Hi Yorgos,

On 9/24/25 10:28, Yorgos Thessalonikefs via Unbound-users wrote:
What you are seeing is qname-minimisation [1] in action.
When Unbound does not yet know the delegation points in the DNS tree, it will try to slowly discover them without revealing more information than necessary to the parent domains. The query type used while doing so is "A" as you have seen.

You can read more about qname minimisation in RFC 9156 [2].

Best regards,
-- Yorgos

[1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-qname-minimisation
[2] https://www.rfc-editor.org/rfc/rfc9156

Ok, many thanks for your answer.
So this feature is a way to protect my privacy. :)

I have done my tests again and of course, as you say:

* with "qname-minimisation: yes" (the default) a `dig in.ac-versailles.fr CAA` failed (timeout).
* with "qname-minimisation: no" a `dig in.ac-versailles.fr CAA` works. \o/

That's really interesting. We learn something new every day with DNS. :)
Thanks again.
Bye.

-- François Lafont
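
The query sequence described in the quoted explanation, as an added example that is not part of the original thread and is not Unbound's code. It assumes an empty cache, one label added per step, and ignores the iteration limits in RFC 9156; the function name `minimised_queries` and its parameters are hypothetical.

```python
# Added illustration of QNAME minimisation (simplified from RFC 9156).
# Assumptions: nothing cached below known_cut, one label appended per step.

def _labels(name):
    """Split a domain name into lower-cased labels, ignoring the root dot."""
    return [label.lower() for label in name.strip(".").split(".") if label]

def _fqdn(labels):
    """Join labels back into a fully qualified name ('.' for the root)."""
    return ".".join(labels) + "."

def minimised_queries(qname, qtype, known_cut=".", probe_type="A"):
    """Return the (name, type) pairs sent while walking down to qname.

    Intermediate names are asked with probe_type ("A", as seen in the
    thread); only the last query carries the full name and the real type.
    """
    full = _labels(qname)
    cut = _labels(known_cut)
    if cut and full[-len(cut):] != cut:
        raise ValueError(f"{qname!r} is not below {known_cut!r}")
    if len(full) <= len(cut):
        # Nothing left to discover: ask the original question directly.
        return [(_fqdn(full), qtype)]
    queries = []
    for depth in range(len(cut) + 1, len(full) + 1):
        is_last = depth == len(full)
        queries.append((_fqdn(full[-depth:]), qtype if is_last else probe_type))
    return queries

if __name__ == "__main__":
    # The name and type from the thread, starting from the root.
    for name, rrtype in minimised_queries("in.ac-versailles.fr", "CAA"):
        print(f"{name:<24} {rrtype}")
```

Each pair can be replayed by hand with `dig` to see which step goes unanswered when a lookup only times out with minimisation enabled.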