1.9.2rc1 and x-zone CNAME

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Jun 11 12:35:07 UTC 2019


Hi Harry,

On 6/11/19 2:14 PM, Harry Schmalzbauer wrote:
> On 11.06.2019 at 12:34, Wouter Wijngaards wrote:
>>>> But I can tell that even queries without RD are recursed and RA flagged
>>> by other servers (MS, ISC) for x-auth-zone CNAME records.
>>> And that seems to be what clients rely on...
>>> And unfortunately limits the usage of unbound as frontend to a hidden
>>> primary.
>>> Ideas how this can be resolved?
>> Why is it that you could not do the suggested config file fix?  Set for
>> both zones in unbound.conf for-downstream: no and for-upstream: yes and
>> then unbound provides recursion for these zones?
> 
> Hello Wouter,
> 
> this leads to the reply:
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; test.sample1.local.    IN      A
> 
> ;; ANSWER SECTION:
> 
> ;; AUTHORITY SECTION:
> .       8       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019061100 1800 900 604800 86400
> 
> ;; ADDITIONAL SECTION:
> 
> ;; Query time: 1 msec
> 
> This is no answer clients can handle.
> Unfortunately, I didn't get the idea of for-downstream:no.
> Which client would want a root hint?
> Maybe there's something else wrong with my setup?

Did you set for-upstream: yes ?

It seems to give an answer from the root zone instead of the authority
zone, but I thought it would have used the authority zone.

Best regards, Wouter

> 
> Thanks,
> 
> -harry
> 
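
The unbound.conf setting suggested in this message, written out as an added example (not part of the original thread and not Harry's actual configuration). The zone names sample1.local and sample2.local and the primary address 192.0.2.53 are assumptions; only the query name test.sample1.local appears in the thread.

```conf
# Added example: two auth-zones transferred from a hidden primary.
# Zone names and the primary address are constructed placeholders.

auth-zone:
    name: "sample1.local."
    master: 192.0.2.53        # hidden primary (placeholder address)
    # no: do not answer clients directly from the zone data, so replies
    # are produced by the resolver rather than as authoritative answers.
    for-downstream: no
    # yes: the resolver uses the zone data as its upstream source
    # when it recurses for names in this zone.
    for-upstream: yes

auth-zone:
    name: "sample2.local."    # zone holding the CNAME target (assumed name)
    master: 192.0.2.53
    for-downstream: no
    for-upstream: yes
```

Both options default to yes, so only for-downstream changes from the default here.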
