RA flag missing on NSEC negative cache responses

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Feb 16 13:01:53 UTC 2026


Hi Jürgen,

Do you have a concrete case we can look at?
Testcases in Unbound do return the RA flag when 'aggressive-nsec: yes' 
is used (by default).

Maybe you are using RPZ data and you have set
'rpz-signal-nxdomain-ra: yes' [1] ?
Btw this option was explicitly requested to play nice with dnsmasq IIRC.

Best regards,
-- Yorgos

[1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-rpz-rpz-signal-nxdomain-ra

On 16/02/2026 11:12, Jürgen Stauber via Unbound-users wrote:
> Hello together,
> 
> I’m running unbound as my recursive resolver and encountered various “dnsmasq: nameserver 127.0.0.1 refused to do a recursive query” error messages. After some debugging with the help of an LLM it seems that the RA flag is missing when receiving synthesized NODATA or NXDOMAIN responses from the NSEC negative cache. Now I’m not sure if this is a bug and an issue should be opened or if this is intended behavior. Do you need further info to make an assessment? If so, what kind of input would help?
> 
> Thanks and kind regards
> Jürgen


