I have an unbound server using Quad9 as an upstream DNS provider. I have been unable to resolve records from slack.com recently using my local unbound.
On the server:

```
# dig @::1 slack.com

; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure <slack.com. A IN>: signature expired from 2620:fe::fe")
;; QUESTION SECTION:
;slack.com.			IN	A

;; Query time: 26 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 18:02:25 PDT 2024
;; MSG SIZE  rcvd: 116
```

But when I try to query Quad9 directly, it works:

```
# dig @2620:fe::fe slack.com

; <<>> dig 9.10.8-P1 <<>> slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;slack.com.			IN	A

;; ANSWER SECTION:
slack.com.		10	IN	A	35.81.85.251
slack.com.		10	IN	A	44.234.235.93
slack.com.		10	IN	A	54.70.179.16
slack.com.		10	IN	A	44.237.180.172
slack.com.		10	IN	A	52.89.90.67
slack.com.		10	IN	A	54.245.50.245
slack.com.		10	IN	A	54.188.33.22
slack.com.		10	IN	A	54.71.95.193
slack.com.		10	IN	A	35.82.91.193

;; Query time: 2 msec
;; SERVER: 2620:fe::fe#53(2620:fe::fe)
;; WHEN: Mon Mar 18 18:05:05 PDT 2024
;; MSG SIZE  rcvd: 182
```

I've tried

- `unbound-control reload`
- `unbound-control flush slack.com`
- `unbound-anchor`

... and there's no change. All other domains I've tried work. I am using one of StevenBlack's block lists and I changed that recently (from one list to another one), if that's relevant. I tried removing the block list entirely and saw no change.
Here's my unbound.conf:

```
server:
    interface: ::1
    interface: xxxx:xxxx:xxxx:xxxx::xxxx
    do-ip6: yes
    ede: yes
    do-nat64: yes
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: xxxx:xxxx:xxxx:xxxx::xxxx allow
    access-control: 192.168.1.0/32 allow
    access-control: xxxx:xxxx:xxxx:5700::/64 allow
    access-control: xxxx:xxxx:xxxx:5702::/64 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes
    private-address: ::1/128
    private-address: ::ffff:0:0/96
    private-address: fd00::/8
    private-address: fe80::/10
    module-config: "dns64 validator iterator"

include: /etc/unwind.conf.deny

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-addr: 2620:fe::fe
```

This feels like a caching issue to me, but I don't know what to do to resolve it. Unbound logs show the same error from the failing dig command. Would appreciate any help.
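As an added diagnostic helper (my own code, not part of the question or of Unbound), this decodes the hex EXTRA-TEXT of the EDE option that dig prints and compares an RRSIG's inception/expiration window with a given clock, which is the first thing to check when a validator reports EDE 7 while the upstream answers fine. The dig line is the one from the failing query above; the RRSIG line is a constructed placeholder for example.net, not a real record.

```python
import re
from datetime import datetime, timezone

# Extended DNS Error codes (RFC 8914) that describe DNSSEC validation failures.
EDE_CODES = {
    6: "DNSSEC Bogus",
    7: "Signature Expired",
    8: "Signature Not Yet Valid",
    9: "DNSKEY Missing",
    10: "RRSIGs Missing",
}

# Matches the "; EDE: <code> (<name>): <hex bytes>" line that dig prints.
EDE_RE = re.compile(r"EDE:\s*(\d+)\s*\(([^)]*)\):\s*((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})", re.I)

# The EDE line captured from the failing query in the question.
SAMPLE_DIG = ('; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 '
              '20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 '
              '65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65')

# Constructed RRSIG for a placeholder zone, NOT a real slack.com record. Fields after
# "RRSIG" (RFC 4034 s3.2): type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, signature.
SAMPLE_RRSIG = ("example.net. 10 IN RRSIG A 13 2 10 20240318000000 20240311000000 "
                "12345 example.net. Y29uc3RydWN0ZWQtc2FtcGxlLXNpZ25hdHVyZQ==")

def parse_ede(dig_output):
    """Return (code, name, decoded EXTRA-TEXT) from dig output, or None if no EDE line."""
    m = EDE_RE.search(dig_output)
    if not m:
        return None
    code = int(m.group(1))
    extra = bytes.fromhex(m.group(3).replace(" ", "")).decode("utf-8", "replace")
    return code, EDE_CODES.get(code, m.group(2)), extra

def rrsig_window(rrsig_line, now_utc=None):
    """Compare an RRSIG's inception/expiration (UTC, YYYYMMDDHHMMSS) with the clock.

    now_utc may be passed in the same timestamp format; it defaults to the system clock.
    A validator whose clock runs ahead sees 'expired'; one running behind sees 'not yet valid'.
    """
    f = rrsig_line.split()
    i = f.index("RRSIG")
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(f[i + 5], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[i + 6], fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_utc, fmt).replace(tzinfo=timezone.utc)
           if now_utc else datetime.now(timezone.utc))
    return {"expired": now > expiration, "not_yet_valid": now < inception,
            "seconds_past_expiration": int((now - expiration).total_seconds())}
```

Run `rrsig_window` on the RRSIG that `dig +dnssec` returns for the failing name and compare its window with `date -u` on the Unbound host; a window that is valid for Quad9 but expired for the local clock points at clock skew rather than the cache.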