RA flag missing on NSEC negative cache responses
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Mon Feb 16 15:39:24 UTC 2026
Hi Jürgen,
Not sure if the logs are correct since I see both IPs respond the same
with the "refused to do a recursive query" message.
Other than that, your analysis and pinpointing of the issue seem correct.
We have chosen a different approach to when to set the RA flag though:
https://github.com/NLnetLabs/unbound/commit/014ed9c5ff393d9d10a92e85e7cac080253b968b.
If you could test and verify that would be great.
Best regards,
-- Yorgos
On 16/02/2026 15:46, Jürgen Stauber wrote:
> Hi Yorgos,
>
> actually I observe the error mainly with various
> .cdn.cloudflare.net-domains. It seems that the behavior is
> specific to the cachedb module and only occurs when the cached answer's
> TTL has expired while the NSEC records remain cached. The synthesized
> NODATA/NXDOMAIN response is issued directly from the cachedb module,
> without the iterator-module and no RA flag is added to the response.
> Manually I have trouble reproducing the issue with dig, but it is
> observed continuously with my dnsmasq instance.
>
> Unbound version: 1.24.2
> My module-config: validator cachedb iterator
>
> In the logs below, you can observe two distinct unbound instances
> (127.0.0.1 and 192.168.1.160). One instance was patched (127.0.0.1) and
> the dnsmasq warning no longer pops up:
>
> --- a/cachedb/cachedb.c
> +++ b/cachedb/cachedb.c
> @@ -724,6 +724,13 @@
> }
> if(!msg)
> return 0;
> +/* fixup flags to be sensible for a reply based on the cache.
> + * This module means that RA is available. It is an answer QR.
> + * Not AA from cache. Not CD in cache (depends on client bit).
> + * This is needed because val_neg_getmsg() synthesizes messages
> + * with dns_msg_create() which only sets BIT_QR, missing BIT_RA. */
> +msg->rep->flags |= (BIT_RA | BIT_QR);
> +msg->rep->flags &= ~(BIT_AA | BIT_CD);
> /* this is the returned msg */
> qstate->return_rcode = LDNS_RCODE_NOERROR;
> qstate->return_msg = msg;
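Review bot: The flag fix-up added after the if(!msg) check runs for every message that reaches this point, while its comment justifies it only for messages synthesized by val_neg_getmsg(); either guard it so it applies to the synthesized case alone, or reword the comment to say that every reply returned from here gets RA and QR set and AA and CD cleared. The comment's "Not CD in cache (depends on client bit)" also reads as if CD should follow the client's query, but `msg->rep->flags &= ~(BIT_AA | BIT_CD);` clears it unconditionally, so say where the client's bit is reapplied or drop the parenthetical. It is also worth confirming that msg->rep is not shared with a cache entry before its flags are modified in place. The hunk as quoted has lost its indentation and the leading space on context lines; resend it with whitespace preserved so it applies cleanly.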
>
> 'rpz-signal-nxdomain-ra: yes' is not set on my end - afaik it defaults
> to no.
>
> Here are some dnsmasq logs that show the “issue” from dnsmasq’s perspective:
>
> Feb 15 00:29:21 dnsmasq[1084]: query[A] connect.garmin.com from
> 192.168.1.188
> Feb 15 00:29:21 dnsmasq[1084]: forwarded connect.garmin.com to
> 127.0.0.1#2053
> Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
> Feb 15 00:29:21 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 00:29:21 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
> Feb 15 00:29:21 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is 104.17.167.14
> Feb 15 00:29:21 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is 104.17.168.14
> Feb 15 00:29:22 dnsmasq[1084]: query[HTTPS]
> connect.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 00:29:22 dnsmasq[1084]: forwarded
> connect.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 00:29:22 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 02:39:32 dnsmasq[1084]: query[A] api.gcs.garmin.com from
> 192.168.1.188
> Feb 15 02:39:32 dnsmasq[1084]: forwarded api.gcs.garmin.com to
> 127.0.0.1#2053
> Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 02:39:33 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
> Feb 15 02:39:33 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
> Feb 15 02:39:33 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 02:39:33 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 02:39:33 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 02:39:33 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 02:39:33 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.150.222
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.151.222
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.152.222
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.154.222
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.153.222
> Feb 15 05:50:39 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
> Feb 15 05:50:39 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 05:50:39 dnsmasq[1084]: query[HTTPS]
> connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 05:50:39 dnsmasq[1084]: forwarded
> connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 05:50:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 05:58:39 dnsmasq[1084]: query[A] api.gcs.garmin.com from
> 192.168.1.188
> Feb 15 05:58:39 dnsmasq[1084]: forwarded api.gcs.garmin.com to
> 127.0.0.1#2053
> Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 05:58:39 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 05:58:39 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 05:58:39 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
> Feb 15 05:58:39 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
> Feb 15 05:58:39 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 05:58:39 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 05:58:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 06:06:52 dnsmasq[1084]: query[HTTPS] api.gcs.garmin.com from
> 192.168.1.188
> Feb 15 06:06:52 dnsmasq[1084]: forwarded api.gcs.garmin.com to
> 127.0.0.1#2053
> Feb 15 06:06:52 dnsmasq[1084]: query[A] api.gcs.garmin.com from
> 192.168.1.188
> Feb 15 06:06:52 dnsmasq[1084]: forwarded api.gcs.garmin.com to
> 127.0.0.1#2053
> Feb 15 06:06:52 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 06:06:52 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 06:06:52 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 06:06:52 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 06:06:52 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 06:14:24 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
> Feb 15 06:14:24 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
> Feb 15 06:14:24 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 06:14:24 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 06:14:24 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 06:14:24 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 06:14:24 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 07:15:01 dnsmasq[1084]: query[A] api.gcs.garmin.com from
> 192.168.1.188
> Feb 15 07:15:01 dnsmasq[1084]: forwarded api.gcs.garmin.com to
> 127.0.0.1#2053
> Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com is <CNAME>
> Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net
> is NODATA
> Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com is <CNAME>
> Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net
> is 104.17.71.10
> Feb 15 07:15:01 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net
> is 104.17.70.10
> Feb 15 07:15:01 dnsmasq[1084]: query[HTTPS]
> omt.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 07:15:01 dnsmasq[1084]: forwarded
> omt.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 07:15:01 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 07:15:05 dnsmasq[1084]: query[HTTPS]
> connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 07:15:05 dnsmasq[1084]: forwarded
> connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 07:15:05 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 07:22:55 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
> Feb 15 07:22:55 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 07:22:55 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
> Feb 15 07:22:55 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
> Feb 15 07:22:55 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 07:22:55 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 07:22:55 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 07:22:55 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 07:22:55 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 08:24:45 dnsmasq[1084]: reply omt.garmin.com.cdn.cloudflare.net
> is 104.17.70.10
> Feb 15 08:24:45 dnsmasq[1084]: query[HTTPS] connectapi.garmin.com from
> 192.168.1.188
> Feb 15 08:24:45 dnsmasq[1084]: forwarded connectapi.garmin.com to
> 127.0.0.1#2053
> Feb 15 08:24:45 dnsmasq[1084]: query[A] connectapi.garmin.com from
> 192.168.1.188
> Feb 15 08:24:45 dnsmasq[1084]: forwarded connectapi.garmin.com to
> 127.0.0.1#2053
> Feb 15 08:24:45 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
> Feb 15 08:24:45 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 08:24:45 dnsmasq[1084]: query[HTTPS]
> connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 08:24:45 dnsmasq[1084]: forwarded
> connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 08:24:45 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.154.222
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.150.222
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.151.222
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.152.222
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is 104.17.153.222
> Feb 15 08:54:35 dnsmasq[1084]: reply connectapi.garmin.com is <CNAME>
> Feb 15 08:54:35 dnsmasq[1084]: reply
> connectapi.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 08:54:35 dnsmasq[1084]: query[HTTPS]
> connectapi.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 08:54:35 dnsmasq[1084]: forwarded
> connectapi.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 08:54:35 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is NODATA
> Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.151.56
> Feb 15 10:09:38 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.152.56
> Feb 15 10:09:38 dnsmasq[1084]: query[HTTPS]
> cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 10:09:38 dnsmasq[1084]: forwarded
> cache.dciwx.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 10:09:38 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
> Feb 15 11:54:58 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is 104.17.167.14
> Feb 15 11:54:58 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is 104.17.168.14
> Feb 15 11:54:58 dnsmasq[1084]: reply connect.garmin.com is <CNAME>
> Feb 15 11:54:58 dnsmasq[1084]: reply
> connect.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 11:54:58 dnsmasq[1084]: query[HTTPS]
> connect.garmin.com.cdn.cloudflare.net from 192.168.1.218
> Feb 15 11:54:58 dnsmasq[1084]: forwarded
> connect.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 11:54:58 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 11:59:18 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.8.45
> Feb 15 11:59:18 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is 104.16.9.45
> Feb 15 11:59:18 dnsmasq[1084]: reply api.gcs.garmin.com is <CNAME>
> Feb 15 11:59:18 dnsmasq[1084]: reply
> api.gcs.garmin.com.cdn.cloudflare.net is NODATA
> Feb 15 11:59:18 dnsmasq[1084]: query[HTTPS]
> api.gcs.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 11:59:18 dnsmasq[1084]: forwarded
> api.gcs.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 11:59:18 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.152.56
> Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.151.56
> Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 15 12:09:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is NODATA
> Feb 15 12:09:39 dnsmasq[1084]: query[HTTPS]
> cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 12:09:39 dnsmasq[1084]: forwarded
> cache.dciwx.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 12:09:39 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 12:21:09 dnsmasq[1084]: query[HTTPS]
> omt.garmin.com.cdn.cloudflare.net from 192.168.1.218
> Feb 15 12:21:09 dnsmasq[1084]: forwarded
> omt.garmin.com.cdn.cloudflare.net to 127.0.0.1#2053
> Feb 15 12:21:09 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 15 22:57:45 dnsmasq[1084]: query[HTTPS]
> omt.garmin.com.cdn.cloudflare.net from 192.168.1.188
> Feb 15 22:57:45 dnsmasq[1084]: forwarded
> omt.garmin.com.cdn.cloudflare.net to 192.168.1.160#5053
> Feb 15 22:57:45 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a
> recursive query
> --
> Feb 16 06:54:02 dnsmasq[1084]: query[HTTPS]
> static.licdn.com.cdn.cloudflare.net from 192.168.1.188
> Feb 16 06:54:02 dnsmasq[1084]: forwarded
> static.licdn.com.cdn.cloudflare.net to 192.168.1.160#5053
> Feb 16 06:54:02 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a
> recursive query
> --
> Feb 16 08:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 16 08:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is NODATA
> Feb 16 08:39:39 dnsmasq[1084]: query[HTTPS]
> cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
> Feb 16 08:39:39 dnsmasq[1084]: forwarded
> cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
> Feb 16 08:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a
> recursive query
> --
> Feb 16 09:39:38 dnsmasq[1084]: query[HTTPS] cache.dciwx.com from
> 192.168.1.188
> Feb 16 09:39:38 dnsmasq[1084]: forwarded cache.dciwx.com to
> 192.168.1.160#5053
> Feb 16 09:39:38 dnsmasq[1084]: query[A] cache.dciwx.com from 192.168.1.188
> Feb 16 09:39:38 dnsmasq[1084]: forwarded cache.dciwx.com to
> 192.168.1.160#5053
> Feb 16 09:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 16 09:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is NODATA
> Feb 16 09:39:39 dnsmasq[1084]: query[HTTPS]
> cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
> Feb 16 09:39:39 dnsmasq[1084]: forwarded
> cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
> Feb 16 09:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a
> recursive query
> --
> Feb 16 10:39:39 dnsmasq[1084]: query[A] cache.dciwx.com from 192.168.1.188
> Feb 16 10:39:39 dnsmasq[1084]: forwarded cache.dciwx.com to
> 192.168.1.160#5053
> Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is NODATA
> Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com is <CNAME>
> Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.151.56
> Feb 16 10:39:39 dnsmasq[1084]: reply cache.dciwx.com.cdn.cloudflare.net
> is 104.19.152.56
> Feb 16 10:39:39 dnsmasq[1084]: query[HTTPS]
> cache.dciwx.com.cdn.cloudflare.net from 192.168.1.188
> Feb 16 10:39:39 dnsmasq[1084]: forwarded
> cache.dciwx.com.cdn.cloudflare.net to 192.168.1.160#5053
> Feb 16 10:39:39 dnsmasq[1084]: nameserver 192.168.1.160 refused to do a
> recursive query
>
> Best regards,
> Jürgen
>
>> On 16.02.2026, at 14:01, Yorgos Thessalonikefs via Unbound-users
>> <unbound-users at lists.nlnetlabs.nl> wrote:
>>
>> Hi Jürgen,
>>
>> Do you have a concrete case we can look at?
>> Testcases in Unbound do return the RA flag when 'aggressive-nsec: yes'
>> is used (by default).
>>
>> Maybe you are using RPZ data and you have set
>> 'rpz-signal-nxdomain-ra: yes' [1] ?
>> Btw this option was explicitly requested to play nice with dnsmasq IIRC.
>>
>> Best regards,
>> -- Yorgos
>>
>> [1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-rpz-rpz-signal-nxdomain-ra
>>
>> On 16/02/2026 11:12, Jürgen Stauber via Unbound-users wrote:
>>> Hello together,
>>> I’m running unbound as my recursive resolver and encountered various
>>> "dnsmasq: nameserver 127.0.0.1 refused to do a recursive query" error
>>> messages. After some debugging with the help of an LLM it seems that
>>> the RA flag is missing when receiving synthesized NODATA or NXDOMAIN
>>> responses from the NSEC negative cache. Now I’m not sure if this is a
>>> bug and an issue should be opened or if this is intended behavior. Do
>>> you need further info to make an assessment? If so, what kind of
>>> input would help?
>>> Thanks and kind regards
>>> Jürgen
>>
>
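A triage helper for logs like the ones quoted in this thread, added here as an example and not part of the original messages or of Unbound or dnsmasq: it rejoins mail-wrapped dnsmasq lines and attributes each "refused to do a recursive query" warning to the upstream, query type and name that preceded it, so two resolver instances can be compared. The sample log, names and addresses are constructed, and the query type is assumed to be the most recent query[...] line seen for that name.

```python
import re
from collections import Counter
# Constructed sample in the dnsmasq log format quoted in the thread, mail-wrapped.
SAMPLE = """\
> Feb 15 00:29:22 dnsmasq[1084]: query[HTTPS]
> www.example.com.cdn.example.net from 192.0.2.10
> Feb 15 00:29:22 dnsmasq[1084]: forwarded
> www.example.com.cdn.example.net to 127.0.0.1#2053
> Feb 15 00:29:22 dnsmasq[1084]: nameserver 127.0.0.1 refused to do a
> recursive query
> --
> Feb 16 06:54:02 dnsmasq[1084]: query[HTTPS]
> static.example.org.cdn.example.net from 192.0.2.10
> Feb 16 06:54:02 dnsmasq[1084]: forwarded
> static.example.org.cdn.example.net to 192.0.2.53#5053
> Feb 16 06:54:02 dnsmasq[1084]: nameserver 192.0.2.53 refused to do a
> recursive query
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
QUERY = re.compile(r"query\[(\w+)\] (\S+) from \S+")
FWD = re.compile(r"forwarded (\S+) to ([^#\s]+)")
REFUSED = re.compile(r"nameserver (\S+) refused to do a recursive query")

def unwrap(text):
    """Rejoin wrapped log records; drop '> ' quoting and grep '--' separators."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line == "--":
            continue
        if TS.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # anything else is a wrapped tail
    return records

def refusals(text):
    """Return (upstream, qtype, name) for each recursion-refused warning."""
    qtype, last_fwd, out = {}, {}, []
    for rec in unwrap(text):
        if m := QUERY.search(rec):
            qtype[m.group(2)] = m.group(1)       # latest type asked for this name
        elif m := FWD.search(rec):
            last_fwd[m.group(2)] = m.group(1)    # latest name sent to this upstream
        elif m := REFUSED.search(rec):
            name = last_fwd.get(m.group(1), "?")
            out.append((m.group(1), qtype.get(name, "?"), name))
    return out

def summary(text):  # warnings per (upstream, qtype), to compare instances
    return Counter((up, qt) for up, qt, _ in refusals(text))

if __name__ == "__main__":
    print(dict(summary(SAMPLE)))
```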