validating nxdomain for subdomains of data-less labels in auth-zone

George (Yorgos) Thessalonikefs george at
Fri Nov 11 14:19:38 UTC 2022

This does sound like a bug for auth-zone then.
I don't have time to replicate atm but could you open an issue for it?

Also, is this NSEC or NSEC3?

Best regards,
-- Yorgos

On 11/11/2022 15:09, Michael Tokarev wrote:
> 11.11.2022 16:54, George (Yorgos) Thessalonikefs wrote:
>> Now I spot that this is auth-zone.
> Yes it is auth-zone.  It is set up this way because it is a remote 
> office with
> somewhat flaky connectivity and I thought about always having whole 
> thing locally
> instead of relying for the upstream during all the runtime.
>> Which version of Unbound is that?
> It is 1.16.3 currently.  I thought about giving 1.17 a try, - upgraded 
> to 1.17.0,
> with exactly the same effect. (It is Debian package of Unbound, - I'm 
> trying to
> keep it current in Debian).
>> I would first try with stub-zone instead and point to the NSD instance 
>> you mentioned.
> The stub-zone works, it worked for many years (with not a best 
> reliability, see
> above).  I just tested it again - switching from auth-zone to stub-zone 
> with the
> same stub-address works just fine.
> It is only the auth-zone which dosn't work - I removed the temporary TXT 
> record and
> it started failing again.
> Thanks!
> /mjt

More information about the Unbound-users mailing list