CNAME, DNSSEC & qname minimisation

Alexandre Wicquart alexandre.wicquart at corp.ovh.com
Mon Aug 13 15:58:26 UTC 2018


Hello,


I have an issue with CNAME since this patch: https://github.com/NLnetLabs/unbound/commit/2be0263dfa72f314c4cb61599f1ec7e90784da9c


I'm using unbound 1.7.3 with qname-minimisation: yes, and the problem only occurs if I ask for a CNAME on a domain that has DNSSEC activated. Most of the time I get a SERVFAIL.


--- Example  ---

~ # dig cname pcs-cname.eyof.ovh

; <<>> DiG 9.10.3-P4-Debian <<>> cname pcs-cname.eyof.ovh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28362
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pcs-cname.eyof.ovh.            IN      CNAME

;; Query time: 770 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Mon Aug 13 17:50:32 CEST 2018
;; MSG SIZE  rcvd: 47
---


It works only if:
 - the domain does NOT have DNSSEC activated.

 - you ask for A instead of CNAME.


I finally recompiled a version of unbound 1.7.3 without this patch and I have no more problems.


Are you aware of this issue? Is there another way to correct this problem? Thanks.


Best Regards

--

Alex