When libunbound encounters a validation error, it retries up to 5 times, going through all the authoritative servers. In general I find that a bit silly. Sure, it might help with certain operator errors when signing a zone, but in my experience the oopsie just spreads like wildfire via XFR to all auths anyway.
I think this will speed up detection that something is messing with DNSSEC when we change networks, but I haven't been able to test that.

This would be a local diff we'd have to carry; I currently have a PR open with upstream to make this configurable: https://github.com/NLnetLabs/unbound/pull/486

I don't know if we need this right now, but since I figured out how this works I might as well share it. If you want this now please speak up, otherwise I'll wait for the PR to go in.

diff --git sbin/unwind/libunbound/validator/validator.h sbin/unwind/libunbound/validator/validator.h
index 35da1920aa3..96457c9bb80 100644
--- sbin/unwind/libunbound/validator/validator.h
+++ sbin/unwind/libunbound/validator/validator.h
@@ -65,7 +65,7 @@ struct config_strlist;
 #define BOGUS_KEY_TTL 60 /* seconds */
 
 /** max number of query restarts, number of IPs to probe */
-#define VAL_MAX_RESTART_COUNT 5
+#define VAL_MAX_RESTART_COUNT 0
 
 /** Root key sentinel is ta preamble */
 #define SENTINEL_IS "root-key-sentinel-is-ta-"

-- 
I'm not entirely sure you are real.
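Review bot: in the validator.h hunk the comment directly above the changed define still reads "max number of query restarts, number of IPs to probe", which no longer describes a value of 0 (no restarts, no further IPs probed); since this is a local deviation from upstream that has to survive the next libunbound sync, update that comment to say restarts are disabled locally and reference the upstream PR (https://github.com/NLnetLabs/unbound/pull/486) next to the define, so whoever merges the next import sees why the value differs from upstream's 5.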