CNAME, DNSSEC & qname minimisation
Ralph Dolmans
ralph at nlnetlabs.nl
Fri Aug 17 12:54:05 UTC 2018
Hi Alex,
As mentioned in the bugzilla ticket wrt this issue
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4147): I just
committed a fix that should resolve this bug.
Thanks again for reporting!
-- Ralph
On 13-08-18 17:58, Alexandre Wicquart via Unbound-users wrote:
> Hello,
>
>
> I have an issue with CNAME since this patch:
> https://github.com/NLnetLabs/unbound/commit/2be0263dfa72f314c4cb61599f1ec7e90784da9c
>
>
> I'm using unbound 1.7.3 with *qname-minimisation: yes* and the problem
> only occurs if I ask for a CNAME on a domain having DNSSEC activated.
> Most of the time I get a SERVFAIL.
>
> --- Example ---
>
> ~ # dig cname pcs-cname.eyof.ovh
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> cname pcs-cname.eyof.ovh
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28362
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;pcs-cname.eyof.ovh. IN CNAME
>
> ;; Query time: 770 msec
> ;; SERVER: 213.186.33.99#53(213.186.33.99)
> ;; WHEN: Mon Aug 13 17:50:32 CEST 2018
> ;; MSG SIZE rcvd: 47
> ---
>
> it works only if
> - domain has NOT DNSSEC activated.
>
> - you ask for A instead of CNAME.
>
>
> I finally recompiled a version of unbound 1.7.3 without this patch and I
> have no more problem.
>
>
> Are you aware of this issue? Is there another way to correct this
> problem? Thanks.
>
>
> Best Regards
>
> --
>
> Alex
>