Problem with undead upstrems
he at uninett.no
Mon Feb 27 13:00:44 UTC 2023
> I am new to unbound and this list, but was unable to find a solution
> for my problem in the documentation and by searching.
> My issue is a set of authoritative nameservers that host a domain a
> customer tries to resolve.
> Everything works fine, until we try to resolve a DS record within that
> zone. All queries for DS are being ignored by the authoritatives of
> that domain and just get dropped without any answer. Thus unbound
> marks all of the servers unresponsive and will refuse to resolve
> anything within that zone, although queries for other record types are
> happily answered by the servers.
I suspect you are falling victim to one of the more odd and
perhaps unexpected quirks of DNSSEC.
The DS records for a given name are in fact not authoritative in
the zone named by the owner name of the DS record, but are
instead authoritative in the parent (delegating) zone(!)
All the other record types (including DNSKEY) for that name are
authoritative in the zone named by that same name.
Hope this helps you figuring out the rest.
More information about the Unbound-users