On 2022-04-19 23:33:06 +0300, Michael Tokarev wrote:
> On Wed, 5 Jan 2022 16:36:40 +0100 Vincent Lefevre <vinc...@vinc17.net> wrote:
> ..
> > But I don't understand. The upstream nameservers are supposed to be
> > used as a fallback. Even if upstream nameservers do not perform DNSSEC
> > validation, this is still better than a failure when DNSSEC is not
> > required.
>
> For the record, this is incorrect, just like has been stated in #1004032
> numerous times already.
>
> The upstream nameservers provided by DHCP were never supposed to be used
> as a "fallback", even more, there's no _notion_ of a "fallback" in this
> context.
>
> We EITHER use the DHCP-provided nameservers, OR we use the regular recursive
> way. But not both.
>
> I know no recursive resolver software which has notion of "fallback" like
> this.

Without resolvconf installed, it appears to work: if unbound cannot
resolve the hostname, then the next nameserver in /etc/resolv.conf
is used. For instance, I currently have in /etc/resolv.conf:

nameserver 127.0.0.1
nameserver 192.168.1.1

If I stop unbound, then I still get hostname resolution. But if
I only have

nameserver 127.0.0.1

and unbound is stopped, then hostname resolution no longer works.
This shows that 192.168.1.1 is used as a fallback. And something
like "strace wget ... |& grep sin_addr=inet_addr" also confirms
this behavior.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
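
Added example, not part of the original message or of any Debian package: a Python check over the two /etc/resolv.conf configurations described above, reporting which non-local nameservers the libc stub resolver can reach when the local unbound is stopped, and so where answers may arrive without local DNSSEC validation. The function names and sample strings are constructed for illustration; it assumes glibc's limit of three nameserver lines.

```python
import ipaddress

MAXNS = 3  # glibc's stub resolver honours only the first three nameservers


def parse_resolv_conf(text):
    """Return (nameservers, options) roughly as the stub resolver reads them."""
    servers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment lines
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            try:
                # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                continue  # not an IP literal
        elif fields[0] == "options":
            options.update(fields[1:])
    return servers[:MAXNS], options


def fallback_report(text):
    """Report which servers answer when the local resolver is stopped."""
    servers, options = parse_resolv_conf(text)
    first_local = next((i for i, s in enumerate(servers) if s.is_loopback), None)
    later_remote = [] if first_local is None else [
        str(s) for s in servers[first_local + 1:] if not s.is_loopback]
    return {
        "order": [str(s) for s in servers],
        "fallback_servers": later_remote,
        # "options rotate" spreads queries over all listed servers, so the
        # remote one is then used even while the local resolver is running.
        "always_mixed": bool(later_remote) and "rotate" in options,
        # Only loopback servers listed: resolution fails if unbound is down.
        "fails_when_local_down": bool(servers) and all(s.is_loopback for s in servers),
    }


# Constructed samples: the two configurations described in the message.
WITH_FALLBACK = "nameserver 127.0.0.1\nnameserver 192.168.1.1\n"
LOCAL_ONLY = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    for name, conf in (("two servers", WITH_FALLBACK), ("local only", LOCAL_ONLY)):
        print(name, fallback_report(conf))
```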