Is it by design that Unbound supports NS records pointing to CNAME records?
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Fri Jan 23 14:34:16 UTC 2026
Hi Jaime,
Unbound was/is lenient on CNAMEs in NS records by design.
Since it will have to start a resolution attempt at that point, it does
not matter if it is for a CNAME or not.
Also the text in that section of RFC 2181 could be interpreted as
targeting the auth side (servers, zone editors), at least by me now that
I read it again.
I believe Unbound was/is like that to try and resolve in such a case
that garbage-in was encountered.
Best regards,
-- Yorgos
On 19/01/2026 18:15, Jaime Hablutzel via Unbound-users wrote:
> In https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html
> you indicate compliance with RFC 2181, which forbids NS records to point
> to CNAME records:
>
>> 10.3. MX and NS records
>> The domain name used as the value of a NS resource record, or part of
>> the value of a MX resource record must not be an alias.
>
> But Unbound is currently supporting NS records pointing to CNAME
> records, following them in the regular way.
>
> Is this by design or is it a bug?
>
> For reference, BIND9 generates a SERVFAIL in such cases
> (https://groups.google.com/g/comp.protocols.dns.bind/c/MGJHdh7TSS4).
>
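As an added example (not code from this thread, from Unbound, or from BIND9), here is the authoritative-side check that RFC 2181 section 10.3 implies: a small Python lint over a constructed record set that flags NS and MX targets which are CNAME owners in the same zone data, and follows the alias chain to report the canonical name. The record layout, the example.test names and the 192.0.2.x addresses are assumptions made for the example; a target whose records are not in the data (an out-of-zone name server) cannot be judged and is left alone.

```python
"""Lint NS and MX targets in zone data for RFC 2181 section 10.3 violations."""
from __future__ import annotations

# Constructed sample zone data, not taken from the original post: tuples of
# (owner, type, rdata). Names are compared case-insensitively and made absolute.
SAMPLE_RECORDS = [
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "alias-ns.example.test."),      # alias target: violation
    ("example.test.", "MX", "10 mail.example.test."),
    ("example.test.", "MX", "20 Alias-Mail.example.test"),  # alias target, mixed case, relative
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("alias-ns.example.test.", "CNAME", "ns1.example.test."),
    ("mail.example.test.", "A", "192.0.2.25"),
    ("alias-mail.example.test.", "CNAME", "mail.example.test."),
    ("sub.example.test.", "NS", "ns.other.test."),          # no data for target: cannot judge
]


def normalize(name: str) -> str:
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def target_of(rtype: str, rdata: str) -> str:
    """Extract the hostname from NS rdata ('<host>') or MX rdata ('<pref> <host>')."""
    if rtype == "MX":
        _preference, host = rdata.split(None, 1)
        return normalize(host)
    return normalize(rdata)


def canonical_name(name: str, cnames: dict[str, str], max_hops: int = 8) -> str:
    """Follow a CNAME chain to its end; stop on loops or over-long chains."""
    seen: set[str] = set()
    cur = normalize(name)
    while cur in cnames and cur not in seen and len(seen) < max_hops:
        seen.add(cur)
        cur = cnames[cur]
    return cur


def find_alias_targets(records) -> list[tuple[str, str, str, str]]:
    """Return (owner, type, target, canonical) for every NS/MX target that is an alias."""
    cnames = {normalize(o): normalize(r) for o, t, r in records if t == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX"):
            continue
        target = target_of(rtype, rdata)
        if target in cnames:
            findings.append((normalize(owner), rtype, target, canonical_name(target, cnames)))
    return findings


if __name__ == "__main__":
    for owner, rtype, target, canon in find_alias_targets(SAMPLE_RECORDS):
        print(f"{owner} {rtype} -> {target} is a CNAME (canonical: {canon}); "
              f"violates RFC 2181 section 10.3")
```

Running a check like this before publishing a zone avoids depending on the lenient resolver behaviour discussed above: as the BIND9 SERVFAIL shows, not every resolver will follow the alias, so the same data can resolve through one resolver and fail through another.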