unbound replaces CNAME query with A query?

Tuomo Soini tis at foobar.fi
Fri Mar 31 08:17:15 UTC 2023

On Thu, 30 Mar 2023 23:28:37 +0200
Christoph via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> Hi Petr,
> thanks for your reply and your questions.
> Petr Menšík via Unbound-users:
> > Correct me if I understand it not correctly. whether you query CNAME
> > or A record should not make a difference in NXDOMAIN status. But in
> > any case the answer is not there. How does it change ACME process
> > when there is NXDOMAIN and not just no-answer NOERROR response?  

There really seem to be issue in unbound when querying cname.

I created test record, pointing at another domain, non-exiting name.

kdig cnametest.bleve.fi. CNAME

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 46683
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; cnametest.bleve.fi. 		IN	CNAME

bleve.fi.           	3462	IN	SOA
foo-ns.foobar.fi. hostmaster.foobar.fi. 1679142493 28800 7200 864000

;; Received 97 B
;; Time 2023-03-31 11:13:51 EEST
;; From 2001:998:2e::1 at 53(UDP) in 0.8 ms

If I query from authoritative server directly, I get correct answer.

It looks like unbound errorously try to follow cname to non-existing
record even when cname itself is queried. CNAME should only be followed
if something != cname is queried.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

More information about the Unbound-users mailing list