Problem with undead upstreams

Paul Wouters paul at nohats.ca
Mon Feb 27 16:33:06 UTC 2023


On Mon, 27 Feb 2023, Florian Streibelt via Unbound-users wrote:

> No, again that is not my issue.
>
> All of the servers that dns.com operates are dropping queries for the 
> Resource Record Type DS.
>
> They are the authoritative servers for dns.com as well as for the parent zone 
> of the zone our customer wants to resolve and the zone itself.
>
> We are providing recursion for our customer.

Then if they do not respond properly for DS records or with proof of
non-existence, then that implementation is broken and there is not much
you can do. But this means they should also fail to work for Google DNS
on 8.8.8.8, or on Quad9 at 9.9.9.9. That is, your customer should really
move their domain elsewhere.

Perhaps you can try a local override, e.g.:

local-zone: <your-parentzone> ds always_nxdomain
local-zone: <your-customerzone> ds always_nxdomain

But I don't really know if that will work.

Another option might be to run an unbound instance with val-permissive-mode=yes
and then on your regular resolver, use a forward-zone: for your
parentzone and customer zone to that unbound instance.

Paul
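
Added example (not part of the thread and not unbound's own tooling): a small POSIX shell script that performs the check Paul describes, asking the parent zone's authoritative servers and the two public resolvers for the child's DS record and classifying each reply, and that emits the two-instance unbound layout he suggests. The zone names, port 5353, the trust-anchor path and the dig output samples used by self_check are assumptions or constructed; dig and unbound must be installed to run the live parts.

```shell
#!/bin/sh
# Added example, not from the original thread. Probes whether name servers
# answer DS queries (the symptom described above) and emits the two-instance
# unbound layout Paul suggests. Zone names, addresses, ports and paths are
# hypothetical placeholders.

# classify_ds_answer: read dig output on stdin and print one token:
#   DROPPED   no response at all (the server drops or times out the query)
#   DS        NOERROR with DS records in the answer (secure delegation)
#   NODATA    NOERROR with an empty answer (insecure delegation; a validator
#             still needs the NSEC/NSEC3 proof in the authority section)
#   NXDOMAIN  the name does not exist at all
#   OTHER:x   any other rcode (e.g. SERVFAIL from a validating recursor)
classify_ds_answer() {
  out=$(cat)
  case "$out" in
    *"no servers could be reached"*) echo DROPPED; return 0 ;;
  esac
  rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  ancount=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  case "$rcode" in
    NOERROR)  if [ "${ancount:-0}" -gt 0 ]; then echo DS; else echo NODATA; fi ;;
    NXDOMAIN) echo NXDOMAIN ;;
    "")       echo DROPPED ;;
    *)        echo "OTHER:$rcode" ;;
  esac
}

# probe_ds ZONE SERVER [dig options]: one DS query with the DO bit set, one
# try, short timeout, so a dropped query shows up as DROPPED instead of hanging.
probe_ds() {
  zone=$1; server=$2; shift 2
  dig +dnssec +time=3 +tries=1 "$@" "@$server" "$zone" DS | classify_ds_answer
}

# compare_ds CUSTOMER_ZONE PARENT_ZONE: ask every authoritative server of the
# parent (no recursion, so the server's own behaviour is seen), then the public
# validating resolvers named in the thread. DROPPED from the authoritative
# servers means the domain cannot validate anywhere, not just at your resolver.
compare_ds() {
  zone=$1; parent=$2
  for ns in $(dig +short NS "$parent"); do
    printf '%-40s %s\n' "$ns" "$(probe_ds "$zone" "$ns" +norecurse)"
  done
  for r in 8.8.8.8 9.9.9.9; do
    printf '%-40s %s\n' "$r" "$(probe_ds "$zone" "$r")"
  done
}

# permissive_forwarder_conf PORT: unbound.conf for a second instance that marks
# bogus answers as indeterminate instead of returning SERVFAIL.
permissive_forwarder_conf() {
  cat <<EOF
server:
    interface: 127.0.0.1
    port: $1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: yes
EOF
}

# forward_stanza CUSTOMER_ZONE PARENT_ZONE PORT: matching lines for the regular
# resolver. do-not-query-localhost defaults to yes and would otherwise silently
# refuse to talk to the forwarder on 127.0.0.1.
forward_stanza() {
  cat <<EOF
server:
    do-not-query-localhost: no
forward-zone:
    name: "$2"
    forward-addr: 127.0.0.1@$3
forward-zone:
    name: "$1"
    forward-addr: 127.0.0.1@$3
EOF
}

# Constructed dig output (not captured from any real server) for a self-check.
SAMPLE_DS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_DROPPED=';; connection timed out; no servers could be reached'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

self_check() {
  [ "$(printf '%s\n' "$SAMPLE_DS"       | classify_ds_answer)" = DS ] &&
  [ "$(printf '%s\n' "$SAMPLE_NODATA"   | classify_ds_answer)" = NODATA ] &&
  [ "$(printf '%s\n' "$SAMPLE_DROPPED"  | classify_ds_answer)" = DROPPED ] &&
  [ "$(printf '%s\n' "$SAMPLE_SERVFAIL" | classify_ds_answer)" = OTHER:SERVFAIL ]
}
```

Usage: source the file and run `compare_ds customer.example parent.example` to see which servers drop DS; `permissive_forwarder_conf 5353` and `forward_stanza customer.example parent.example 5353` print the two config fragments. One caveat on the two-instance layout (my note, not from the thread): val-permissive-mode only relaxes validation failures, not resolution failures, and the regular resolver still validates what the forwarder hands back, so if that still fails the remaining knob is `domain-insecure:` for the two zones, which disables DNSSEC for them entirely.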
