> bind-users have discussed same issue last year: discussion starts from this mail https://lists.isc.org/pipermail/bind-users/2014-December/094239.html
2015-09-14 21:15 GMT+09:00 Daisuke HIGASHI <daisuke.higa...@gmail.com>: > Hi, > > SERVFAIL on tweakers.net seems to be from fix on CVE-2014-8500. > This fix essentially limits number of query (to authoritative servers) > to resolve target qname. If a qname requires many query to resolve > it becomes SERVFAIL This situation often occurs when cache is empty > (e.g. just after starting unbound or cache flush) > > bind-users have discussed same issue last year: > https://lists.isc.org/pipermail/bind-users/2014-December/thread.html > > Possible workarounds are to increase MAX_TARGET_COUNT > (iterator/iterator.h) to relax number of query limitation but it may > reduce robustness against CVE-2014-8500-related attack. > > Regards, > -- > Daisuke HIIGASHI > > > 2015-09-11 18:39 GMT+09:00 Frank de Bot via Unbound-users > <unbound-users@unbound.net>: >> Hi, >> >> Under FreeBSD I'm setting up a resolv-only unbound server. While testing >> I've noticed some domain do not resolve (server returns SERVFAIL)