servfail for stub-zones

Hello,

An unbound instance has this configuration to answer a dnsbl with data from a local rbldnsd:

     server:
      domain-insecure: "zen.spamhaus.org."
     stub-zone:
      name: "zen.spamhaus.org."
      stub-addr: 192.0.2.1
      stub-addr: 192.0.2.2

Also, I've "log-replies: yes"

I do expect logs with NOERROR or NXDOMAIN reply_codes. But I also see 0.01% SERVFAIL.

That's what I do not understand. What could be a reason for unbound's answer "SERVFAIL"?

The only reason I'm aware of /could/ be the fact that rbldnsd never answers via TCP.
But as far as I know, I can't tell unbound "these stub servers are reachable via UDP only".

Andreas

Hi Andreas,

> Hello,
>
> An unbound instance has this configuration to answer a dnsbl with data from a local rbldnsd:
>
>      server:
>       domain-insecure: "zen.spamhaus.org."
>      stub-zone:
>       name: "zen.spamhaus.org."
>       stub-addr: 192.0.2.1
>       stub-addr: 192.0.2.2
>
> Also, I've "log-replies: yes"

You can also use log-servfail: yes to see why Unbound SERVFAILed the request. I guess because it got out of options for the upstream servers; at least that's what I expect from your description.

> I do expect logs with NOERROR or NXDOMAIN reply_codes. But I also see 0.01% SERVFAIL.
>
> That's what I do not understand. What could be a reason for unbound's answer "SERVFAIL"?
>
> The only reason I'm aware of /could/ be the fact that rbldnsd never answers via TCP.
> But as far as I know, I can't tell unbound "these stub servers are reachable via UDP only".

If that was possible you would still get SERVFAIL because no answer could be received.
I mean Unbound tried over UDP and for some reason (TC bit?) had to switch to TCP.

Best regards,
-- Yorgos
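
Added example (not part of the thread, and not Unbound or rbldnsd code): a Python probe for the hypothesis discussed above, that a stub server sets the TC bit over UDP and then gives no answer over TCP. The names `build_query`, `parse_flags` and `probe`, the `port` parameter and the query name are assumptions of this example; it sends no EDNS0 OPT record, so the server caps UDP replies at 512 bytes.

```python
import socket
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query (class IN, RD clear, no EDNS0 OPT record)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Return (truncated, rcode) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_BIT), flags & 0x000F

def probe(addr, qname, port=53, timeout=2.0):
    """Ask over UDP; if TC is set, retry over TCP as a resolver would."""
    query = build_query(qname)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(query, (addr, port))
            truncated, rcode = parse_flags(udp.recv(4096))
    except (OSError, ValueError):
        return "no usable UDP answer"
    if not truncated:
        return f"UDP answer, rcode={rcode}"
    try:
        with socket.create_connection((addr, port), timeout=timeout) as tcp:
            # DNS over TCP prefixes each message with a 2-byte length.
            tcp.sendall(struct.pack("!H", len(query)) + query)
            reply = tcp.recv(4096)
        _, rcode = parse_flags(reply[2:])
        return f"TC over UDP, TCP answer, rcode={rcode}"
    except (OSError, ValueError):
        return "TC over UDP, no TCP answer"

if __name__ == "__main__":
    # Stub addresses from the configuration in the thread; 127.0.0.2 is
    # the conventional DNSBL test entry (RFC 5782).
    for server in ("192.0.2.1", "192.0.2.2"):
        print(server, probe(server, "2.0.0.127.zen.spamhaus.org."))
```

A result of "TC over UDP, no TCP answer" for a query name that SERVFAILed would match the explanation given in the reply.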