unbound replaces CNAME query with A query?

Tuomo Soini tis at foobar.fi
Fri Mar 31 08:17:15 UTC 2023


On Thu, 30 Mar 2023 23:28:37 +0200
Christoph via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> Hi Petr,
> 
> thanks for your reply and your questions.
> 
> Petr Menšík via Unbound-users:
> > Correct me if I do not understand it correctly. Whether you query CNAME
> > or A record should not make a difference in NXDOMAIN status. But in
> > any case the answer is not there. How does it change ACME process
> > when there is NXDOMAIN and not just no-answer NOERROR response?

There really seems to be an issue in unbound when querying CNAME.

I created a test record, pointing at another domain, a non-existing name.

kdig cnametest.bleve.fi. CNAME

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 46683
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; cnametest.bleve.fi. 		IN	CNAME

;; AUTHORITY SECTION:
bleve.fi.           	3462	IN	SOA	foo-ns.foobar.fi. hostmaster.foobar.fi. 1679142493 28800 7200 864000 28800

;; Received 97 B
;; Time 2023-03-31 11:13:51 EEST
;; From 2001:998:2e::1 at 53(UDP) in 0.8 ms


If I query the authoritative server directly, I get the correct answer.

It looks like unbound erroneously tries to follow the CNAME to a
non-existing record even when the CNAME itself is queried. CNAME should
only be followed if something != CNAME is queried.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
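
The following is an added example, not part of the original message and not Unbound code: a minimal Python model of the CNAME handling in RFC 1034 section 4.3.2 (step 3a) with the final-name RCODE rule of RFC 6604, showing the answers a CNAME query and an A query for the same alias should produce. The zone contents other than the owner name cnametest.bleve.fi. are constructed placeholders, and `resolve` and `differs_from_expected` are hypothetical helper names.

```python
# Constructed zone data: the first owner name is the test record from the
# message; the CNAME target and the www/host names are made-up placeholders.
ZONE = {
    ("cnametest.bleve.fi.", "CNAME"): ["missing.example.net."],
    ("www.bleve.fi.", "CNAME"): ["host.bleve.fi."],
    ("host.bleve.fi.", "A"): ["192.0.2.10"],
}

MAX_CHAIN = 8  # give up on CNAME loops or overly long chains


def name_exists(zone, name):
    """True if any record type is present at this owner name."""
    return any(owner == name for owner, _ in zone)


def resolve(zone, qname, qtype):
    """Return (rcode, answer_rrs) for a query against the in-memory zone."""
    answers = []
    name = qname.lower()
    for _ in range(MAX_CHAIN):
        if (name, qtype) in zone:
            # Exact type match, which includes QTYPE=CNAME: answer and stop.
            answers += [(name, qtype, rdata) for rdata in zone[(name, qtype)]]
            return "NOERROR", answers
        if (name, "CNAME") in zone:
            # Alias found while asking for another type: keep the CNAME RR
            # in the answer and restart the lookup at its target.
            target = zone[(name, "CNAME")][0]
            answers.append((name, "CNAME", target))
            name = target.lower()
            continue
        # Nothing of this type here: the RCODE describes the last name reached.
        return ("NOERROR" if name_exists(zone, name) else "NXDOMAIN"), answers
    return "SERVFAIL", answers


def differs_from_expected(zone, qname, qtype, seen_rcode, seen_answer_count):
    """Compare an observed response header with what the model expects."""
    rcode, answers = resolve(zone, qname, qtype)
    return (seen_rcode, seen_answer_count) != (rcode, len(answers))


if __name__ == "__main__":
    for qtype in ("CNAME", "A"):
        print(qtype, resolve(ZONE, "cnametest.bleve.fi.", qtype))
    # Header values from the kdig output in the message: NXDOMAIN, ANSWER: 0
    print(differs_from_expected(ZONE, "cnametest.bleve.fi.", "CNAME", "NXDOMAIN", 0))
```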

