SERVFAIL for Unbound v1.18

alex_capturemedia · December 19, 2023, 12:11pm

Since the upgrade to unbound v1.18, we have encountered numerous SERVFAIL errors when attempting to issue a new certificate without a CAA entry. I tested the process with unbound v1.19, and it functions flawlessly there.

There is also a bug related to this issue on GitHub for v1.18:

github.com/NLnetLabs/unbound

SERVFAIL while running unbound 1.18 on FreeBSD with setfib and set private-address

opened 09:16AM - 18 Oct 23 UTC

hshh

**Describe the bug** While running unbound 1.18 on FreeBSD with setfib and set …private-address, it returned SERVFAIL. The error log is "exceeded the maximum number of sends". Unbound 1.18 run without setfib works correctly. Unbound 1.17.1 with the same configuration file works correctly. **To reproduce** Steps to reproduce the behavior: 1. set unbound.conf with private-address: ::/0 2. run unbound with setfib 1 /usr/local/sbin/unbound -c unbound.conf **System:** - Unbound version: 1.18 - OS: FreeBSD 13.2-RELEASE - `unbound -V` output: ``` Version 1.18.0 Configure line: --with-libexpat=/usr/local --with-ssl=/usr --disable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd13.2 Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1t-freebsd 7 Feb 2023 Linked modules: dns64 dynlib respip validator iterator ``` **Additional information** Add any other information that you may have gathered about the issue here.

Although adding a CAA entry resolved the problem, it requires informing all our clients to add a CAA entry to ensure the certificate can be renewed.

It might be advisable to revert to v1.16 or upgrade to v1.19.

Osiris · December 19, 2023, 12:22pm

Do you mean you're running Unbound as a DNS server for your domain(s) or do you mean the upgrade on Let's Encrypts side with the Unbound resolver library?

Because if I look at the linked error above, I think it's not applicable to the Unbound resolver upgrade used by Let's Encrypt.

However, in Unbound 1.18.0 there has been a fix with regard to some non-conforming DNS servers. See the following thread for more information:

alex_capturemedia · December 19, 2023, 12:37pm

No, I don't use unbound. I conducted some tests to determine whether our DNS Provider has an issue or if the problem is related to Let's Encrypt unbound. As mentioned earlier, the issue only arises with v1.18. The same tests work correctly on v1.16.0, v1.17.1, and v1.19.0. Only v1.18.0 presents problems.

The test can be reproduced using the following commands:

docker run --rm --name unbound klutchell/unbound:1.18.0
docker exec unbound dig @127.0.0.1 <domain> CAA

Replace <domain> with a domain experiencing the issue.

Osiris · December 19, 2023, 12:58pm

Well, I'm no C expert and also not a DNS RFC expert, but it seems the fix in 1.18.0 mentioned in the earlier thread I linked was altered in 1.19.0:

Fix in 1.18.0:

Another fix (?) within the same code in 1.19.0:

Not sure what's going on there though. Something has changed and I assume for the better? Perhaps sounds like the second change has reverted the Unbound stricter compatibility with the DNS specs with regard to the SOA RR that has to come with the NOERROR reply.

@jcjones Do you perhaps have an opinion with regard to this issue? (As you seem to be involved in the upgrade to 1.18.0 earlier.)

jcjones · December 19, 2023, 3:23pm

I'm planning an upgrade to Unbound 1.19 as soon as we come back in the new year; I've got the changeset already worked up. Hopefully 1.18 -> 1.19 will be smoother than 1.16.x -> 1.18.

webprofusion · December 20, 2023, 2:31am

@alex_capturemedia just so the support community can correlate likely affected providers, who is your DNS provider? There is a known issue with hover.com, which may be using servers based on a version of PowerDNS.

alex_capturemedia · December 21, 2023, 8:57am

@webprofusion Our infrastructure uses DNSimple.

orangepizza · December 21, 2023, 9:01am

did new LE side update fixed the problem?

system · January 20, 2024, 9:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.