> I know that. But that is not my issue, in fact it is completely
> unrelated to DNSSEC.

Ah.

> It is just being triggered by querying DS records for certain domains
> via our unbound.
>
> The upstream nameservers will drop DS queries on the network layer and
> not respond at all.
>
> Our customer for some reason is sending DS queries to our unbound(s)
> for these domains.
>
> Unbound then tries to query the servers and gets no response.
>
> As a result it marks them all as unresponsive and then will not
> resolve any other records hosted on these nameservers, as they are
> internally marked as down, responding with a SERVFAIL until the timer
> is expired to re-query these servers.

I'm assuming your upstream name servers are providing recursive service to you. If that's the case, to me it then sounds like the upstream name servers do not implement DNSSEC; refusing to look up "unusual" / "new" record types is a violation of the standard, I would think -- perhaps even irrespective of whether they implement DNSSEC or not.

"Pick another upstream" would be my suggestion, if that's at all feasible. Either that, or do your own recursive resolution, and don't rely on someone else bodging it for you :)

Regards,

- Håvard
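The symptom described in the thread (a server that answers ordinary queries but silently drops DS queries, so Unbound times out and marks it unresponsive) is easy to confirm from the outside before deciding whether to switch upstreams. The following probe is an added example written for this thread; it is not code from the thread's participants or from the Unbound project. It uses only the Python standard library, builds a bare DNS query (no EDNS) for a chosen record type, and classifies each upstream's reaction as an answer, an error rcode, or a drop (UDP timeout). The server address, zone name and timeout are placeholders you supply; the packet layout follows RFC 1035 and the DS type code 43 is from RFC 4034.

```python
import random
import socket
import struct

QTYPE_A = 1     # RRTYPE A
QTYPE_DS = 43   # RRTYPE DS (RFC 4034)
QCLASS_IN = 1


def build_query(name, qtype, txid=None):
    """Build a minimal DNS query (RD set, one question, no EDNS).
    txid may be fixed for reproducibility; otherwise it is random."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: id, flags (0x0100 = RD), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(packet):
    """Decode the 12-byte DNS header of a response into a dict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,              # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, ...
        "answers": an,
        "authority": ns,
    }


def probe(server, name, qtype, timeout=2.0, port=53):
    """Send one UDP query and classify the outcome:
    'dropped'  - no reply within timeout (the behaviour the thread describes)
    'ok'       - NOERROR response
    'rcode=N'  - any other rcode (e.g. rcode=2 is SERVFAIL)
    'mismatch' - reply that does not match our query id / QR bit"""
    query = build_query(name, qtype)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "dropped"
    resp = parse_response(data)
    if resp["txid"] != txid or not resp["is_response"]:
        return "mismatch"
    return "ok" if resp["rcode"] == 0 else "rcode=%d" % resp["rcode"]


def compare(server, name, timeout=2.0):
    """Probe A and DS for the same name against one server.
    A result of {'A': 'ok', 'DS': 'dropped'} is the pattern from the thread:
    the server works for normal lookups but never answers DS queries."""
    return {
        "A": probe(server, name, QTYPE_A, timeout),
        "DS": probe(server, name, QTYPE_DS, timeout),
    }


if __name__ == "__main__":
    # Placeholders: replace with the upstream resolver IP and an affected zone.
    print(compare("192.0.2.53", "example.com"))
```

Run it once per upstream listed in the Unbound configuration; a consistent `DS: dropped` from one upstream while others answer (NOERROR, NXDOMAIN, or even SERVFAIL is still a reply) confirms that the outage is caused by the network-level drop rather than by DNSSEC validation itself.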