Hi,

SERVFAIL on tweakers.net seems to be from the fix for CVE-2014-8500. This fix essentially limits the number of queries (to authoritative servers) to resolve the target qname. If a qname requires many queries to resolve, it becomes SERVFAIL. This situation often occurs when the cache is empty (e.g. just after starting unbound or a cache flush).

bind-users discussed the same issue last year:
https://lists.isc.org/pipermail/bind-users/2014-December/thread.html

A possible workaround is to increase MAX_TARGET_COUNT (iterator/iterator.h) to relax the limit on the number of queries, but it may reduce robustness against CVE-2014-8500-related attacks.

Regards,

--
Daisuke HIIGASHI

2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users <[email protected]>:
> Hi,
>
> Under FreeBSD I'm setting up a resolv-only unbound server. While testing
> I've noticed some domains do not resolve (server returns SERVFAIL)
