1.9.2rc1 and x-zone CNAME
Harry Schmalzbauer
list.unbound at omnilan.de
Tue Jun 11 10:19:22 UTC 2019
On 11.06.2019 at 11:26, Tony Finch via Unbound-users wrote:
> Wouter Wijngaards via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
>> The issue looks that you have the for-downstream: yes on both zones.
>> Unbound therefore uses that zone to answer downstream, and skipping to
>> another zone is not really what an authoritative server has to do as it
>> is outside of bailiwick in the answer.
> Does unbound set RA=0 on its replies in this case?
Hello,
thanks for the explanation and the hint.
I guess that's the problem, which breaks real-world setups. The answer
section contains the RecursionAvailable flag.
So the client doesn't do any further lookup, hence the "dead" lookup.
It's out of my scope to suggest a fix.
But I can tell that even queries without RD are recursed and RA flagged
by other servers (MS, ISC) for x-auth-zone CNAME records.
And that seems to be what clients rely on...
And unfortunately that limits the usage of unbound as a frontend to a hidden
primary.
Ideas how this can be resolved?
Thanks,
-harry
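
The condition discussed in this message (a reply flagged RA whose answer section holds only a CNAME pointing into another zone, so the client does no further lookup) can be checked on a captured DNS reply. The following is an added example, not part of the original post and not Unbound code; the function names and the `a.example`/`b.example` zones are assumptions, and the sample reply is constructed.

```python
import struct

CNAME, A, AAAA = 5, 1, 28

def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels, zero terminator.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    # Advance past a name; a compression pointer (top two bits set) ends it.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def analyze(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "answer_types": types,
        # CNAME present but no address record: the chain was not followed.
        "cname_only": CNAME in types and not ({A, AAAA} & set(types)),
    }

def sample_response(ra):
    # Constructed reply: www.a.example CNAME host.b.example, no A record.
    flags = 0x8000 | 0x0400 | 0x0100 | (0x0080 if ra else 0)   # QR, AA, RD, RA
    q = encode_name("www.a.example") + struct.pack("!HH", A, 1)
    target = encode_name("host.b.example")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", CNAME, 1, 300, len(target)) + target
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + q + rr

def stub_is_stranded(msg):
    # RA=1 with a CNAME-only answer: the case where the client does no further lookup.
    r = analyze(msg)
    return r["ra"] and r["cname_only"]
```
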