Hi Scott,

The neg-cache-size does not do what you want, it caches DNSSEC information, for DS lookups. So changing it won't fix your problem.

Did you try to dig +cdflag? Does the servfail disappear? If so, you have a DNSSEC problem. Set val-log-level: 2 in your unbound.conf and it'll print out a validator error.

You have forward statements, but really, to contact authority servers you should use stub statements. An improvement, unlikely the bug.

Do you need domain-insecure for the internal zones? You have it for the reverse zone but not your own?

If not, such servfails are only cached very briefly. Wait a couple seconds, set verbosity to 4 on unbound, and dig at it. Those logs then tell you what unbound is seeing, including wire 'dig like' output of what it gets from your authority servers.

Best regards,
Wouter

On 07/04/16 04:53, John (Scott) Crooks via Unbound-users wrote:
> I don't have it explicitly defined, so it's the default at
> `neg-cache-size: 1m`. You recommend to set it to `0` and not cache any
> of the failed queries?
>
> On Wed, Apr 6, 2016 at 2:00 PM, Eduardo Schoedler <[email protected]> wrote:
>
> > negative-cache perhaps?
> >
> > --
> > Eduardo Schoedler
> >
> > 2016-04-06 16:31 GMT-03:00 John (Scott) Crooks via Unbound-users <[email protected]>:
> >
> > > Greetings,
> > >
> > > I'm using Unbound as a recursing DNS server in our company office
> > > infrastructure. Here is the link to my `unbound.conf` file:
> > > https://gist.github.com/sc250024/5874948dceac674df53579c2a13d051d
> > >
> > > The `forward-zone` entries point to two PowerDNS servers that are
> > > authoritative for those domains listed in the configuration. Both PowerDNS
> > > servers are using a typical MySQL backend, and they are in a Master-Slave
> > > configuration.
> > >
> > > I notice that when I add new records to the authoritative servers, Unbound
> > > does not successfully resolve these records UNTIL I restart the Unbound
> > > daemon. In other words:
> > >
> > > `dig @10.0.32.6 somenewrecord.infra.company.com` <<-- Works since I'm
> > > querying the authoritative server directly
> > > `dig somenewrecord.infra.company.com` <<-- Returns a SERVFAIL until I
> > > restart the Unbound daemon
> > >
> > > Is this typical behavior? What am I doing wrong?
> > >
> > > --
> > > Scott Crooks
> >
>
> --
> Scott Crooks | DevOps Engineer
> 971.266.9761 | [email protected]
> vacasa.com
> Vacation rentals made easy®
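As an added example (not part of this thread, and not Unbound's own tooling), the script below follows the triage Wouter lays out: compare the RCODE of a plain `dig` with the same query under `+cdflag`, and emit the `stub-zone` plus `domain-insecure` fragment he suggests in place of `forward-zone`. The two `dig` header lines are constructed samples, not captured from Scott's resolver; the zone name and the 10.0.32.6 address are taken from his mail and stand in for whatever the reader actually runs. A live run assumes `dig` is installed and Unbound is the system resolver.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: SERVFAIL triage in the
# spirit of Wouter's advice (dig +cdflag, then stub-zone / domain-insecure).

# dig_status: pull the RCODE (NOERROR, SERVFAIL, ...) out of dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify: given the RCODE of a normal query and of the same query with
# +cdflag (checking disabled), say where the failure most likely lies.
classify() {
    normal=$1
    cdflag=$2
    if [ "$normal" = "SERVFAIL" ] && [ "$cdflag" = "NOERROR" ]; then
        # Data arrives but the validator rejects it: val-log-level: 2 names the reason.
        echo "validation-failure"
    elif [ "$normal" = "SERVFAIL" ] && [ "$cdflag" = "SERVFAIL" ]; then
        # +cd does not help, so the path to the authority server itself fails:
        # verbosity: 4 shows what Unbound receives on the wire.
        echo "upstream-failure"
    elif [ "$normal" = "NOERROR" ]; then
        echo "resolves"
    else
        echo "other:$normal/$cdflag"
    fi
}

# stub_config: the unbound.conf fragment Wouter suggests instead of forward-zone:
# a stub-zone pointing at the authority server, plus domain-insecure so the
# (unsigned) internal zone is not expected to validate.
stub_config() {
    zone=$1
    addr=$2
    cat <<EOF
server:
    domain-insecure: "$zone"

stub-zone:
    name: "$zone"
    stub-addr: $addr
EOF
}

# Constructed sample headers: what dig prints with and without +cdflag when the
# answer is present but fails DNSSEC validation.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'

# demo: run the classifier over the constructed samples (offline).
demo() {
    n=$(printf '%s\n' "$SAMPLE_NORMAL" | dig_status)
    c=$(printf '%s\n' "$SAMPLE_CD" | dig_status)
    classify "$n" "$c"
}

# Live use against a real resolver (assumes dig and a local Unbound):
#   n=$(dig somenewrecord.infra.company.com | dig_status)
#   c=$(dig +cdflag somenewrecord.infra.company.com | dig_status)
#   classify "$n" "$c"
#   stub_config infra.company.com 10.0.32.6   # fragment to merge into unbound.conf
```

The classifier only distinguishes the two cases Wouter's reply separates: SERVFAIL that disappears under `+cdflag` points at validation (so `val-log-level: 2` is the next step), while SERVFAIL that persists points at the upstream path (so `verbosity: 4` is). A `forward-zone` left in place alongside the generated `stub-zone` would still be consulted, so replace it rather than adding the fragment beside it.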
