I have two large enough (150-200 hosts) segments of internal network, 
10.XXX.0.0 and 10.YYY.0.0. They are linked through the Internet; the speed is not like 
local but high enough, about 50Mb/s. I used two authoritative bind servers and 
three recursive ones (two in one segment, one in the second), also bind. For 
making the bind, unbound and nsd configuration and zone files I'm using the hostdb 
package, so the configs for all authoritative and recursive servers are generated and 
distributed at once by hostdb.
Now I'd like to reconstruct DNS. In place of my three recursive 
servers I've created three combined ones with unbound and nsd, where nsd listens 
only locally on a separate port.
This works fine for the first several minutes after reloading unbound, and then for local 
names I get SERVFAIL: "all the configured stub or forward servers failed, at zone 
abc.local". At the same time, Internet names continue to be resolved normally.
Unbound:
server:
        interface: 0.0.0.0
        do-not-query-localhost: no
 
stub-zone:
        name: "abc.local"
        stub-addr: 127.0.0.1@5678
 
stub-zone:
        name: "10.in-addr.arpa."
        stub-addr: 127.0.0.1@5678
 
forward-zone:
        name: "."
        forward-addr: 8.8.8.8
 
I'm not sure which is the source of this problem, unbound or nsd. nsd has no 
such diagnostic, but dig -p 5678 @127.0.0.1 localname.abc.local works fine.
 
It is difficult to catch the moment when it starts to SERVFAIL.
Looks like some resources are running out.
 
I've brought the two separate authoritative servers back, so now it is like:
stub-zone:
        name: "abc.local"
        stub-addr: 127.0.0.1@5678
        stub-addr: ipofauthserver1
        stub-addr: ipofauthserver2
 
Although there are not many hosts within the network, there are about 
10,000 names in the local DNS zones.
 
All my DNS servers are OpenBSD 6.5-7.0 64-bit virtual machines which are 
running on several free ESXi 5.5 and 7.3 servers.
Unbound 1.8.1 — 1.13.2
 
Has anybody run into the same situation, where unbound, after several minutes of 
normal work, stops resolving local names with SERVFAIL if it has only one local 
nsd source for local names?
I think such a configuration with unbound + nsd on one host is reasonable for 
home users, for example.
 
Regards
Dmitri Stepanov
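Since the hard part of this report is catching the moment the SERVFAIL starts, here is an added watcher script (not part of Dmitri's post or of the Unbound project) that polls nsd on 127.0.0.1:5678 and unbound on 127.0.0.1:53 for a name in abc.local, logs both RCODEs, and flags the "nsd answers, unbound SERVFAILs" state from the post. It assumes BIND's dig is installed, that unbound-control is configured (used only to dump the infra cache when the fault is first seen), and uses localname.abc.local as a placeholder name.

```shell
#!/bin/sh
# Added example: watch for unbound returning SERVFAIL for abc.local while the
# local nsd on port 5678 still answers. Placeholder name and ports from the post.
NAME="${NAME:-localname.abc.local}"
NSD_PORT="${NSD_PORT:-5678}"
UNBOUND_PORT="${UNBOUND_PORT:-53}"
INTERVAL="${INTERVAL:-30}"

# Pull the RCODE out of dig's ";; ->>HEADER<<- ... status: X," line.
# Returns NORESPONSE when no header is present (timeout, connection refused).
dig_status() {
    st=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$st" ]; then printf '%s\n' "$st"; else printf 'NORESPONSE\n'; fi
}

# Compare the authoritative (nsd) and recursive (unbound) answers for one poll.
classify() {
    nsd="$1"; unb="$2"
    if [ "$nsd" = NOERROR ] && [ "$unb" = SERVFAIL ]; then
        echo resolver-fault      # nsd is fine, unbound fails: the symptom reported
    elif [ "$nsd" != NOERROR ]; then
        echo nsd-fault           # the authoritative side itself is not answering
    elif [ "$unb" = NOERROR ]; then
        echo ok
    else
        echo "other:$unb"
    fi
}

# One query with a short timeout and a single try so the loop never blocks.
query() { dig +time=2 +tries=1 -p "$2" @127.0.0.1 "$1" A 2>&1; }

watch_loop() {
    seen=0
    while :; do
        n=$(dig_status "$(query "$NAME" "$NSD_PORT")")
        u=$(dig_status "$(query "$NAME" "$UNBOUND_PORT")")
        v=$(classify "$n" "$u")
        printf '%s nsd=%s unbound=%s verdict=%s\n' "$(date '+%FT%T')" "$n" "$u" "$v"
        # On the first resolver-fault, record how unbound currently rates its
        # stub servers (rtt, lame, timeouts) in the infra cache for later diagnosis.
        if [ "$v" = resolver-fault ] && [ "$seen" = 0 ]; then
            seen=1; unbound-control dump_infra 2>&1 | grep -F "127.0.0.1"
        fi
        sleep "$INTERVAL"
    done
}

case "${1:-}" in run) watch_loop ;; esac
```

Start it with `sh watch.sh run > servfail.log` and leave it running; the first resolver-fault line gives the timestamp to correlate with unbound's own log and the infra-cache snapshot that follows it.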