Why is Unbound not like a `dig +trace`?
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Wed Sep 24 09:53:01 UTC 2025
Hi François,
On 24/09/2025 11:16, François Lafont via Unbound-users wrote:
> I have done my tests again and of course, as you say:
>
> * with "qname-minimisation: yes" (the default) a
>   `dig in.ac-versailles.fr CAA` failed (timeout).
> * with "qname-minimisation: no" a `dig in.ac-versailles.fr CAA` works. \o/
>
> That's really interesting. We learn something new every day with DNS. :)
> Thanks again.

You can still learn a little more here!
You shouldn't be getting a timeout with qname-minimisation enabled!

The domain in.ac-versailles.fr is not properly configured and when asked
with "in.ac-versailles.fr A" it will return a delegation with designated
servers at:

prd-dns-int-01.in.ac-versailles.fr, and
prd-dns-int-02.in.ac-versailles.fr

Those servers do not seem to reply and cause the timeout you encounter
with dig.

qname-minimisation exposes broken delegations by its way of operation.

Now, why do the ac-versailles.fr nameservers reply with a NODATA answer
specifically for "in.ac-versailles.fr CAA" queries only, I don't know.

Best regards,
-- Yorgos