On 2022-04-27, Renaud Allard <ren...@allard.it> wrote:
> On 4/26/22 16:25, Renaud Allard wrote:
>>
>> Hello,
>>
>> Since I upgraded my DNS servers to 7.1 with unbound 1.15.0, I have a lot
>> of issues with DNS resolution (without changing anything in the config).
>> I randomly get SERVFAIL (or sometimes NXDOMAIN) for a lot of names, or
>> something even stranger like some addresses and SERVFAIL for others (see
>> dashlane example).
>>
>> Examples:
>> host dashlane.com
>> dashlane.com has address 65.9.82.43
>> dashlane.com has address 65.9.82.13
>> dashlane.com has address 65.9.82.36
>> dashlane.com has address 65.9.82.97
>> Host dashlane.com not found: 2(SERVFAIL)
>> Host dashlane.com not found: 2(SERVFAIL)
>>
>> host forum.opnsense.org
>> Host forum.opnsense.org not found: 2(SERVFAIL)
>>
>> use-caps-for-id: yes
>
> After removing the use-caps-for-id, it seems the resolver works fine. I
> opened the following bug report
> https://github.com/NLnetLabs/unbound/issues/670
I'm not aware of intentional changes in use-caps-for-id between the versions of Unbound in 7.0 and 7.1; it might be worth trying the old version again to rule out a coincidental change on the authoritative servers for those domains, as that can happen. (There is some fallback in unbound for hosts which don't handle this, but I think it might not cope if there's differing behaviour between multiple hosts load-balanced behind a single backend IP.) Maybe consider packet captures to the auth servers for some of the domains you've seen problems with? You aren't on an ISP which might be intercepting some DNS requests, are you?
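As an added illustration (not part of this thread and not Unbound's own code), the script below does what use-caps-for-id relies on: it sends the question name with randomised letter case and checks whether the authoritative server echoes it back byte-for-byte. Running probe() several times against each auth server for a domain shows whether the case is always preserved, never preserved, or inconsistent, which is the load-balanced mixed-backend situation mentioned above; the sample packets at the bottom are constructed, and probe() only talks to an address you give it.

```python
import random
import socket
import struct

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query for qname, RD set, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + wire + b"\x00" + struct.pack(">HH", 1, 1)

def randomize_case(qname: str, seed: int = 0) -> str:
    """0x20 encoding as use-caps-for-id does it: random case per letter."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in qname)

def question_name(msg: bytes) -> str:
    """Question name with case preserved (one question, no compression)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def case_preserved(sent: bytes, received: bytes) -> bool:
    """True if the server echoed the name unchanged; False if it normalised
    the case, which makes the resolver's 0x20 answer check fail."""
    return question_name(sent) == question_name(received)

def probe(server_ip: str, qname: str, tries: int = 4, timeout: float = 2.0) -> list:
    """Query one auth server `tries` times with fresh random case and report
    per-try whether case survived. Mixed True/False across tries hints at
    different backends behind one IP. Network only; not run in the test."""
    results = []
    for i in range(tries):
        q = build_query(randomize_case(qname, seed=i), qid=0x1000 + i)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server_ip, 53))
            resp, _ = s.recvfrom(4096)
        results.append(case_preserved(q, resp))
    return results

# Constructed sample traffic: a compliant echo and a case-normalising server.
SENT = build_query(randomize_case("dashlane.com", seed=1))
ECHOED = SENT[:2] + b"\x81\x80" + SENT[4:]            # QR/RA set, name untouched
_LOWER = build_query("dashlane.com")                   # same query, name lowercased
NORMALISED = _LOWER[:2] + b"\x81\x80" + _LOWER[4:]
```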