On Fri, Sep 06, 2024 at 12:55:20PM -0400, Bob Harold wrote:
> Recently (2024/9/21) I ran into an issue that might be similar. Due to
> DDoS attacks that use complicated lookups to make DNS servers do extra
> work, to slow them down, some recent DNS server software has tightened the
> amount of 'work' that it will do on a single query before giving up and
> returning SERVFAIL. In my case I had spread out my NS records over several
> domains, and each of those domains depended on yet more domains. This was
> designed to increase resilience by not depending on a single domain. But
> we began to get random failures, in our case when trying to get an SSL
> certificate: Let's Encrypt using Unbound was verifying every NS record and
> sometimes gave up, with an error message "exceeded the maximum nameserver
> nxdomains" even though there were no 'nxdomains' in the log. I simplified
> my NS records and the problem went away.
Thank you, I am on this track now, also. I found that in two cases there were precisely 31 resolver queries before the SERVFAIL, and I wondered why this would be the same number. Then I found in the release notes something about limiting query count to 32. If this is indeed the issue, then we need an error message that actually tells us what the problem is.

I am currently analyzing issues that appeared /after/ upgrade to 9.18 and /before/ 9.18.29 - and these are a lot rarer, and most look like genuine weirdness/outages/maintenance.

cheerio,
PMc
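The two messages above describe the same failure mode from both sides: an NS set spread across many unrelated domains forces a resolver to chase a chain of dependencies, and a resolver with a per-query work cap gives up with SERVFAIL before the chain is finished. The following script is an added example, not code from this thread, from ISC or from BIND; it models delegation dependencies as a graph and counts the distinct lookups a resolver would need in the worst case, so an operator can compare an NS layout against a budget before a resolver does. The only figure taken from the thread is the cap of 32; the zone data, the hostnames and the counting model (each out-of-zone NS name costs an A and an AAAA lookup plus whatever its own zone needs, in-zone glue costs nothing, repeated lookups are counted once) are constructed assumptions, not BIND's actual accounting.

```python
"""Estimate the resolver work an NS layout demands.

Added example, not code from the bind-users thread or from ISC. It models
delegation dependencies as a graph and counts the distinct lookups a
resolver must issue to obtain an address for every nameserver of a zone.
The only figure taken from the thread is the per-query budget of 32; the
zone data and the counting model below are constructed.
"""

# Per-query work budget mentioned in the thread (release notes: 32).
WORK_BUDGET = 32


def owning_zone(hostname, zones):
    """Longest zone in `zones` that contains `hostname`, or None."""
    best = None
    for zone in zones:
        if hostname == zone or hostname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def required_lookups(zone, zones, _in_progress=None):
    """Set of (qname, qtype) lookups needed, in this model, before a resolver
    holds an address for every nameserver of `zone`.

    Model (an assumption, not BIND's accounting): an NS name inside the zone
    arrives as glue and costs nothing; an NS name in another zone costs an A
    and an AAAA query plus whatever that zone's own nameservers need.
    Identical lookups are counted once, as a caching resolver would.
    Circular dependencies are skipped rather than followed forever.
    """
    if _in_progress is None:
        _in_progress = set()
    if zone in _in_progress:
        return set()
    _in_progress.add(zone)
    lookups = set()
    for ns in zones[zone]:
        owner = owning_zone(ns, zones)
        if owner == zone:
            continue  # glue is delivered with the delegation
        lookups.add((ns, "A"))
        lookups.add((ns, "AAAA"))
        if owner is not None:
            lookups |= required_lookups(owner, zones, _in_progress)
    _in_progress.discard(zone)
    return lookups


def within_budget(zone, zones, budget=WORK_BUDGET):
    """True if the worst-case lookup count stays under the resolver budget."""
    return len(required_lookups(zone, zones)) < budget


def sprawling_layout(providers=5):
    """Constructed 'spread out for resilience' layout: the apex uses one NS
    at each of several providers, and each provider's own NS set in turn
    leans on two more organisations, which share a fourth one."""
    zones = {"example.com.": []}
    for k in range(1, providers + 1):
        p, b, c, d = (f"p{k}.net.", f"b{k}.org.", f"c{k}.io.", f"d{k}.info.")
        zones["example.com."].append("ns." + p)
        zones[p] = ["ns." + p, "ns." + b, "ns." + c]
        zones[b] = ["ns." + b, "ns." + d]
        zones[c] = ["ns." + c, "ns." + d]
        zones[d] = ["ns." + d]
    return zones


def simplified_layout():
    """Constructed layout after simplification: in-zone glue plus one
    provider whose nameservers are all glued inside its own zone."""
    return {
        "example.com.": ["ns1.example.com.", "ns2.example.com.", "ns.p1.net."],
        "p1.net.": ["ns1.p1.net.", "ns2.p1.net."],
    }


if __name__ == "__main__":
    for name, layout in (("sprawling", sprawling_layout()),
                         ("simplified", simplified_layout())):
        n = len(required_lookups("example.com.", layout))
        verdict = "ok" if within_budget("example.com.", layout) else "over budget"
        print(f"{name}: {n} lookups ({verdict})")
```

With five providers the constructed sprawling layout needs 40 distinct lookups, already past a budget of 32, while the simplified layout needs 2; four providers land exactly on 32, which is why a layout can work for months and then fail once a resolver upgrade tightens the cap. Replace the constructed dictionaries with your own zone-to-NS mapping to check a real layout; the model is deliberately pessimistic, since it assumes the resolver wants an address for every nameserver, which is the behaviour the first message describes.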