servfail for stub-zones

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Jun 30 10:14:25 UTC 2025


Hi Andreas,

On 30/06/2025 11:54, A. Schulze via Unbound-users wrote:
> 
> Hello,
> 
> an unbound instance has this configuration to answer a dnsbl with data 
> from a local rbldnsd:
> 
>      server:
>       domain-insecure: "zen.spamhaus.org."
>      stub-zone:
>       name: "zen.spamhaus.org."
>       stub-addr: 192.0.2.1
>       stub-addr: 192.0.2.2
> 
> Also, I've "log-replies: yes"

You can also use log-servfail: yes to see why Unbound SERVFAILed the 
request. I guess because it ran out of options for the upstream servers; 
at least that's what I expect from your description.

> 
> I do expect logs with NOERROR or NXDOMAIN reply_codes. But I also see 
> 0.01% SERVFAIL.
> 
> That's what I do not understand. What could be a reason for unbound's 
> answer "SERVFAIL"?
> 
> The only reason I'm aware of /could/ be the fact that rbldnsd never answers 
> via TCP.
> But as far as I know, I can't tell unbound "these stub servers are 
> reachable via UDP only"

If that were possible you would still get SERVFAIL because no answer 
could be received.
I mean Unbound tried over UDP and for some reason (TC bit?) had to 
switch to TCP.

Best regards,
-- Yorgos
> 
> Andreas
> 
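
The hypothesis in the reply above (a UDP answer with the TC bit set, followed by a TCP retry that the stub server never answers) can be checked per stub server. The script below is an added example, not part of the original thread and not Unbound's code; the function names and the test query name 2.0.0.127.zen.spamhaus.org are assumptions.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query for qname (type A by default, class IN, no EDNS)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def parse_flags(msg):
    """Return (tc_bit, rcode) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & 0x0200), flags & 0x000F

def classify(udp_reply, tcp_reply):
    """Outcome for one stub server; None means no reply on that transport."""
    if udp_reply is None:
        return "no-udp-answer"
    tc, rcode = parse_flags(udp_reply)
    if not tc:
        return "udp-ok rcode=%d" % rcode
    if tcp_reply is None or len(tcp_reply) < 12:
        return "truncated-and-no-tcp"  # the case suspected in the thread
    return "tcp-ok rcode=%d" % parse_flags(tcp_reply)[1]

def probe(addr, qname, timeout=2.0):
    """Query addr:53 over UDP and TCP and classify the result."""
    query, udp, tcp = build_query(qname), None, None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (addr, 53))
            udp = s.recv(4096)
    except OSError:
        pass
    try:
        with socket.create_connection((addr, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            f = s.makefile("rb")
            tcp = f.read(struct.unpack("!H", f.read(2))[0])
    except (OSError, struct.error):
        pass
    return classify(udp, tcp)

if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.2"):  # stub-addr values from the config
        print(addr, probe(addr, "2.0.0.127.zen.spamhaus.org"))  # assumed test name
```

The probe sends no EDNS option, so a server may truncate at 512 bytes here even where it would not for a resolver that advertises a larger UDP buffer; treat a "truncated-and-no-tcp" result as a pointer for comparison with the log-servfail output, not as proof.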

