validating nxdomain for subdomains of data-less labels in auth-zone

Michael Tokarev mjt at
Tue Nov 8 19:01:23 UTC 2022


I'm not sure for the right wording used in $subject, but the issue is here,
let me describe it.

  name:     "dom"
  primary:  <primary-ip>
  zonefile: "dom.cached"
  for-downstream: no

With this config, and with "dom" containing the following
3 records (+ all the right DNSSEC ones):

  a.x A
  y   A
  b.y A

query for foo.y.dom (non-existing) return NXDOMAIN, but
query for foo.x.dom (also non-existing) return TEMPFAIL,
with the following in the log:

   unbound: [73699:0] debug: NameError response has failed to prove: covering wildcard does not exist
   unbound: [73699:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
   unbound: [73699:0] info: validate(nxdomain): sec_status_bogus

(with many other debugging info omitted).

The difference between foo.x.dom and foo.y.dom is that the
intermediate label in first case (x.dom) does not have its
own records, while in the second case (y.dom) does have an
A record. So for any subdomain of a label which does not have
its own records but which exists, unbound fails to validate

This smells like a wrong behavior?



More information about the Unbound-users mailing list