> I'm seeing libunbound query results differ depending on cache > results for an improperly-configured domain. I'm wondering what > options are available to mitigate this.
"Fix the improperly configured domain?" :) The .org zone delegates to ryanjanzen.org. 86400 IN NS dns.domainsatcost.ca. ryanjanzen.org. 86400 IN NS dns2.domainsatcost.ca. Those two however returns the following NS set: ryanjanzen.org. 3600 IN NS ns1.a2hosting.com. ryanjanzen.org. 3600 IN NS ns2.a2hosting.com. And again those two name servers presents an NS RRset with two more name servers: ryanjanzen.org. 86400 IN NS ns4.a2hosting.com. ryanjanzen.org. 86400 IN NS ns3.a2hosting.com. ryanjanzen.org. 86400 IN NS ns1.a2hosting.com. ryanjanzen.org. 86400 IN NS ns2.a2hosting.com. I bet the first two ones are not in sync (secondary name servers) of the a2hosting.com servers (confirmed with dig @dns2.domainsatcost.ca. ryanjanzen.org. soa +norec dig @ns1.a2hosting.com. ryanjanzen.org. soa +norec ), so when you ask your recursor about something else from that zone it depends on whether caching state for these NS records which name server your recursor will end up querying, and you may get different results depending on this. There is basically nothing scaleable you as recursive resolver operator can do about these types of errors -- it's all up to the domain owner and the control he has over the zone publishing to fix this properly. Regards, - HÃ¥vard
