[Unbound-users] support of 'server' statement

Rok Potočnik r at rula.net
Wed Jun 30 15:08:55 UTC 2010

On 25.6.2010 23:10, Olafur Gudmundsson wrote:
> Based on what was said here:
> http://brussels38.icann.org/bitcache/e758b09ba8002f798c8fad8f17601e9c8fe5f5ca?vid=13129&disposition=attachment&op=download
> We can expect godaddy to fix their servers soon thus you would not
> need this option :-)
> Olafur
> On 25/06/2010 10:24 AM, W.C.A. Wijngaards wrote:
>> Hash: SHA1
>> Hi Rok,
>> That feature would be blocked under creeping featurism and a desire to
>> keep unbound light and simple.
>> Also, dig @ns01.domaincontrol.com. www.godaddy.com +dnssec +norec works
>> fine, and configuration is not necessary.
>> Those servers do not include an EDNS OPT section in the answers, which
>> is not terribly important and unbound 'accepts lenient'.
>> Best regards,
>> Wouter
>> On 06/22/2010 11:18 AM, Rok Potočnik wrote:
>>> Will unbound ever support a 'server' statement as in bind's
>>> server {
>>> edns no;
>>> };
>>> It seems (probably all) NSxx.DOMAINCONTROL.COM servers (godaddy) don't
>>> respond to dnssec queries so I'd like to override my recursive servers
>>> never to ask with EDNS.

It seems the problem isn't at godaddy but rather somewhere in between, 
as bind list users said a couple of times, some of them get the reply using

dig +dnssec @ns33.domaincontrol.com. replacementservices.com.

The only workaround for now seems to be

         name: "replacementservices.com"

but doing this on our scale is quite a workout as the servers provide 
recursive replies for about 200k clients.

LP, Rok

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2261 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20100630/3597d1cd/attachment.bin>

More information about the Unbound-users mailing list