beginning of October 2024 I have been seeing lots of these messages:
> >
> > ```
> > Oct 2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> > Oct 2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> > Oct 2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct 2 17:53:40 ipfire unbound: [15153:0] error: SERVFAIL <_L1234._sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> > Oct 2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct 2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> > Oct 2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> > Oct 2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_1234._sub._matterc._udp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct 2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> > Oct 2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. TXT IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> > ```
> >
> > There are 1000s of these messages "SERVFAIL . . . service.arpa" every week and 144,028 messages since Oct 2, 2024. Best I can tell, these are all local DNS lookups and they are failing an external DNS lookup for "service.arpa".
> >
> > This happens with unbound 1.21.0 and persists with unbound 1.22.0.
> >
> > And I believe this is related to this:
> > https://datatracker.ietf.org/doc/html/draft-ietf-dnssd-srp-25#section-10.1
> >
> >
> > So my ask, to stop "service.arpa" from escaping my local network, can "service.arpa" be added to the unbound code as a Special Use Domain Name similar to "home.arpa"?
> >
> >
> > Best regards,
> > Jon
> >
>
>
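A way to measure which locally served names are still being forwarded upstream, as an added example that is not part of the original thread or of Unbound's own code: it parses SERVFAIL lines in the format quoted above and counts the ones under home.arpa, service.arpa and resolver.arpa per upstream server. The sample lines, the host name and the 192.0.2.53 / 198.51.100.53 addresses are constructed.

```python
import re
from collections import Counter

# Zones named in the thread that should be answered locally rather than
# forwarded (home.arpa is already a default local zone per the manpage).
LOCAL_ZONES = ("home.arpa.", "service.arpa.", "resolver.arpa.")

# Matches the Unbound error line format quoted in the thread.
SERVFAIL_RE = re.compile(
    r"error: SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) IN>: .*"
    r" from (?P<upstream>\S+) got SERVFAIL"
)

# Constructed sample input (not taken from any real log).
TEMPLATE = (
    "Oct  2 17:53:31 host unbound: [1:0] error: SERVFAIL <{} {} IN>: all the "
    "configured stub or forward servers failed, at zone . from {} got SERVFAIL"
)
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("default.service.arpa.", "SOA", "192.0.2.53"),
    ("service.arpa.", "SOA", "192.0.2.53"),
    ("_matter._tcp.default.service.arpa.", "PTR", "198.51.100.53"),
    ("_dns.resolver.arpa.", "SVCB", "192.0.2.53"),
    ("notservice.arpa.", "A", "192.0.2.53"),    # different zone, must not match
    ("www.example.com.", "A", "198.51.100.53"),  # ordinary upstream failure
]]

def zone_of(qname, zones=LOCAL_ZONES):
    """Return the local zone containing qname, matching on label boundaries."""
    name = qname.lower().rstrip(".") + "."
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def leaked_queries(lines):
    """Count SERVFAILs per (zone, upstream) for names that should stay local."""
    leaks = Counter()
    for line in lines:
        m = SERVFAIL_RE.search(line)
        zone = zone_of(m.group("qname")) if m else None
        if zone:
            leaks[(zone, m.group("upstream"))] += 1
    return leaks

if __name__ == "__main__":
    for (zone, upstream), n in sorted(leaked_queries(SAMPLE).items()):
        print(f"{n:4d}  {zone:<15} forwarded to {upstream}")
```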