On Sun, 28 Apr 2019 at 15:38, A. Schulze via Unbound-users <[email protected]> wrote:
> Google DNS doesn't use qname minimization.
> Only if you disable qname minimisation unbound will ask havedane.net's
> nameserver for "_25._tcp.do" (dotted hostname) and get an answer.

That would imply that Unbound's (1.9.0) implementation of qname minimisation is broken, since Debian's Unbound default config has qname minimisation activated.

Regards
Stefan

On Sun, 28 Apr 2019 at 15:38, A. Schulze via Unbound-users <[email protected]> wrote:
>
> On 28.04.19 at 14:07, Stefan Kublinski via Unbound-users wrote:
> > Hello,
> >
> > I have an issue with unbound 1.9.1.
> >
> > I am trying to get tlsa records from domain _25._tcp.do.havedane.net
> > but this fails with unbound. DNSSEC validation tools report no issues
> > with that domain though.
> >
> > query: $ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec
> > which yields NXDOMAIN and no tlsa records, but with Google Public DNS
> > $ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec
> > I do get tlsa records with ad flag
>
> Google DNS doesn't use qname minimization.
>
> The nameserver for havedane.net returns NXDOMAIN when I ask for
> _tcp.do.havedane.net.
> Then there can't be a _25._tcp.do.havedane.net.
>
> Only if you disable qname minimisation unbound will ask havedane.net's
> nameserver
> for "_25._tcp.do" (dotted hostname) and get an answer.
>
> The nameserver for havedane.net should get fixed:
>
> http://dnsviz.net/d/_25._tcp.do.havedane.net/dnssec/
>
> Andreas
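
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: a simplified model of a resolver querying one authoritative server, with and without qname minimisation. The zone contents, the record at do.havedane.net and all function names are constructed assumptions.

```python
# Constructed zone model (assumption): "do" holds a record, "_tcp.do" is an
# empty non-terminal, and only the full owner name carries the TLSA record.
ZONE = "havedane.net"
RECORDS = {
    "do.havedane.net": "MX (placeholder rdata)",
    "_25._tcp.do.havedane.net": "TLSA (placeholder rdata)",
}

def authoritative(qname, ent_nxdomain):
    """Answer one query; the query type is ignored in this model.
    ent_nxdomain=True models the server behaviour reported in the thread:
    NXDOMAIN for a name that has no records itself but has names below it."""
    if qname in RECORDS:
        return "NOERROR", RECORDS[qname]
    has_descendant = any(owner.endswith("." + qname) for owner in RECORDS)
    if has_descendant and not ent_nxdomain:
        return "NOERROR", None  # NODATA: the name exists, nothing stored here
    return "NXDOMAIN", None

def resolve(qname, minimise, ent_nxdomain):
    """Return (rcode, answer, names_sent). With minimise=True the resolver
    reveals one more label per query and treats NXDOMAIN for an ancestor as
    proof that nothing exists below it, so it stops there."""
    if minimise:
        labels = qname[: -len("." + ZONE)].split(".")
        names = [".".join(labels[i:] + [ZONE])
                 for i in range(len(labels) - 1, -1, -1)]
    else:
        names = [qname]
    sent = []
    for name in names:
        sent.append(name)
        rcode, answer = authoritative(name, ent_nxdomain)
        if rcode == "NXDOMAIN":
            return rcode, None, sent
    return rcode, answer, sent

if __name__ == "__main__":
    q = "_25._tcp.do.havedane.net"
    for minimise in (False, True):
        for ent_nxdomain in (True, False):
            rcode, _, sent = resolve(q, minimise, ent_nxdomain)
            print(f"minimise={minimise} ent_nxdomain={ent_nxdomain}: "
                  f"{rcode} after {sent}")
```
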
