unbound replaces CNAME query with A query?

Tuomo Soini tis at foobar.fi
Fri Mar 31 12:54:05 UTC 2023

On Fri, 31 Mar 2023 13:01:28 +0200
Petr Menšík via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> I am using dnssec-trigger-0.17-7.fc36.x86_64 and 
> unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the 
> behaviour, even if I flush cache by "unbound-control flush_zone ." It
> is returning consistently CNAME with NOERROR. Does it happen only
> when the unbound does not have forwarders and is iterating itself? I
> keep getting CNAME with NOERROR.

> $ kdig cnametest.bleve.fi. CNAME

Try the query I just listed; it should work with BIND dig too.
If you query the bleve.fi authoritative DNS servers, you get the correct answer.

A CNAME query only fails if the CNAME target gives NXDOMAIN.

For example, the following query works correctly because the destination of the
CNAME exists.

kdig _443._tcp.bleve.fi. cname

This is obviously a bug, a very special case which a resolver needs to
handle differently from normal CNAME resolution. Also the Cloudflare,
Quad9, and Google resolvers seem to have the same problem. It seems to be a
special case not handled by most DNS resolvers.

dnsmasq and BIND seem to be able to handle that query correctly.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
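The special case discussed in this thread is the rule in RFC 1034 section 3.6.2: a resolver restarts a query at the CNAME target, except when the query type itself is CNAME, in which case the CNAME RR is the answer and the target is never looked up. A resolver that chases the target anyway and propagates the target's NXDOMAIN turns a valid CNAME answer into NXDOMAIN. The following is an added example, not code from the thread, from Unbound or from any of the resolvers named above: it builds a QTYPE=CNAME query, parses a wire-format response (including compression pointers), and classifies the resolver's behaviour. The sample responses, the names under example. and the function names are constructed for illustration; query_resolver() can be pointed at a real resolver but is not exercised offline.

```python
"""Check how a resolver answers a QTYPE=CNAME query whose target does not exist.

Per RFC 1034 3.6.2, queries matching the CNAME type are not restarted at the
target, so the correct answer is NOERROR plus the CNAME RR even if the target
is NXDOMAIN. Everything here is stdlib only; names and responses are constructed.
"""
import socket
import struct

QTYPE_CNAME = 5
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_cname_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD=1, one question of type CNAME."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_CNAME, QCLASS_IN)


def build_cname_response(name: str, target: str, rcode: int, txid: int = 0x1234) -> bytes:
    """Constructed sample response (not a capture): QR=1 RD=1 RA=1, optional CNAME RR."""
    flags = 0x8180 | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if target else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_CNAME, QCLASS_IN)
    if target:
        rdata = encode_name(target)
        # owner name as a pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, QCLASS_IN, 300, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; CNAME rdata is decoded to a name."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_CNAME:
            rdata, _ = decode_name(msg, off)
        off += rdlen
        answers.append((owner, rtype, rdata))
    return {"rcode": flags & 0xF, "questions": questions, "answers": answers}


def classify_cname_answer(msg: bytes) -> str:
    """'ok' = NOERROR with the CNAME RR; 'target-nxdomain-leaked' = the bug in this thread."""
    r = parse_response(msg)
    qname = r["questions"][0][0].lower()
    has_cname = any(o.lower() == qname and t == QTYPE_CNAME for o, t, _ in r["answers"])
    if r["rcode"] == RCODE_NOERROR and has_cname:
        return "ok"
    if r["rcode"] == RCODE_NXDOMAIN:
        return "target-nxdomain-leaked" if has_cname else "nxdomain-without-cname"
    return "other"


def query_resolver(name: str, server: str, timeout: float = 3.0) -> bytes:
    """Send the CNAME query over UDP to a resolver (not run offline; no TC handling)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cname_query(name), (server, 53))
        return s.recvfrom(4096)[0]
```

Against a live resolver, `classify_cname_answer(query_resolver("cnametest.bleve.fi.", "127.0.0.1"))` distinguishes a resolver that keeps the CNAME answer from one that returns the target's NXDOMAIN; the two constructed responses in the test below show both outcomes without network access.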
