Package: unbound Version: 1.9.0-2+deb10u1 Severity: important Sometimes unbound replies to a query for a forward-zone using a spurious cache entry, resulting in bogus NXDOMAIN responses that persist for cache-max-negative-ttl seconds (1 hour, by default), effectively disrupting name resolution for the zone.
Given this piece of configuration on 10.0.2.15: server: do-ip6: no interface: 127.0.0.1 #log-local-actions: yes log-queries: yes log-replies: yes log-servfail: yes log-tag-queryreply: yes #log-time-ascii: yes statistics-cumulative: yes statistics-interval: 3607 val-log-level: 2 verbosity: 4 logfile: /var/log/unbound.log domain-insecure: test.local remote-control: control-enable: yes control-interface: /run/unbound.ctl forward-zone: name: test.local forward-addr: 10.0.2.2 and the zone test.local defined on 10.0.2.2 like this: $TTL 3600 ; 1 hour @ SOA x.test.local. root.test.local. ( 1 ; serial 900 ; refresh (15 +minutes) 600 ; retry (10 minutes) 86400 ; expire (1 day) 3600 ; minimum / negative ttl (1 hour) ) NS x.test.local. x A 10.0.2.2 y A 10.0.2.10 responses from a freshly started instance of unbound on 10.0.2.15 depend on query ordering: successful sequence: # service unbound restart # dig @127.0.0.1 A y.test.local. => 10.0.2.10 (correct) # dig @127.0.0.1 A nonexistent.local. => nxdomain (correct) # dig @127.0.0.1 A y.test.local. => 10.0.2.10 (correct) failing sequence: # service unbound restart # dig @127.0.0.1 A nonexistent.local. => nxdomain (correct) # dig @127.0.0.1 A y.test.local. => nxdomain (WRONG) At verbosity 4, the logfile contains this excerpt: [1580891316] unbound[1842:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0 ;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0 ;; QUESTION SECTION: y.test.local. IN A ;; ANSWER SECTION: ;; AUTHORITY SECTION: loans. 86394 IN NSEC locker. NS DS RRSIG NSEC loans. 86394 IN RRSIG NSEC 8 1 86400 20200217170000 [...] . 86394 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY . 86394 IN RRSIG NSEC 8 0 86400 20200217170000 [...] . 3594 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020020401 1800 900 604800 86400 . 86394 IN RRSIG SOA 8 0 86400 20200217170000 [...] ;; ADDITIONAL SECTION: ;; MSG SIZE rcvd: 1022 That entry looks like a response packet with rcode NXDOMAIN and Question "y.test.local. IN A". The network capture, however, shows that no such reply was ever received by unbound. In fact unbound sent no query for "y.test.local." or "test.local." to 10.0.2.2 or root nameservers. The closest match is the packet received from a root server with rcode NXDOMAIN and Question "local. IN A". Looks like the above "msg from cache" is spurious. Best regards, g.b. -- System Information: Debian Release: 10.2 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 4.19.0-6-686 (SMP w/1 CPU core) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages unbound depends on: ii adduser 3.118 ii dns-root-data 2019031302 ii libc6 2.28-10 ii libevent-2.1-6 2.1.8-stable-4 ii libfstrm0 0.4.0-1 ii libprotobuf-c1 1.3.1-1+b1 ii libpython3.7 3.7.3-2 ii libssl1.1 1.1.1d-0+deb10u2 ii libsystemd0 241-7~deb10u2 ii lsb-base 10.2019051400 ii openssl 1.1.1d-0+deb10u2 ii unbound-anchor 1.9.0-2+deb10u1 unbound recommends no packages. Versions of packages unbound suggests: pn apparmor <none> -- no debconf information