1.9.2rc1 and x-zone CNAME
Harry Schmalzbauer
list.unbound at omnilan.de
Sun Jun 9 09:44:49 UTC 2019
Hello,
thank you very much for all the hard work improving unbound.
I tested various failover fixes briefly. But I have another
showstopper for my use case:
You have two auth-zone:, sample1.test and sample2.test (or
sub.sample1.test or sample1.invalid, doesn't matter)
If your master has a CNAME RR, referencing a different zone with the
same SOA, there's a "deadlock" with unbound; the CNAME will never get
resolved, and only the CNAME is returned.
How to repeat:
Create RR www.sample1.test. IN CNAME www.sample2.test.
drill @hiddenprimary www.sample1.test
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16083
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.sample1.test. IN A
;; ANSWER SECTION:
www.sample1.test. 1800 IN CNAME www.sample2.test.
www.sample2.test. 36000 IN CNAME s1.sample2.test.
s1.sample2.test. 36000 IN A 192.0.2.254
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
Now check that unbound correctly loaded the zones from the hidden
primary and repeat the query against unbound instead of the hidden
primary and the CNAME will never get resolved:
drill @localhost www.sample1.test
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 51266
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.sample1.test. IN A
;; ANSWER SECTION:
www.sample1.test. 1800 IN CNAME www.sample2.test.
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
I tried with transparent zones but never got x-zone CNAME records to
work with unbound.
While here, why are answers for zones coming from local-zone: (SOA) not
aa flagged?
Thanks,
-harry
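
Added example, not part of the message above and not Unbound project code: a check that parses the ANSWER section of drill output and reports whether the CNAME chain for a query name ends in an address record, so the hidden primary's answer and the resolver's answer can be compared automatically. The function names are hypothetical; the two sample outputs are the answer sections quoted in the message.

```python
# Added example: detect a CNAME chain that a server returned without resolving it.
PRIMARY_OUT = """;; ANSWER SECTION:
www.sample1.test. 1800 IN CNAME www.sample2.test.
www.sample2.test. 36000 IN CNAME s1.sample2.test.
s1.sample2.test. 36000 IN A 192.0.2.254
;; AUTHORITY SECTION:
"""  # from the message: drill @hiddenprimary
UNBOUND_OUT = """;; ANSWER SECTION:
www.sample1.test. 1800 IN CNAME www.sample2.test.
;; AUTHORITY SECTION:
"""  # from the message: drill @localhost

def parse_answer(drill_output):
    """Return (owner, type, rdata) tuples from the ANSWER section only."""
    records, in_answer = [], False
    for line in drill_output.splitlines():
        line = line.strip()
        if line.startswith(";;"):  # section headers and the question line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        fields = line.split()
        if in_answer and len(fields) >= 5:  # owner ttl class type rdata...
            records.append((fields[0].lower(), fields[3].upper(), " ".join(fields[4:])))
    return records

def follow_chain(qname, records, max_hops=16):
    """Follow CNAMEs from qname; return (status, last_name, addresses)."""
    cnames = {o: r.lower() for o, t, r in records if t == "CNAME"}
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata)
    name, seen = qname.lower(), set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            return ("loop", name, [])  # CNAME loop or overlong chain
        seen.add(name)
        name = cnames[name]
    if name in addrs:
        return ("resolved", name, addrs[name])
    return ("dangling" if seen else "no-data", name, [])

def compare(qname, primary_out, resolver_out):
    """Classify both answers and flag a difference between the two servers."""
    p = follow_chain(qname, parse_answer(primary_out))
    r = follow_chain(qname, parse_answer(resolver_out))
    return {"primary": p, "resolver": r, "mismatch": p[0] != r[0]}

if __name__ == "__main__":
    print(compare("www.sample1.test.", PRIMARY_OUT, UNBOUND_OUT))
```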