1.9.2rc1 and x-zone CNAME

Harry Schmalzbauer list.unbound at omnilan.de
Tue Jun 11 13:03:42 UTC 2019


Am 11.06.2019 um 14:35 schrieb Wouter Wijngaards:
> Hi Harry,
>
> On 6/11/19 2:14 PM, Harry Schmalzbauer wrote:
>> Am 11.06.2019 um 12:34 schrieb Wouter Wijngaards:
>>>> But I can tell that even queries without RD are recursed and RA flagged
>>>> by other servers (MS, ISC) for x-auth-zone CNAME records.
>>>> And that seems to be what clients rely on...
>>>> And unfortunately limits the usage of unbound as frontend to a hidden
>>>> primary.
>>>> Ideas how this can be resolved?
>>> Why is it that you could not do the suggested config file fix?  Set for
>>> both zones in unbound.conf for-downstream: no and for-upstream: yes and
>>> then unbound provides recursion for these zones?
>> Hello Wouter,
>>
>> this leads to the reply:
>> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
>> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;; test.sample1.local.    IN      A
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>> .       8       IN      SOA     a.root-servers.net.
>> nstld.verisign-grs.com. 2019061100 1800 900 604800 86400
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; Query time: 1 msec
>>
>> This is no answer clients can handle.
>> Unfortunately, I didn't get the idea of for-downstream:no.
>> Which client would want a root hint?
>> Maybe there's something else wrong with my setup?
> Did you set for-upstream: yes ?
>
> It seems to give an answer from the root zone instead of the authority
> zone, but I thought it would have used the authority zone.

Hello Wouter,

thanks for the quick reply!  I do have for-upstream: yes in my config.
I always wondered why for-upstream: yes and for-downstream: no only 
results in a root zone hint.
As soon as I set for-downstream: yes, I get the expected answers with aa 
flag from the corresponding zone, but like mentioned with the CNAME problem.
Is unbound with setting for-downstream: no supposed to reply with an 
answer from zone?

Thanks,

-harry
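For readers following the thread, here is an added unbound.conf fragment (not posted by either participant) that spells out the two auth-zone settings under discussion. The zone name, the primary's address and the zonefile path are assumptions chosen for illustration; the behaviour noted in the comments is only what the poster reports above, not an explanation of it.

```conf
# Added example, not from the thread. Zone name, primary address and
# zonefile path are assumptions. Keywords shown are the ones in the
# 1.9.x man page for auth-zone.
server:
    verbosity: 1
    interface: 127.0.0.1

auth-zone:
    name: "sample1.local."
    master: 192.0.2.1               # hidden primary (assumed address)
    zonefile: "/var/unbound/sample1.local.zone"
    fallback-enabled: no            # do not fall back to upstream on failure

    # Configuration suggested in the thread. The poster reports that with
    # these two lines a query for test.sample1.local returns NXDOMAIN with
    # the root SOA in the authority section.
    for-downstream: no              # do not serve the zone to clients (no aa)
    for-upstream: yes               # use zone data instead of upstream lookups

    # The configuration the poster says gives aa-flagged answers from the
    # zone, but with the cross-zone CNAME problem described earlier:
    # for-downstream: yes
    # for-upstream: yes
```

To reproduce the two observations against a running instance, query it once with and once without the RD bit (`dig @127.0.0.1 test.sample1.local A` and the same with `+norecurse`) and compare the `flags:` line of each reply for `aa`, `rd` and `ra`, which is the detail the thread turns on.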
