Hi Alex, As mentioned in the bugzilla ticket wrt this issue (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4147): I just committed a fix that should resolve this bug.
Thanks again for reporting!, -- Ralph On 13-08-18 17:58, Alexandre Wicquart via Unbound-users wrote: > Hello, > > > I have an issue with cname since this patch : > https://github.com/NLnetLabs/unbound/commit/2be0263dfa72f314c4cb61599f1ec7e90784da9c > > > I'm using unbound 1.7.3 with *qname-minimisation: yes *and the problem > only occurs if i ask for a CNAME on a domain having DNSSEC activated. > Most of the time i get a SERVFAIL. > > --- Example --- > > ~ # dig cname pcs-cname.eyof.ovh > > ; <<>> DiG 9.10.3-P4-Debian <<>> cname pcs-cname.eyof.ovh > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28362 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;pcs-cname.eyof.ovh. IN CNAME > > ;; Query time: 770 msec > ;; SERVER: 213.186.33.99#53(213.186.33.99) > ;; WHEN: Mon Aug 13 17:50:32 CEST 2018 > ;; MSG SIZE rcvd: 47 > --- > > it works only if > - domain has NOT DNSEC activated. > > - you ask for A instead of CNAME. > > > I finally recompiled a version of unbound 1.7.3 without this patch and i > have no more problem. > > > Are you aware of this issue ? is there an other way to correct this > problem ? Thanks. > > > Best Regards > > -- > > Alex >