On Wed, Oct 09, 2019 at 12:10:43AM -0400, Viktor Dukhovni wrote:

> What version of unbound is this?

I failed to note the bottom of your message. Unbound 1.6 is rather
old now. The current version is at least 1.9.3. Also, a parent
domain of the target:

    _acme-challenge.funnel.seastrom.com. IN CNAME _acme-challenge.funnel.seastrom.com.acme.seastrom.com.

reports NXDOMAIN:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25438
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;com.acme.seastrom.com. IN NS

that could well be in your cache.

> This sure feels like a bug, but keep in mind that with
> qname minimization one might discover NSEC or NSEC3
> records that "prove" the non-existence of the qname.
> So it is possible that your zone (if signed) has dodgy
> NSEC records. Lack of any evidence of recursion tends
> to suggest that's the case, but a bug is also possible.

And given no signs of DNSSEC for this domain, the answer is likely
more mundane. You might find that qname minimization is closer
to your expectations in more recent versions of unbound.

With 1.9.3 on my server, and qname minimization enabled temporarily,
I get:

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15138
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;_acme-challenge.funnel.seastrom.com. IN CNAME

    ;; ANSWER SECTION:
    _acme-challenge.funnel.seastrom.com. 299 IN CNAME _acme-challenge.funnel.seastrom.com.acme.seastrom.com.

which is also the answer without qname minimization.
--
Viktor.
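
The interaction discussed in this message, as an added example that is not part of the original post and is not unbound's code: a simplified model of a minimising resolver walking toward the CNAME target when an ancestor name answers NXDOMAIN. The zone cut at acme.seastrom.com., the TXT record at the target, and the strict/fallback policies are assumptions made for illustration.

```python
# Constructed model; names come from the thread, zone contents are assumed.
APEX = "acme.seastrom.com."  # assumed zone cut
TARGET = "_acme-challenge.funnel.seastrom.com.acme.seastrom.com."
RECORDS = {TARGET: "TXT"}    # assumed: only the leaf name owns a record


def conformant_rcode(qname):
    """A name with descendants exists (empty non-terminal): NOERROR/NODATA."""
    if qname == APEX or qname in RECORDS:
        return "NOERROR"
    if any(owner.endswith("." + qname) for owner in RECORDS):
        return "NOERROR"
    return "NXDOMAIN"


def ent_nxdomain_rcode(qname):
    """Server as seen in the thread: NXDOMAIN for an ancestor of the target."""
    return "NOERROR" if qname == APEX or qname in RECORDS else "NXDOMAIN"


def minimised_names(qname, apex=APEX):
    """Names a minimising resolver asks for, adding one label per query."""
    extra = qname[: -len(apex)].rstrip(".").split(".")
    names, current = [], apex
    for label in reversed(extra):
        current = f"{label}.{current}"
        names.append(current)
    return names


def resolve(qname, server, minimise=True, strict=True):
    """Return (rcode, queries_sent).

    strict=True treats NXDOMAIN on an ancestor as final for everything below
    it; strict=False retries once with the full name before giving up.
    """
    sent = []
    for name in (minimised_names(qname) if minimise else [qname]):
        sent.append(name)
        if server(name) == "NXDOMAIN":
            if name != qname and not strict:
                sent.append(qname)
                return server(qname), sent
            return "NXDOMAIN", sent
    return "NOERROR", sent
```

In the strict case the only query sent is for com.acme.seastrom.com., the name shown returning NXDOMAIN above, so the resolver never asks for the full target at all.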