1.9.2rc1 and x-zone CNAME

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Jun 11 12:43:11 UTC 2019


Hi Harry,

On 6/11/19 2:35 PM, Wouter Wijngaards via Unbound-users wrote:
> Hi Harry,
> 
> On 6/11/19 2:14 PM, Harry Schmalzbauer wrote:
>> On 11.06.2019 at 12:34, Wouter Wijngaards wrote:
>>>> But I can tell that even queries without RD are recursed and RA flagged
>>>> by other servers (MS, ISC) for x-auth-zone CNAME records.
>>>> And that seems to be what clients rely on...
>>>> And unfortunately limits the usage of unbound as frontend to a hidden
>>>> primary.
>>>> Ideas how this can be resolved?
>>> Why is it that you could not do the suggested config file fix?  Set for
>>> both zones in unbound.conf for-downstream: no and for-upstream: yes and
>>> then unbound provides recursion for these zones?
>>
>> Hello Wouter,
>>
>> this leads to the reply:
>> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
>> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; test.sample1.local.    IN      A
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> .       8       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019061100 1800 900 604800 86400
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 1 msec
>>
>> This is no answer clients can handle.
>> Unfortunately, I didn't get the idea of for-downstream:no.
>> Which client would want a root hint?
>> Maybe there's something else wrong with my setup?
> 
> Did you set for-upstream: yes ?
> 
> It seems to give an answer from the root zone instead of the authority
> zone, but I thought it would have used the authority zone.

To answer myself, do you have a forward-zone?  For me it then works if a
stub-zone exists (above the name).  So, two entries of stub-zone: name:
"sample1.local" and stub-zone: name: "sample2.local" would make it work
for me.  The issue is that unbound with a forward-zone does not think
that it should perform recursion so getting data from the authority zone
is not what it wants, because the upstream recursor is doing the recursion.

Best regards, Wouter

> 
> Best regards, Wouter
> 
>>
>> Thanks,
>>
>> -harry
>>
> 
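
The configuration discussed in this thread, written out as an added example that is not part of the original messages: the auth-zone settings and the two stub-zone names come from the thread, while the forward-zone for ".", all addresses (documentation range 192.0.2.0/24) and the `master:` lines are assumptions standing in for the poster's real setup.

```conf
# unbound.conf fragment (added example, placeholder addresses)

# Assumed: a catch-all forwarder. With this present, unbound expects the
# upstream recursor to do the recursion and does not consult the
# auth-zones on its own for names below it.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53        # placeholder upstream recursor

# Zones transferred from the hidden primary. for-downstream: no stops
# unbound from answering clients directly from the zone data;
# for-upstream: yes lets the resolver use the zone data during recursion,
# so a CNAME from one zone into the other can be followed.
auth-zone:
    name: "sample1.local"
    master: 192.0.2.10              # placeholder hidden primary
    for-downstream: no
    for-upstream: yes

auth-zone:
    name: "sample2.local"
    master: 192.0.2.10              # placeholder hidden primary
    for-downstream: no
    for-upstream: yes

# The two stub-zone entries named in the reply. They sit above the
# queried names, so these names are no longer handled by the "."
# forward-zone. Only the names are given in the thread; no stub
# addresses are stated there.
stub-zone:
    name: "sample1.local"

stub-zone:
    name: "sample2.local"
```

A fragment like this can be syntax-checked with `unbound-checkconf` before reloading, and the result compared against the NXDOMAIN reply quoted above by repeating the same query for test.sample1.local.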
