RA flag missing on NSEC negative cache responses

Jürgen Stauber juergen at stauber.io
Mon Feb 16 14:46:00 UTC 2026


Hi Yorgos,

actually I observe the error mainly with various .cdn.cloudflare.net domains. It seems that the behavior is specific to the cachedb module and only occurs when the cached answer's TTL has expired while the NSEC records remain cached. The synthesized NODATA/NXDOMAIN response is issued directly from the cachedb module, without the iterator module, and no RA flag is added to the response.
Manually, I have trouble reproducing the issue with dig, but it is observed continuously with my dnsmasq instance.

Unbound version: 1.24.2
My module-config: validator cachedb iterator

In the logs below, you can observe two distinct unbound instances (127.0.0.1 and 192.168.1.160). One instance was patched (127.0.0.1) and the dnsmasq warning no longer pops up:

--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -724,6 +724,13 @@
 	}
 	if(!msg)
 		return 0;
+	/* fixup flags to be sensible for a reply based on the cache.
+	 * This module means that RA is available. It is an answer QR.
+	 * Not AA from cache. Not CD in cache (depends on client bit).
+	 * This is needed because val_neg_getmsg() synthesizes messages
+	 * with dns_msg_create() which only sets BIT_QR, missing BIT_RA. */
+	msg->rep->flags |= (BIT_RA | BIT_QR);
+	msg->rep->flags &= ~(BIT_AA | BIT_CD);
 	/* this is the returned msg */
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
 	qstate->return_msg = msg;
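Review bot: the flag fixup is applied to every msg that reaches this point, not only to the messages synthesized by val_neg_getmsg() that the comment names, and the comment says CD "depends on client bit" while `msg->rep->flags &= ~(BIT_AA | BIT_CD);` clears BIT_CD unconditionally. Either move the RA fixup next to the dns_msg_create() call in val_neg_getmsg(), so every caller of the negative cache gets a sane flag word rather than only the cachedb path, or extend the comment to say where the client's CD bit is restored before the reply goes out, so a reader does not take this line as dropping CD from the response. A testcase asserting RA on a synthesized NODATA reply through the cachedb module would pin the behaviour down better than the dnsmasq log observation alone.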

'rpz-signal-nxdomain-ra: yes' is not set on my end - afaik it defaults to no.

Here are some dnsmasq logs that show the “issue” from dnsmasq’s perspective:

Feb 15 00:29:21 dnsmasq[1084]: query[A] connect.garmin.com from 192.168.1.188
Feb 15 00:29:21 dnsmasq[1084]: forwarded connect.garmin.com to 127.0.0.1#2053
Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is 104.17.167.14
Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is 104.17.168.14
Feb 15 00:29:22 dnsmasq[1084]: query[HTTPS] connect.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 00:29:22 dnsmasq[1084]: forwarded connect.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 00:29:22 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 02:39:32 dnsmasq[1084]: query[A] api.gcs.garmin.com from 192.168.1.188
Feb 15 02:39:32 dnsmasq[1084]: forwarded api.gcs.garmin.com to 127.0.0.1#2053
Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 02:39:33 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 02:39:33 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 02:39:33 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.150.222
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.151.222
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.152.222
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.154.222
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.153.222
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 05:50:39 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 05:50:39 dnsmasq[1084]: forwarded connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 05:50:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 05:58:39 dnsmasq[1084]: query[A] api.gcs.garmin.com from 192.168.1.188
Feb 15 05:58:39 dnsmasq[1084]: forwarded api.gcs.garmin.com to 127.0.0.1#2053
Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
Feb 15 05:58:39 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 05:58:39 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 05:58:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 06:06:52 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com from 192.168.1.188
Feb 15 06:06:52 dnsmasq[1084]: forwarded api.gcs.garmin.com to 127.0.0.1#2053
Feb 15 06:06:52 dnsmasq[1084]: query[A] api.gcs.garmin.com from 192.168.1.188
Feb 15 06:06:52 dnsmasq[1084]: forwarded api.gcs.garmin.com to 127.0.0.1#2053
Feb 15 06:06:52 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 06:06:52 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 06:06:52 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 06:06:52 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 06:06:52 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 06:14:24 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 06:14:24 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 06:14:24 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 07:15:01 dnsmasq[1084]: query[A] api.gcs.garmin.com from 192.168.1.188
Feb 15 07:15:01 dnsmasq[1084]: forwarded api.gcs.garmin.com to 127.0.0.1#2053
Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com is <CNAME>
Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com is <CNAME>
Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net is 104.17.71.10
Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net is 104.17.70.10
Feb 15 07:15:01 dnsmasq[1084]: query[HTTPS] omt.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 07:15:01 dnsmasq[1084]: forwarded omt.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 07:15:01 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 07:15:05 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 07:15:05 dnsmasq[1084]: forwarded connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 07:15:05 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 07:22:55 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
Feb 15 07:22:55 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 07:22:55 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 07:22:55 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 07:22:55 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 08:24:45 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net is 104.17.70.10
Feb 15 08:24:45 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com from 192.168.1.188
Feb 15 08:24:45 dnsmasq[1084]: forwarded connectapi.garmin.com to 127.0.0.1#2053
Feb 15 08:24:45 dnsmasq[1084]: query[A] connectapi.garmin.com from 192.168.1.188
Feb 15 08:24:45 dnsmasq[1084]: forwarded connectapi.garmin.com to 127.0.0.1#2053
Feb 15 08:24:45 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
Feb 15 08:24:45 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 08:24:45 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 08:24:45 dnsmasq[1084]: forwarded connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 08:24:45 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.154.222
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.150.222
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.151.222
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.152.222
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is 104.17.153.222
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 08:54:35 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 08:54:35 dnsmasq[1084]: forwarded connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 08:54:35 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is NODATA
Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.151.56
Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.152.56
Feb 15 10:09:38 dnsmasq[1084]: query[HTTPS] cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 10:09:38 dnsmasq[1084]: forwarded cache.dciwx.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 10:09:38 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is 104.17.167.14
Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is 104.17.168.14
Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 11:54:58 dnsmasq[1084]: query[HTTPS] connect.garmin.com.cdn.cloudflare.net from 192.168.1.218
Feb 15 11:54:58 dnsmasq[1084]: forwarded connect.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 11:54:58 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com.cdn.cloudflare.net is NODATA
Feb 15 11:59:18 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 11:59:18 dnsmasq[1084]: forwarded api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 11:59:18 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.152.56
Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.151.56
Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is NODATA
Feb 15 12:09:39 dnsmasq[1084]: query[HTTPS] cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 12:09:39 dnsmasq[1084]: forwarded cache.dciwx.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 12:09:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 12:21:09 dnsmasq[1084]: query[HTTPS] omt.garmin.com.cdn.cloudflare.net from 192.168.1.218
Feb 15 12:21:09 dnsmasq[1084]: forwarded omt.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
Feb 15 12:21:09 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a recursive query
--
Feb 15 22:57:45 dnsmasq[1084]: query[HTTPS] omt.garmin.com.cdn.cloudflare.net from 192.168.1.188
Feb 15 22:57:45 dnsmasq[1084]: forwarded omt.garmin.com.cdn.cloudflare.net to 192.168.1.160#5053
Feb 15 22:57:45 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a recursive query
--
Feb 16 06:54:02 dnsmasq[1084]: query[HTTPS] static.licdn.com.cdn.cloudflare.net from 192.168.1.188
Feb 16 06:54:02 dnsmasq[1084]: forwarded static.licdn.com.cdn.cloudflare.net to 192.168.1.160#5053
Feb 16 06:54:02 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a recursive query
--
Feb 16 08:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 16 08:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is NODATA
Feb 16 08:39:39 dnsmasq[1084]: query[HTTPS] cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
Feb 16 08:39:39 dnsmasq[1084]: forwarded cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
Feb 16 08:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a recursive query
--
Feb 16 09:39:38 dnsmasq[1084]: query[HTTPS] cache.dciwx.com from 192.168.1.188
Feb 16 09:39:38 dnsmasq[1084]: forwarded cache.dciwx.com to 192.168.1.160#5053
Feb 16 09:39:38 dnsmasq[1084]: query[A] cache.dciwx.com from 192.168.1.188
Feb 16 09:39:38 dnsmasq[1084]: forwarded cache.dciwx.com to 192.168.1.160#5053
Feb 16 09:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 16 09:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is NODATA
Feb 16 09:39:39 dnsmasq[1084]: query[HTTPS] cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
Feb 16 09:39:39 dnsmasq[1084]: forwarded cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
Feb 16 09:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a recursive query
--
Feb 16 10:39:39 dnsmasq[1084]: query[A] cache.dciwx.com from 192.168.1.188
Feb 16 10:39:39 dnsmasq[1084]: forwarded cache.dciwx.com to 192.168.1.160#5053
Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is NODATA
Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.151.56
Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net is 104.19.152.56
Feb 16 10:39:39 dnsmasq[1084]: query[HTTPS] cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
Feb 16 10:39:39 dnsmasq[1084]: forwarded cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
Feb 16 10:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a recursive query

Best regards,
Jürgen
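To check a resolver for the behaviour described above, here is an added example that is not part of the original post and not code from Unbound or dnsmasq: a Python script that sends one query (RD set, no EDNS) and reports whether a negative reply (NXDOMAIN, or NOERROR with nothing but CNAMEs in the answer section, which is what the dnsmasq log above shows as NODATA) came back without the RA flag. The server address, port and query name passed to probe() are assumptions; run it against the local Unbound instance once the cached answer's TTL has expired and the NSEC records are still cached, which is when the synthesized reply appears.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1); dnsmasq keys on RA being set
QR, RD, RA = 0x8000, 0x0100, 0x0080
TYPE_CNAME, TYPE_HTTPS, RCODE_NXDOMAIN = 5, 65, 3

def build_query(qname, qtype, txid=0x1234):
    """Minimal recursion-desired query for qname/qtype, class IN, no EDNS."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return (struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def skip_name(pkt, off):
    """Offset just past the name starting at off (handles compression pointers)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def answer_types(pkt):
    """Record types present in the answer section of a reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def diagnose(pkt):
    """Classify a reply: negative (NXDOMAIN/NODATA) or not, and whether RA is set."""
    flags = struct.unpack("!H", pkt[2:4])[0]
    rcode = flags & 0x000F
    # NODATA as dnsmasq logs it: NOERROR with only CNAMEs (or nothing) in the answer section
    negative = rcode == RCODE_NXDOMAIN or (
        rcode == 0 and all(t == TYPE_CNAME for t in answer_types(pkt)))
    return {"qr": bool(flags & QR), "ra": bool(flags & RA), "rcode": rcode,
            "negative": negative, "ra_missing_on_negative": negative and not (flags & RA)}

def probe(server, qname, qtype=TYPE_HTTPS, port=53, timeout=2.0):
    """Send one UDP query and diagnose the reply (needs network; assumed server/port/name)."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        reply, _ = s.recvfrom(4096)
    return diagnose(reply)
```

A result with "ra_missing_on_negative": True is exactly the reply that makes dnsmasq log "refused to do a recursive query"; after the cachedb fixup the same probe should report "ra": True.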

> On 16.02.2026, at 14:01, Yorgos Thessalonikefs via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> Hi Jürgen,
> 
> Do you have a concrete case we can look at?
> Testcases in Unbound do return the RA flag when 'aggressive-nsec: yes' is used (by default).
> 
> Maybe you are using RPZ data and you have set
> 'rpz-signal-nxdomain-ra: yes' [1] ?
> Btw this option was explicitly requested to play nice with dnsmasq IIRC.
> 
> Best regards,
> -- Yorgos
> 
> [1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-rpz-rpz-signal-nxdomain-ra
> 
> On 16/02/2026 11:12, Jürgen Stauber via Unbound-users wrote:
>> Hello together,
>> I'm running unbound as my recursive resolver and encountered various "dnsmasq: nameserver 127.0.0.1 refused to do a recursive query" error messages. After some debugging with the help of an LLM it seems that the RA flag is missing when receiving synthesized NODATA or NXDOMAIN responses from the NSEC negative cache. Now I'm not sure if this is a bug and an issue should be opened or if this is intended behavior. Do you need further info to make an assessment? If so, what kind of input would help?
>> Thanks and kind regards
>> Jürgen
> 
