RA flag missing on NSEC negative cache responses
Jürgen Stauber
juergen at stauber.io
Mon Feb 16 10:12:05 UTC 2026
Hello together,
I’m running unbound as my recursive resolver and encountered various "dnsmasq: nameserver 127.0.0.1 refused to do a recursive query” error messages. After some debugging with the help of an LLM it seems that the RA flag is missing when receiving synthesized NODATA or NXDOMAIN responses from the NSEC negative cache. Now I’m not sure if this is a bug and an issue should be opened or if this intended behavior. Do you need further info to make an assessment? If so, what kind of input would help?
Thanks and kind regards
Jürgen
More information about the Unbound-users
mailing list