unbound replaces CNAME query with A query?
pemensik at redhat.com
Fri Mar 31 13:57:46 UTC 2023
On 3/31/23 14:54, Tuomo Soini wrote:
> On Fri, 31 Mar 2023 13:01:28 +0200
> Petr Menšík via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>> I am using dnssec-trigger-0.17-7.fc36.x86_64 and
>> unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the
>> behaviour, even if I flush cache by "unbound-control flush_zone ." It
>> is returning consistently CNAME with NOERROR. Does it happen only
>> when the unbound does not have forwarders and is iterating itself? I
>> keep getting CNAME with NOERROR.
> > $ kdig cnametest.bleve.fi. CNAME
> Try the query I just listed, should work with bind dig too.
> If you query bleve.fi authoritative dns servers to get correct answer.
> cname query only fails if cname target gives NXDOMAIN.
I have tried on my unbound and it never returns NXDOMAIN to me. The
result is the same with kdig or dig, that makes no difference. I get
NOERROR, not NXDOMAIN.
$ kdig cnametest.bleve.fi. CNAME | head -2
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35718
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
> For example following query works correctly because destination of the
> cname exists.
> kdig _443._tcp.bleve.fi. cname
> This is obviously a bug, very special case which resolver need to
> handle different way than normal cname resolution. Also cloudflare,
> quad9, and google resolvers seem to have same problem. Seem to be
> special case not handled by most dns resolver.
> dnsmasq and bind seem to be able to handle that query correctly.
dnsmasq does not handle CNAMEs at all. It requires upstream recursive
server to do the job and just passes the result to a client. bind can to
proper iteration job from root hints however.
If it is a bug, I would suggest creating issue at
But maybe more precise steps should be described when it returns
NXDOMAIN. Just flushing the cache and doing your query does not seem to
be enough for me.
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
More information about the Unbound-users