[Unbound-users] Broken DNS or broken Unbound?
drc at virtualized.org
Sat Dec 17 18:27:17 UTC 2011
On Dec 17, 2011, at 2:20 AM, Mike Cardwell wrote:
> On 17/12/11 00:04, Anand Buddhdev wrote:
>>> Is matt.io's DNS configuration broken, or is Unbound broken?
>> The DNS setup of matt.io is broken. They've made the well-known
>> mistake of mixing a CNAME record with other records:
Unfortunately, this scenario (CNAME and other data, particularly at the zone apex) is increasingly common as a result of web hosting scenarios despite the restrictions in the DNS specs. There was at least one attempt to standardize behavior (http://tools.ietf.org/html/draft-sury-dnsext-cname-at-apex-00), but I gather it withered on the vine.
> Ah, I see. I'll contact him and let him know. Can anyone explain why
> these two results differ for me?
> mike at server:~$ dig +short ns matt.io
> mike at server:~$ dig +short +cd ns matt.io
> mike at server:~$
> I understand that his zone is broken, but why does that make Unbound
> return a different response depending on whether or not DNSSEC is
> enabled? He might have noticed this problem earlier if Unbound refused
> to return an address even with DNSSEC disabled...
Since CNAME and other data is explicitly disallowed in RFC 1035, any behavior, up to and including packets exploding in an Earth-Shattering Kaboom, shouldn't be surprising. I'd agree that the inconsistency between DNSSEC/non-DNSSEC is unexpected, but you know what they say about the Spanish Inquisition...
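The "CNAME plus other data" mistake discussed in this thread is easy to catch before a zone is published, rather than after a validating resolver like Unbound starts behaving differently from a non-validating one. The following is an added example, not code from the thread or from the Unbound project: a small zone-file linter that parses a constructed sample zone (the `example.test.` names, addresses and the placeholder RRSIG are all made up here) and reports every owner name where a CNAME coexists with other record types. It deliberately exempts RRSIG, NSEC and NSEC3, because RFC 4035 section 2.5 allows those to sit beside a CNAME in a signed zone; everything else at the same name, including the SOA and NS that an apex must carry, is flagged. The parser is a simplification that handles one record per line with an explicit owner name, which is enough for a pre-publish check of hand-written zones.

```python
import re
from collections import defaultdict

# Record types RFC 4035 section 2.5 permits alongside a CNAME in a signed zone.
DNSSEC_COMPANIONS = {"RRSIG", "NSEC", "NSEC3"}

# Constructed sample zone (assumption: not a real zone). The apex repeats the
# mistake under discussion: SOA/NS/A and a CNAME share the same owner name.
# The RRSIG rdata is a placeholder, not a real signature.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
@        IN NS    ns1.example.test.
@        IN NS    ns2.example.test.
@        IN CNAME web-host.provider.test.
@        IN A     192.0.2.10
ns1      IN A     192.0.2.1
ns2      IN A     192.0.2.2
www      IN CNAME web-host.provider.test.
www      IN RRSIG CNAME 13 3 3600 20300101000000 20200101000000 12345 example.test. placeholder-signature
mail     IN A     192.0.2.20
mail     IN MX    10 mail.example.test.
"""

# owner [ttl] [IN] type rdata  (continuation lines without an owner are not supported)
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z0-9]+)\s+(.*)$")


def parse_zone(text):
    """Return {owner_name: set(rrtypes)} for a simple one-record-per-line zone."""
    origin = "."
    types_by_name = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments and trailing space
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError("unparseable zone line: %r" % raw)
        owner, rrtype, _rdata = m.groups()
        # Expand "@" and relative names to fully qualified owner names.
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        types_by_name[owner].add(rrtype)
    return dict(types_by_name)


def find_cname_conflicts(types_by_name):
    """Return [(owner, [other types])] for every name mixing CNAME with other data.

    DNSSEC companion records (RRSIG/NSEC/NSEC3) are allowed beside a CNAME and
    are therefore not reported; any other type at the same name is a violation
    of RFC 1035 section 3.6.2.
    """
    problems = []
    for owner, types in sorted(types_by_name.items()):
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"} - DNSSEC_COMPANIONS)
        if others:
            problems.append((owner, others))
    return problems


if __name__ == "__main__":
    for owner, others in find_cname_conflicts(parse_zone(SAMPLE_ZONE)):
        print("%s: CNAME coexists with %s" % (owner, ", ".join(others)))
```

Run against the sample, the linter reports only the apex, `example.test.`, as carrying a CNAME next to A, NS and SOA; `www.example.test.` passes because its only companion is an RRSIG. Since a zone apex always owns SOA and NS records, a CNAME at the apex can never be valid, which is why the draft mentioned above tried to define an alternative rather than relax the rule.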