1.9.2rc1 and x-zone CNAME
Wouter Wijngaards
wouter at nlnetlabs.nl
Tue Jun 11 10:34:37 UTC 2019
Hi Harry,
On 6/11/19 12:19 PM, Harry Schmalzbauer wrote:
> On 11.06.2019 at 11:26, Tony Finch via Unbound-users wrote:
>> Wouter Wijngaards via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
>>> The issue looks to be that you have for-downstream: yes on both zones.
>>> Unbound therefore uses that zone to answer downstream, and skipping to
>>> another zone is not really what an authoritative server has to do as it
>>> is outside of bailiwick in the answer.
>> Does unbound set RA=0 on its replies in this case?
>
> Hello,
>
> thanks for the explanation and the hint.
> I guess that's the problem, which breaks real world setup. Answer
> section contains RecursionAvailable flag.
> So the client doesn't do any further lookup, hence the "dead" lookup.
There is a client that depends on the RA flag for recursion or not for
lookups?
>
> It's out of my scope to suggest a fix.
> But I can tell that even queries without RD are recursed and RA flagged
> by other servers (MS, ISC) for x-auth-zone CNAME records.
> And that seems to be what clients rely on...
> And unfortunately limits the usage of unbound as frontend to a hidden
> primary.
> Ideas how this can be resolved?
Why is it that you could not do the suggested config file fix? Set for
both zones in unbound.conf for-downstream: no and for-upstream: yes and
then unbound provides recursion for these zones?
Best regards, Wouter
>
> Thanks,
>
> -harry
>
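
The configuration change suggested in the reply above, as an added example that is not part of the original message: both auth-zones keep their data available to the resolver but stop answering clients authoritatively, so that unbound provides recursion for names in them. The zone names and the primary's address are placeholders, not values from this thread.

```conf
# unbound.conf fragment (added example; names and addresses are placeholders)

# Before: the setting the thread identifies as the cause. With
# for-downstream: yes the zone answers clients as an authoritative
# server would, and a CNAME pointing into the other zone is not followed.
# auth-zone:
#     name: "zone-a.example."
#     master: 192.0.2.1
#     for-downstream: yes
#     for-upstream: yes

# After: applied to BOTH zones, as suggested in the reply.
auth-zone:
    name: "zone-a.example."
    master: 192.0.2.1        # placeholder address of the hidden primary
    for-downstream: no       # do not serve authority answers straight from the zone
    for-upstream: yes        # resolver uses the zone data instead of querying upstream

auth-zone:
    name: "zone-b.example."
    master: 192.0.2.1        # placeholder address of the hidden primary
    for-downstream: no
    for-upstream: yes
```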