From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Prevent Unbound from penalty upstream server
To:
OpenBSD tech <tech@openbsd.org>
Date:
Fri, 10 May 2024 14:23:10 +0100

tech@,

I'd like to offer a change in the unbound default settings that prevents Unbound
from penalizing an upstream server for up to 24h.

Here is a long discussion about such behaviour [1] and here is the comment [2]
where one of the Unbound developers explains that behaviour.

The suggested changes switch off that "feature" and force Unbound to try
to reach an upstream server for each request, which seems like the expected
behaviour for a DNS resolver.

Footnotes:
[1]  https://github.com/NLnetLabs/unbound/issues/362

[2]  https://github.com/NLnetLabs/unbound/issues/362#issuecomment-2079235443

diff --git etc/unbound.conf etc/unbound.conf
index b33c099d70f..c406d683d33 100644
--- etc/unbound.conf
+++ etc/unbound.conf
@@ -29,6 +29,19 @@ server:
 	#
 	aggressive-nsec: yes
 
+	# Unbound penalizes the upstream server for up to 24 hours if it is
+	# not responding particularly well. When it happens, Unbound returns
+	# SERVFAIL for every request to that upstream server.
+	# Here we disable this feature and set the timeout between
+	# attempts to reach the upstream server between 2 and 15 seconds,
+	# but make no more than 16 attempts to reach the upstream server
+	# before returning SERVFAIL.
+	# See: https://github.com/NLnetLabs/unbound/issues/362
+	infra-keep-probing: yes
+	outbound-msg-retry: 16
+	infra-cache-min-rtt: 2000
+	infra-cache-max-rtt: 15000
+
 	# Serve zones authoritatively from Unbound to resolver clients.
 	# Not for external service.
 	#
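Review bot: the worst-case time before SERVFAIL implied by these values is very long: with `outbound-msg-retry: 16` and a per-attempt timeout bounded by `infra-cache-min-rtt: 2000` / `infra-cache-max-rtt: 15000`, a dead upstream can hold a single query for up to 16 x 15 s before the resolver gives up, far beyond what stub resolvers on clients will wait, so they will time out and retry on their own and pile further queries onto the same unreachable server. Consider a lower retry count or a smaller max RTT, and state the resulting worst-case delay in the comment. The comment's claim "Here we disable this feature" also overstates what `infra-keep-probing: yes` does: the directive name says the server keeps probing a host that was marked down (so it recovers sooner), it does not turn off the marking itself; reword the comment to match, e.g. "Keep probing upstream servers that have been marked down instead of ...".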


-- 
wbr, Kirill