servfail for stub-zones
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Mon Jun 30 10:14:25 UTC 2025
Hi Andreas,
On 30/06/2025 11:54, A. Schulze via Unbound-users wrote:
>
> Hello,
>
> an unbound instance have this configuration to answer an dnsbl with data
> from a local rbldnsd:
>
> server:
> domain-insecure: "zen.spamhaus.org."
> stub-zone:
> name: "zen.spamhaus.org."
> stub-addr: 192.0.2.1
> stub-addr: 192.0.2.2
>
> Also, I've "log-replies: yes"
You can also use log-servfail: yes to see why Unbound SERVFAILed the
request. I guess because it got out of options for the upstream servers;
at least that's what I expect from your description.
>
> I do expect logs with NOERROR or NXDOMAIN reply_codes. But I also see
> 0.01% SERVFAIL.
>
> That's what I do not understand. What could be a reason for unbound's
> answer "SERVFAIL"?
>
> The only reason I'm aware /could/ be the fact, that rbldnsd never answer
> via TCP.
> But as far as I know, I can't tell unbound "this stub servers are
> reachable via UDP only"
If that was possible you would still get SERVFAIL because no answer
could be received.
I mean Unbound tried over UDP and for some reason (TC bit?) had to
switch to TCP.
Best regards,
-- Yorgos
>
> Andreas
>
More information about the Unbound-users
mailing list