On 11.06.2019 at 11:26, Tony Finch via Unbound-users wrote:
Wouter Wijngaards via Unbound-users <unbound-users@nlnetlabs.nl> wrote:
The issue looks that you have the for-downstream: yes on both zones.
Unbound therefore uses that zone to answer downstream, and skipping to
another zone is not really what an authoritative server has to do as it
is outside of bailiwick in the answer.
Does unbound set RA=0 on its replies in this case?

Hello,

Thanks for the explanation and the hint.
I guess that's the problem, which breaks real world setup. Answer section contains RecursionAvailable flag.
So the client doesn't do any further lookup, hence the "dead" lookup.

It's out of my scope to suggest a fix.
But I can tell that even queries without RD are recursed and RA flagged by other servers (MS, ISC) for x-auth-zone CNAME records.
And that seems to be what clients rely on...
And unfortunately limits the usage of unbound as a frontend to a hidden primary.
Ideas how this can be resolved?

Thanks,

-harry
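
To check a captured reply for the condition discussed in this thread, the following added example (not part of the original messages and not Unbound code) parses a raw DNS response and reports the AA/RD/RA header bits and whether the answer section stops at a CNAME whose target has no data in the same reply. The names `www.a.example.` and `host.b.example.`, the address and the sample bytes are constructed for illustration.

```python
import struct
def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16: raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def inspect(msg):
    """Report AA/RD/RA and whether the answer stops at an unresolved CNAME."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                       # skip QTYPE and QCLASS
    target, resolved = qname, False
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if owner == target and rtype == 5:             # CNAME: follow the chain
            target = read_name(msg, off)[0]
        elif owner == target:
            resolved = True                            # data at the end of the chain
        off += rdlen
    return {"aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "dangling_cname": target != qname and not resolved}

def enc(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def sample(flags, with_a):
    rdata = enc("host.b.example.")  # constructed reply: www.a.example. CNAME host.b.example.
    msg = struct.pack("!6H", 0x1234, flags, 1, 2 if with_a else 1, 0, 0)
    msg += enc("www.a.example.") + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
    if with_a:
        msg += rdata + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg
```

A reply with `ra` true and `dangling_cname` true is the combination described above: the client is told recursion is available, yet the CNAME target is left unresolved.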