On 2023-02-27 14:00, Havard Eidnes wrote:
>> I am new to unbound and this list, but was unable to find a solution
>> for my problem in the documentation and by searching.
>>
>> My issue is a set of authoritative nameservers that host a domain a
>> customer tries to resolve.
>>
>> Everything works fine, until we try to resolve a DS record within that
>> zone. All queries for DS are being ignored by the authoritatives of
>> that domain and just get dropped without any answer. Thus unbound
>> marks all of the servers unresponsive and will refuse to resolve
>> anything within that zone, although queries for other record types are
>> happily answered by the servers.
>
> I suspect you are falling victim to one of the more odd and
> perhaps unexpected quirks of DNSSEC.
>
> The DS records for a given name are in fact not authoritative in
> the zone named by the owner name of the DS record, but are
> instead authoritative in the parent (delegating) zone(!)

I know that. But that is not my issue, in fact it is completely unrelated to DNSSEC.

It is just being triggered by querying DS records for certain domains via our unbound.

The upstream nameservers will drop DS queries on the network layer and not respond at all.

Our customer for some reason is sending DS queries to our unbound(s) for these domains.

Unbound then tries to query the servers and gets no response.

As a result it marks them all as unresponsive and then will not resolve any other records hosted on these nameservers, as they are internally marked as down, responding with a SERVFAIL until the timer is expired to re-query these servers.


Florian
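To confirm that an authoritative server really answers ordinary queries but silently drops DS queries, as Florian describes, a small probe that sends both query types directly to each server and compares the outcome is useful. The script below is an added example written for this thread, not something posted by Florian, Havard or the Unbound project. It builds DNS queries by hand (no third-party library), sends them over UDP with a fixed timeout, and reports per server whether SOA and DS each got any response. The server addresses and zone name are placeholders; replace them with the nameservers of the affected zone. Run it from the same vantage point as the resolver, because a drop may happen in a firewall on the path rather than on the server itself.

```python
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "DS": 43}


def build_query(qname, qtype, qid=None):
    """Build a minimal DNS query in wire format with RD=0, as a resolver sends
    to an authoritative server. Returns (id, packet bytes)."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    flags = 0x0000  # QR=0, OPCODE=0, RD=0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return qid, header + question


def parse_response(data, expected_id):
    """Decode the 12-byte DNS header of a response. Returns a dict with the
    fields a diagnostic cares about, or None if the packet is too short."""
    if len(data) < 12:
        return None
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_ok": qid == expected_id,
        "qr": bool(flags >> 15),
        "rcode": flags & 0xF,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def probe(server, qname, qtype, timeout=2.0):
    """Send one query to server:53 over UDP. Returns the parsed header, or
    None when nothing (or nothing matching our ID) comes back in time."""
    qid, pkt = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data, qid)
    if resp is None or not resp["id_ok"]:
        return None
    return resp


def classify(results):
    """results maps qtype -> parsed response or None. A server that answers
    SOA but times out on DS shows exactly the behaviour described above."""
    soa, ds = results.get("SOA"), results.get("DS")
    if soa is None and ds is None:
        return "unresponsive (no answer to any query)"
    if soa is not None and ds is None:
        return "drops DS queries (SOA answered, DS timed out)"
    return "responds to both"


def run(servers, qname):
    """Probe every server for SOA and DS and print a one-line verdict each."""
    verdicts = {}
    for srv in servers:
        results = {t: probe(srv, qname, t) for t in ("SOA", "DS")}
        verdicts[srv] = classify(results)
        print(f"{srv}: {verdicts[srv]}")
    return verdicts


if __name__ == "__main__":
    # Placeholder values: substitute the real authoritative servers and zone.
    run(["192.0.2.1", "192.0.2.2"], "zone.example.")
```

A server that returns a referral or NODATA for the DS query is behaving correctly, since DS lives in the parent; only the "DS timed out while SOA answered" verdict matches the problem in this thread. Checking each listed nameserver separately also tells you whether every server drops DS, which is what it takes for Unbound to mark the whole set unresponsive.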
