Dear Ralph,

On 15/11/18 11:13 +0100, Ralph Dolmans via Unbound-users wrote:
> Sorry to hear Unbound has caused you problems. I'm trying to figure out
> the reason for the observed SERVFAIL responses.

Thank you.

> Was the serve-expired and cache-min-ttl configured on the Unbound
> instance that has the forward configured, or the instance the queries
> are forwarded to? Or both?

Both.

> Any chance the SERVFAILS were only for DNSSEC signed domains?

No, a particular name in our domain which is not signed often came
back with SERVFAIL after it expired from the cache.

> Did you have a chance to see the reason for the SERVFAIL responses in
> the Unbound log? Maybe the forwarder was returning expired DNSSEC
> signatures?

There were many SERVFAIL responses for queries for DS records.

> -- Ralph
>
> On 25-10-18 09:10, Nick Urbanik via Unbound-users wrote:
>> Dear Folks,
>>
>> Thank you for an excellent piece of software.
>>
>> I am puzzled by the behaviour of our multi-level DNS system which
>> answered many queries for names having shorter TTLs with SERVFAIL.
>>
>> By multilevel, I mean clients talk to one server, which forwards to
>> another, and for some clients, there is a third level of caching.
>>
>> So it was unwise to add:
>> serve-expired: "yes"
>> cache-min-ttl: 30
>>
>> to the server section of these DNS servers running unbound 1.6.8 on
>> up to date RHEL 7?  Please could anyone cast some light on why this
>> was so?  I will be spending some time examining the cause.
>>
>> If you need more information, please let me know.
--
Nick Urbanik             http://nicku.org           [email protected]
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24