1.9.2rc1 and x-zone CNAME

Harry Schmalzbauer list.unbound at omnilan.de
Tue Jun 11 12:14:30 UTC 2019


On 11.06.2019 at 12:34, Wouter Wijngaards wrote:
…
>> But I can tell that even queries without RD are recursed and RA flagged
>> by other servers (MS, ISC) for x-auth-zone CNAME records.
>> And that seems to be what clients rely on...
>> And unfortunately limits the usage of unbound as frontend to a hidden
>> primary.
>> Ideas how this can be resolved?
> Why is it that you could not do the suggested config file fix?  Set for
> both zones in unbound.conf for-downstream: no and for-upstream: yes and
> then unbound provides recursion for these zones?

Hello Wouter,

this leads to the reply:
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; test.sample1.local.    IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       8       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019061100 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 1 msec

This is no answer clients can handle.
Unfortunately, I didn't get the idea of for-downstream:no.
Which client would want a root hint?
Maybe there's something else wrong with my setup?

Thanks,

-harry




