<div dir="ltr">Ok, that sounds great. Thank you!<div><br></div><div>/Håkan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 12, 2018 at 4:36 PM, Ralph Dolmans via Unbound-users <span dir="ltr"><<a href="mailto:unbound-users@unbound.net" target="_blank">unbound-users@unbound.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Hakan,<br>
<br>
This is indeed related to the CNAME classification change in 1.7.1.<br>
After that change responses for the minimised queries can be treated as<br>
CNAME responses. Unbound has a limit in number of CNAMEs to follow to<br>
prevent loops, that limit is 8. Because the nameserver here gives CNAMEs<br>
for some of the minimised CNAME targets, the number of received<br>
CNAMEs passes the maximum and Unbound stops resolving.<br>
<br>
I committed a fix that only counts CNAME for the full name, not for the<br>
partial/minimised queries.<br>
<br>
-- Ralph<br>
<span class=""><br>
On 11-06-18 23:31, Håkan Lindqvist via Unbound-users wrote:<br>
> Hi,<br>
> <br>
> I ran into an issue where it appears that Unbound 1.7.1 fails to<br>
> resolve some Akamai CDN names if qname-minimisation is enabled<br>
> (consistently responds with SERVFAIL).<br>
> 1.7.0 did not exhibit the same behavior with identical configuration.<br>
> <br>
</span><span class="">> A couple of example names: <a href="http://cdn.samsung.com" rel="noreferrer" target="_blank">cdn.samsung.com</a><br>
> <<a href="http://cdn.samsung.com" rel="noreferrer" target="_blank">http://cdn.samsung.com</a>>, <a href="http://storeedgefd.dsx.mp.microsoft.com" rel="noreferrer" target="_blank">stor<wbr>eedgefd.dsx.mp.microsoft.com</a><br>
> <<a href="http://storeedgefd.dsx.mp.microsoft.com" rel="noreferrer" target="_blank">http://storeedgefd.dsx.mp.<wbr>microsoft.com</a>> (eg "dig<br>
</span>> @unbound <a href="http://cdn.samsung.com" rel="noreferrer" target="_blank">cdn.samsung.com</a> <<a href="http://cdn.samsung.com" rel="noreferrer" target="_blank">http://cdn.samsung.com</a>>")<br>
<div class="HOEnZb"><div class="h5">> <br>
> With verbosity turned up, the log includes:<br>
> debug: request has exceeded the maximum number of query restarts with 9<br>
> debug: return error response SERVFAIL<br>
> <br>
> It appears Unbound intentionally aborts, and the limits don't appear to<br>
> have changed since 1.7.0, but maybe the accounting has changed?<br>
> (I'm not sure if the "Fix cname classification with qname minimisation<br>
> enabled." change could be related?)<br>
> <br>
> I also ran across one other mention of what I believe is the same issue<br>
> at: <a href="https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1608638.html" rel="noreferrer" target="_blank">https://www.mail-archive.<wbr>com/debian-bugs-dist@lists.<wbr>debian.org/msg1608638.html</a><br>
> <br>
> <br>
> Is this a straight up bug or are there some settings (other than<br>
> disabling qname-minimisation) that I just fail to find that can counter<br>
> this new behavior?<br>
> <br>
> I find it a bit concerning since there's some very high profile<br>
> sites/services using the affected Akamai CDN (with their rather<br>
> enthusiastic CNAME usage) and that 1.7.2 apparently enables<br>
> qname-minimisation by default.<br>
> <br>
> <br>
> /Håkan<br>
</div></div></blockquote></div><br></div>
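The accounting difference described in the thread, as an added example that is not part of the original messages and is not Unbound source code. It is a simplified model: all names and records are constructed, and it assumes a CNAME answer to a partial (minimised) query just lets minimisation continue, so only the counting differs between the two modes.

```python
# Simplified model of CNAME accounting under QNAME minimisation.
# Not Unbound code; every name and record below is constructed.

MAX_RESTARTS = 8  # CNAME limit stated in the thread

# Constructed authoritative data: name -> (rrtype, value).
ZONE = {
    "www.shop.example": ("CNAME", "www.shop.example.edge.cdn.test"),
    "www.shop.example.edge.cdn.test": ("CNAME", "e1.a.b.c.node.cdn.test"),
    "e1.a.b.c.node.cdn.test": ("A", "192.0.2.10"),
}
# Constructed: ancestor names for which the nameserver also answers a
# minimised query with a CNAME (the target is ignored by this model).
for partial in ("edge.cdn.test", "example.edge.cdn.test",
                "shop.example.edge.cdn.test", "node.cdn.test",
                "c.node.cdn.test", "b.c.node.cdn.test",
                "a.b.c.node.cdn.test"):
    ZONE[partial] = ("CNAME", "wildcard.cdn.test")


def minimised_names(qname, start_labels=2):
    """Names asked in turn: ancestors of qname, one more label per step.
    Assumption: the delegation for the last start_labels labels is cached."""
    labels = qname.split(".")
    first = min(start_labels, len(labels))
    return [".".join(labels[-n:]) for n in range(first, len(labels) + 1)]


def resolve(qname, count_partial_cnames):
    """Return (answer, cname_count).
    count_partial_cnames=True models the 1.7.1 behaviour from the thread;
    False models the fix (count CNAMEs for the full name only)."""
    restarts = 0
    current = qname
    while True:
        for name in minimised_names(current):
            rrtype, value = ZONE.get(name, ("NODATA", None))
            is_full = name == current
            if rrtype == "CNAME" and (is_full or count_partial_cnames):
                restarts += 1
                if restarts > MAX_RESTARTS:
                    return ("SERVFAIL", restarts)
        # rrtype/value now hold the answer for the full name.
        if rrtype != "CNAME":
            return (value if rrtype == "A" else "NODATA", restarts)
        current = value  # follow the real CNAME and minimise again


if __name__ == "__main__":
    print("count partial CNAMEs:", resolve("www.shop.example", True))
    print("full name only:      ", resolve("www.shop.example", False))
```

The chain has only two real CNAMEs, yet counting the partial answers reaches 9 and trips the limit, matching the "query restarts with 9" log line in the report.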