Hi Stephane,

The problem is this:

souissi.net. 86400 IN NS ns1.souissi.net.
souissi.net. 86400 IN NS ns-slave.free.org.

With IP addresses:

ns1.souissi.net. 86400 IN A 91.121.163.99
ns1.souissi.net. 86400 IN AAAA 2001:41d0:1:e463:dead:beef:face:1
ns-slave.free.org. 28756 IN A 88.191.249.137
(no AAAA for it).

For 91.121.163.99 and dead-beaf-face, I get a dnssec answer. But the
free.org server gives a dnssec-less answer.

The problem is that unbound does not expect DNSSEC for souissi.net
because it has not checked the DLV yet, and thus accepts the free.org
answer (1 out of 3 times it picks that IP address). Then it becomes
bogus. This lasts one minute (bogus-ttl: 60), and then it tries again.
After a couple of minutes of 1/3 fail and 2/3 success, it has the
24-hour TTL for the valid answer.

So once in a very long while you see that servfail. It is because of
the misconfigured slave at free.org of course. But I am thinking how to
make this easier on other people that aren't as smart as you are to
figure this out. Or to make unbound smarter so it won't get into this
trouble. I don't know.

Best regards,
Wouter

On 09/04/2009 08:42 AM, Stephane Bortzmeyer wrote:
> On Thu, Aug 27, 2009 at 11:08:31AM +0200,
> W.C.A. Wijngaards <[email protected]> wrote
> a message of 46 lines which said:
>
>> Can you give me more details?
> ...
>> Can you give the output of the query +cdflag (what was the
>> data that failed?)
>
> OK, since the problem occurred again this morning (SOA souissi.net
> fails, SOA sources.org works), here is the full disclosure (do note
> that SERVFAIL depends on the QTYPE, not only the QNAME):
>
>
> % dig +dnssec MX souissi.net
>
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec MX souissi.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64634
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net. IN MX
>
> ;; ANSWER SECTION:
> souissi.net. 86400 IN MX 10 mx1.souissi.net.
> souissi.net. 86400 IN MX 20 mylar.selfns.net.
> souissi.net. 86400 IN RRSIG MX 5 2 86400 20091001060200
> 20090901060200 8850 souissi.net.
> he5nHZ9ZdSkmZAreeyZ3mqob1VP6wy/BCYGgeImDrwDRg9HaDyUdjDCt
> rX0UGFMPtETtpULEKNVYTmVQd30r//l+TBLWbElNdsAq/qW4OIbmbgfT
> vLTFeAJsfwlEQ3Ch2/NwmCQjdTd0DkMlva+hCtJ3MeQurjTamfuSWuku U5Y=
>
> ;; AUTHORITY SECTION:
> souissi.net. 86400 IN NS ns-slave.free.org.
> souissi.net. 86400 IN NS ns1.souissi.net.
> souissi.net. 86400 IN RRSIG NS 5 2 86400 20091001060200
> 20090901060200 8850 souissi.net.
> BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8
> Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF
> 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
>
> ;; ADDITIONAL SECTION:
> mx1.souissi.net. 86400 IN A 91.121.163.99
> mx1.souissi.net. 86400 IN AAAA
> 2001:41d0:1:e463:dead:beef:face:1
> ns1.souissi.net. 86400 IN A 91.121.163.99
> ns1.souissi.net. 86400 IN AAAA
> 2001:41d0:1:e463:dead:beef:face:1
> mx1.souissi.net. 86400 IN RRSIG A 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> TVNYVYAhwSQasJaQT/DW3UdZ+7kn/w2HqUvw9mXa6c58F8RBqoKOgAGF
> zO8ZR8i9Dc1I3qFXgXUojP3MTML+6ItHtK+ktKVCYJ/fHfXObauP68X8
> bFjE+bMKl71bcI07e206/Gfuqrw5CM46vhUL8sAKipad4G1MPh+cL+Yd wkw=
> mx1.souissi.net. 86400 IN RRSIG AAAA 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> cUZvufe1UYszNAIS78GLrUZxa4N6XMA0YDJsXneCERw7McWyIOic21+7
> DGIkd8Cth4F/tz/C6QjjGlULLz+Z/t/nV/uH9HdCdXInb9V8m/K6tId4
> Nk04lp0MzhYjCQK7gvnZaTeXpfceLZNsIkqqPJiJeCGYx3nUcYMy3x0N czI=
> ns1.souissi.net. 86400 IN RRSIG A 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+
> BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0
> YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
> ns1.souissi.net. 86400 IN RRSIG AAAA 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM
> kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu
> DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
>
> ;; Query time: 8 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:39:31 2009
> ;; MSG SIZE rcvd: 1252
>
>
>
>
> % dig +dnssec SOA souissi.net
>
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA souissi.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17478
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net. IN SOA
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:40:21 2009
> ;; MSG SIZE rcvd: 40
>
>
> % dig +dnssec SOA sources.org
>
> ; <<>> DiG 9.5.1-P3 <<>> +dnssec SOA sources.org
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22082
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;sources.org. IN SOA
>
> ;; ANSWER SECTION:
> sources.org. 86400 IN SOA ns3.bortzmeyer.org.
> hostmaster.bortzmeyer.org. 2009090100 7200 3600 604800 43200
> sources.org. 86400 IN RRSIG SOA 3 2 86400 20091102035202
> 20090901035202 14347 sources.org.
> CIE1J9Im49PJBYPZQyV6Nrk/B0i0MZQi9SehcF7R+agqz9UJRzReLwI=
> sources.org. 86400 IN RRSIG SOA 5 2 86400 20091102035202
> 20090901035202 22107 sources.org.
> j2M7O6urcyXrj/WDhgdR1m9CbTOhEGLNtL5hYs7PHTghblln+yYclnQw
> KQmdZAYKLm2XFsrYiYSHVAc3i6jAVMb4rDE30R1Ckk3OC7cTTYEslqei
> RYzrpscfyt5cS6BRZz4feY1wEy3uJ1qaPSKZ8x0iUkVUXM63rGFxie4V
> J6vwPGnp5ToeP6Ewkyp22Q71ckIGcPKUkmdZD7o2RX2BEoitJUmj2LAD
> XY/mA4tbgTdm23WFmuW9zAY+2WiYjlCJKKf2TEb2XA0GnZYx0m9RSOuj
> pu7aCWKZo+Rf1Z5favipVJ9Jt2IkOpSCTBjy8PDYOyT8XbnMCmRj2Lo1 cvezNg==
>
> ;; AUTHORITY SECTION:
> sources.org. 86400 IN NS ns4.generic-nic.net.
> sources.org. 86400 IN NS munzer.bortzmeyer.org.
> sources.org. 86400 IN NS ns3.bortzmeyer.org.
> sources.org. 86400 IN NS munzer.ipv6.bortzmeyer.org.
> sources.org. 86400 IN NS ns6.gandi.net.
> sources.org. 86400 IN RRSIG NS 3 2 86400 20091102035202
> 20090901035202 14347 sources.org.
> CKHF2HzIBvqloe0oSj/CX+ZsESq3B35PMPwNJQP9YM8JpTRVToBQ5Cw=
> sources.org. 86400 IN RRSIG NS 5 2 86400 20091102035202
> 20090901035202 22107 sources.org.
> MWXlsrOpRA6V+dt4YYn/tlDtcJtKkgnv+ezi9OR2ZupgDvHVLE6yKy99
> Ze8oWrM8bIRH0C6PynqC/yYuVSVUzMxYiKvDFca6GIyhNd6IS9+AghfY
> b2AYPb3wCv/sgATDUNnSQl4yQENXU6N4E2VIsucELFSBwiI1Q3fzDMK5
> uX+DMvJk9sAJ1JAGLvwlxpzsdKA3C32scYJBxiTJNqHY6K4cBompHTgi
> L3oWnUh6/aECWBd39WUDgAvjgHiSIX1k4aw9XpUV8RoHidCvbwcufsTt
> xzhF1C9pIO+eZCf0xWoHb16jMGfWmgVIdL/PkU3k5bcNmEGoYQSFeTZv cmsMFQ==
>
> ;; Query time: 6 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:41:09 2009
> ;; MSG SIZE rcvd: 986
>
>
> % dig +cd +dnssec SOA souissi.net
>
> ; <<>> DiG 9.5.1-P3 <<>> +cd +dnssec SOA souissi.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60400
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net. IN SOA
>
> ;; ANSWER SECTION:
> souissi.net. 86025 IN SOA ns1.souissi.net.
> hostmaster.souissi.net. 2009090101 3600 900 3600000 900
>
> ;; AUTHORITY SECTION:
> souissi.net. 86291 IN NS ns-slave.free.org.
> souissi.net. 86291 IN NS ns1.souissi.net.
> souissi.net. 86291 IN RRSIG NS 5 2 86400 20091001060200
> 20090901060200 8850 souissi.net.
> BbOxk5nOJfEYBFPTkLmfTtLKb4+L/Rj4lfaUPWJd/CQAiQn7GF5qMTR8
> Gr1bX1ncpVQM5tmsJu26mxlauiJAiTGqF0HXwuizsi6B4M+6ZJp/qlAF
> 1hOZ/Q88/48UUTDnIRGLu4+WNQpSEnjZYS6LlaFYxXiDas8Ef+u3sMc7 S28=
>
> ;; ADDITIONAL SECTION:
> ns1.souissi.net. 86000 IN A 91.121.163.99
> ns1.souissi.net. 86000 IN AAAA
> 2001:41d0:1:e463:dead:beef:face:1
> ns1.souissi.net. 86000 IN RRSIG A 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> OG6LheSUBXSH/m8XW+jzWwo9eFBOA0ax5q0eWhKwFjYPrZdY4A+06Rz+
> BW2iguIStEx46+YfWSuUn6MzuDJ7lgljbRPgQ2DTDWdZOb1bEPq7XyK0
> YZ3j5J4DaBBvebZnGFDvTOLaFr/cGRumiXYf2dNlacQiBmnrrmtXAD3c kD4=
> ns1.souissi.net. 86000 IN RRSIG AAAA 5 3 86400 20091001060200
> 20090901060200 8850 souissi.net.
> WOxlR+RwhQv5GRm3VeDOf7WOHfeUkDXNEWKjFFKpJttQZQv2NYyH0oqM
> kBW4+UUc0BMKK0MHwtEgRxwGyWjjGGFtYRvlswetOVT1UnuDF8B3nPlu
> DtHQ7ZAR663EbpE/g+faAZVaLS91BorcYSA/ltk7eoF1mjCevKprWDm4 CJ0=
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:41:20 2009
> ;; MSG SIZE rcvd: 693
>
>
>
> % dig DNSKEY souissi.net
>
> ; <<>> DiG 9.5.1-P3 <<>> DNSKEY souissi.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50673
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net. IN DNSKEY
>
> ;; ANSWER SECTION:
> souissi.net. 85955 IN DNSKEY 257 3 5
> AwEAAbiXOW26EYYHFx/ydGzDW4+ixz5xoWF9ANdmZT6+3bMBlWskh2GZ
> KPKhlgH0YAtpcNG4/9kH+e7yfEUiX15Tc3zMk+WYKllMiqGvKr6KSz+p
> RQlUegflFJwDnBfXWlKqyoPXn2szhSGMBNcIrX2W5KucoMQUQesrjjtE
> XGMPVVqEL5YkX3Qk4OxXWdou/9d/R3nVfQTyQadgOl8q5StAPgQsR+wJ
> 6B0H5PyziiRAtjsnFJYH+yQiD1SFw5MuZBoVTtblrAY7wo4Boqh6IiCj
> qvGk9/RNK6AcEbcs4tDvoCZxcRZFBCeHCnzgdlk5f8u6wN+Fs6bIVO76
> +wuOos+OPnCO1ndsaO5j5KPRC/ChWiKTZ9gy3Sia1hO/qSjOi/w16VW6
> ES/pQrv9QokTGTLuL6HatXkMWoyX6E+dj2rimKEnNmXKUK7otglLSoCW
> +ca0+OAVrupRYWsn4UwO5UprnFMo2gLz69jKVx/gIh7hgSBLKJFO8omT
> LLDVOKaOHzsVulfp/Qs8b8x8TqU4ncteyx1MPxJCUo6DiIFnnGkD7RSC
> S7Bk7izWdMCzlpCWLekPMwihx9UW4hqwjQ6L6wFiiJulC4eZP+jODQ/8
> BC/Vr7Q+XyBhGh7K4kkbPOVk1hCJNglhxQ7Q/3hWGuZVrYUqOX7s2Zhl EPMLgQqafoX7rAyd
> souissi.net. 85955 IN DNSKEY 256 3 5
> AwEAAcJcU4Ih5IkoLhNLC6mq902qVagsh8IEKyfqQE5/ngZkL0r+NAww
> RiJdSO2muPkk0qQsD+duziDon7Mz1E/EBuetI8ZE/zdmowu9outSTfRN
> lYvxNoQTSVZ0w8Ct3/qeNG1qpXr9nERqMz663tI9BKc866K5ajj0eI0v YXqkpptp
>
> ;; Query time: 1 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:42:05 2009
> ;; MSG SIZE rcvd: 720
>
>
>
> % dig ANY souissi.net.dlv.isc.org
>
> ; <<>> DiG 9.5.1-P3 <<>> ANY souissi.net.dlv.isc.org
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50301
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;souissi.net.dlv.isc.org. IN ANY
>
> ;; ANSWER SECTION:
> souissi.net.dlv.isc.org. 3600 IN NSEC stormrevel.net.dlv.isc.org.
> RRSIG NSEC DLV
> souissi.net.dlv.isc.org. 3600 IN RRSIG NSEC 5 5 3600 20091004051505
> 20090904051505 64263 dlv.isc.org.
> R/6wE7ZXOJrSf2iIUidk4ZeZ8g5WOzZGUpl2cI/rWNHn2mAyR8AfSYFY
> 29qtCEnfed923cVkdVFuJarZEB9IHtgD8S7UQBMloElfy51Q4RDl6IFJ
> cH4Y/34InJ33w7/IuuOxtH8xQZTWEXeJTIpCeitddmo4X/B1GaH1x2Cz VaE=
> souissi.net.dlv.isc.org. 3600 IN DLV 28198 5 1
> C6C7D20861D7E03915012AFAD74F20F17F212964
> souissi.net.dlv.isc.org. 3600 IN DLV 28198 5 2
> 3C54CCD5EE584519C4A5CF47BFAF359B0C06B4261965A265F8A28AF4 259B1184
> souissi.net.dlv.isc.org. 3600 IN RRSIG DLV 5 5 3600 20091004051505
> 20090904051505 64263 dlv.isc.org.
> oNhnBAQRgMi5mggt7Rhhts+AZFdANZUcDx010KoHxw3txcNjOeB2EJoN
> 9q+16FvkezefeiMlBwzx4IHs4q7D+XsvFmmmgtybYNRNHVR+Xw+GP2Ee
> wTsJlzBF7ggmO8VF+Upn5XhdtHI2ggdZBNLkZHfd3XFnT8hCf/d6UGI4 wRI=
>
> ;; AUTHORITY SECTION:
> dlv.isc.org. 3600 IN NS ns1.isc.ultradns.net.
> dlv.isc.org. 3600 IN NS dlv.sfba.sns-pb.isc.org.
> dlv.isc.org. 3600 IN NS dlv.ams.sns-pb.isc.org.
> dlv.isc.org. 3600 IN NS dlv.ord.sns-pb.isc.org.
> dlv.isc.org. 3600 IN NS ns.isc.afilias-nst.info.
> dlv.isc.org. 3600 IN NS ns2.isc.ultradns.net.
>
> ;; Query time: 19 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Sep 4 08:42:24 2009
> ;; MSG SIZE rcvd: 692
>
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
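
A check for the condition diagnosed in this message, as an added example that is not part of the original thread or of unbound: it classifies each authoritative address by whether its answer carries an RRSIG covering the queried type, and reports the addresses that serve the RRset unsigned while a peer signs it. The sample responses are constructed (placeholder signature field) and the function names are hypothetical.

```python
import re

# Constructed sample: answer sections as `dig +dnssec +norec SOA souissi.net @ADDR`
# could print them for the three addresses named in the message. The last
# RRSIG field is a placeholder, not real signature data.
SOA = ("souissi.net. 86400 IN SOA ns1.souissi.net. "
       "hostmaster.souissi.net. 2009090101 3600 900 3600000 900")
SIG = ("souissi.net. 86400 IN RRSIG SOA 5 2 86400 20091001060200 "
       "20090901060200 8850 souissi.net. PLACEHOLDER=")
SAMPLES = {
    "91.121.163.99": f";; ANSWER SECTION:\n{SOA}\n{SIG}\n",
    "2001:41d0:1:e463:dead:beef:face:1": f";; ANSWER SECTION:\n{SOA}\n{SIG}\n",
    "88.191.249.137": f";; ANSWER SECTION:\n{SOA}\n",  # slave without DNSSEC data
}

# owner, TTL, class IN, type, rdata (dig presentation format)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def classify(dig_text, qname, qtype):
    """Return 'signed', 'unsigned' or 'no-answer' for one server's response."""
    have_rrset = have_sig = False
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if not m or m.group(1).lower() != qname.lower():
            continue  # comment, blank line, or a record for another owner name
        rtype, rdata = m.group(2), m.group(3)
        if rtype == qtype:
            have_rrset = True
        elif rtype == "RRSIG" and rdata.split()[0] == qtype:
            have_sig = True  # first RRSIG rdata field is the type covered
    if not have_rrset:
        return "no-answer"
    return "signed" if have_sig else "unsigned"

def audit(samples, qname, qtype):
    """Map each server address to its classification."""
    return {addr: classify(text, qname, qtype) for addr, text in samples.items()}

def inconsistent_servers(report):
    """Addresses that do not return signed data although some peer does."""
    if "signed" not in report.values():
        return []  # zone looks unsigned everywhere: nothing to compare against
    return sorted(addr for addr, state in report.items() if state != "signed")

if __name__ == "__main__":
    report = audit(SAMPLES, "souissi.net.", "SOA")
    bad = inconsistent_servers(report)
    print(report)
    print(f"{len(bad)} of {len(report)} addresses serve unsigned data: {bad}")
```
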
