validating nxdomain for subdomains of data-less labels in auth-zone
George (Yorgos) Thessalonikefs
george at nlnetlabs.nl
Fri Nov 11 14:19:38 UTC 2022
This does sound like a bug for auth-zone then.
I don't have time to replicate atm but could you open an issue for it?
Also, is this NSEC or NSEC3?
Best regards,
-- Yorgos
On 11/11/2022 15:09, Michael Tokarev wrote:
> 11.11.2022 16:54, George (Yorgos) Thessalonikefs wrote:
>> Now I spot that this is auth-zone.
>
> Yes it is auth-zone. It is set up this way because it is a remote
> office with
> somewhat flaky connectivity and I thought about always having whole
> thing locally
> instead of relying for the upstream during all the runtime.
>
>> Which version of Unbound is that?
>
> It is 1.16.3 currently. I thought about giving 1.17 a try, - upgraded
> to 1.17.0,
> with exactly the same effect. (It is Debian package of Unbound, - I'm
> trying to
> keep it current in Debian).
>
>> I would first try with stub-zone instead and point to the NSD instance
>> you mentioned.
>
> The stub-zone works, it worked for many years (with not a best
> reliability, see
> above). I just tested it again - switching from auth-zone to stub-zone
> with the
> same stub-address works just fine.
>
> It is only the auth-zone which dosn't work - I removed the temporary TXT
> record and
> it started failing again.
>
> Thanks!
>
> /mjt
More information about the Unbound-users
mailing list