[Unbound-users] Broken DNS or broken Unbound?

Mike Cardwell unbound at lists.grepular.com
Sat Dec 17 10:20:38 UTC 2011

On 17/12/11 00:04, Anand Buddhdev wrote:

>> Can anyone explain what is going on with the domain matt.io? I'm
>> running Unbound 1.4.9 and have it set up to do DNSSEC validation.
>> "dig matt.io" SERVFAILs, however "dig +cd matt.io" works fine.
>> This domain doesn't have DNSSEC on it though... I also noticed that
>> when I attempt to look up the NS records, all it returns is a
>> CNAME. Is that valid?
>> Is matt.io's DNS configuration broken, or is Unbound broken?
> The DNS setup of matt.io is broken. They've made the well-known
> mistake of mixing a CNAME record with other records:

Ah, I see. I'll contact him and let him know. Can anyone explain why
these two results differ for me?

mike@server:~$ dig +short ns matt.io
mike@server:~$ dig +short +cd ns matt.io
mike@server:~$

I understand that his zone is broken, but why does that make Unbound
return a different response depending on whether or not DNSSEC is
enabled? He might have noticed this problem earlier if Unbound refused
to return an address even with DNSSEC disabled...

Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
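
The mistake named in the quoted reply, a CNAME sharing an owner name with other records, can be checked for mechanically. The following is an added example, not part of the original message and not Unbound code: the function names are hypothetical, the records are constructed for illustration (they are not matt.io's data), and the input is assumed to be in dig's answer format with name, TTL, class and type all present.

```python
from collections import defaultdict

# Types that may share an owner name with a CNAME in a signed zone
# (RFC 4035, section 2.5); anything else violates RFC 1034, section 3.6.2.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

# Constructed sample records, not real data for any domain.
SAMPLE_RECORDS = """\
; constructed sample in dig answer format
broken.example.test.   300 IN CNAME target.example.net.
broken.example.test.   300 IN MX    10 mail.example.test.
broken.example.test.   300 IN NS    ns1.example.test.
www.example.test.      300 IN CNAME host.example.test.
www.example.test.      300 IN RRSIG CNAME 8 3 300 20120101000000 20111201000000 12345 example.test. c2ln
host.example.test.     300 IN A     192.0.2.10
HOST.example.test.     300 IN AAAA  2001:db8::10
"""

def parse_records(text):
    """Yield (owner, rrtype) for each record line; owner names are case-insensitive."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) < 5:
            continue  # need name, TTL, class, type and some rdata
        owner, _ttl, _cls, rrtype = fields[:4]
        yield owner.lower().rstrip(".") + ".", rrtype.upper()

def cname_conflicts(text):
    """Return {owner: [types that illegally coexist with a CNAME]}."""
    types_by_owner = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types_by_owner[owner].add(rrtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        extra = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and extra:
            conflicts[owner] = sorted(extra)
    return conflicts

if __name__ == "__main__":
    for owner, extra in sorted(cname_conflicts(SAMPLE_RECORDS).items()):
        print(f"{owner}: CNAME coexists with {', '.join(extra)}")
```
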
