>> "Pick another upstream" would be my suggestion, if that's at all
>> feasible. Either that, or do your own recursive resolution, and
>> don't rely on someone else bodging it for you :)
>
> No, again that is not my issue.
Sorry for at least initially not fully comprehending the situation...

> All of the servers that dns.com operates are dropping queries for the
> Resource Record Type DS.

That is an error.

If a publishing name server receives a query for an RR type which doesn't
exist at the given name, but other data (other RR types) exists on the
queried-for name, the correct thing is to return an empty NOERROR response.

If the queried-for name doesn't exist, but the publishing name server is
authoritative for the zone where the name would reside, the correct
response is a reply with an NXDOMAIN error code.

If the publishing name server isn't authoritative for the queried-for name,
and doesn't provide recursive service to you, a valid response would be an
empty reply with the error code REFUSED.

Note that in none of these cases is "failure to respond" a valid behaviour,
perhaps modulo rate limiting. Failing to provide a response for "unusual"
or "new" resource record queries (some might characterize DS records as
"new", others would disagree, me among them...) is not adhering to the
spec.

The affected publishing name servers get what they deserve from your
unbound recursor -- the error is not with unbound, but with the publishing
name servers for dns.com. With a name such as dns.com, one would have
expected that someone in the owning organization would know better than to
use a DNS name server implementation which has such a basic protocol bug.

Ref.:

$ dig dns.com. ns +short
m2.dns.com.
m1.dns.com.
$ dig @m1.dns.com. dns.com. ds +norec

; <<>> DiG 9.16.33 <<>> @m1.dns.com. dns.com. ds +norec
; (5 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig @m2.dns.com. dns.com. ds +norec

; <<>> DiG 9.16.33 <<>> @m2.dns.com. dns.com. ds +norec
; (5 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$

but

$ dig @m2.dns.com. dns.com. ns +norec +short
m1.dns.com.
m2.dns.com.
$

Regards,

- Håvard
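As an added illustration of the three valid outcomes Håvard lists versus the invalid "no response" case (this is not code from the thread or from unbound), the following Python script builds the same non-recursive DS query that `dig +norec` sends and classifies a reply, or its absence, the way the mail does. The wire-format helpers, the `probe` function and the `example.com.` zone used in the sample are assumptions; `make_response` only constructs sample replies for offline checking.

```python
import socket
import struct
from typing import Optional

RR_TYPE_DS = 43          # DS RRTYPE code (RFC 4034)
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query with RD=0, i.e. what `dig +norec` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def make_response(query: bytes, rcode: int, ancount: int = 0) -> bytes:
    """Constructed sample reply: echo the question, set QR/AA and RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8400 | (rcode & 0xF)            # QR=1, AA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + query[12:]                # question section verbatim


def classify(response: Optional[bytes]) -> str:
    """Judge a DS-query reply against the rules laid out in the mail."""
    if response is None:
        return "NO RESPONSE: protocol violation (server dropped the query)"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0xF
    if rcode == 0 and ancount == 0:
        return "NOERROR/empty: valid, name exists but has no DS"
    if rcode == 0:
        return "NOERROR: valid, DS records present"
    if rcode in (3, 5):
        return f"{RCODE_NAMES[rcode]}: valid, no such name / not authoritative"
    return f"{RCODE_NAMES.get(rcode, 'RCODE' + str(rcode))}: unexpected"


def probe(server: str, name: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send one DS query over UDP; None on timeout, as dig reported above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, RR_TYPE_DS), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

To reproduce the check from the mail against a live server, call `classify(probe("<name server IP>", "dns.com."))`; a `NO RESPONSE` verdict from every authoritative server is the misbehaviour unbound is reacting to.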