Hi Harry,

On 6/11/19 12:19 PM, Harry Schmalzbauer wrote:
> On 11.06.2019 at 11:26, Tony Finch via Unbound-users wrote:
>> Wouter Wijngaards via Unbound-users <[email protected]> wrote:
>>> The issue looks that you have the for-downstream: yes on both zones.
>>> Unbound therefore uses that zone to answer downstream, and skipping to
>>> another zone is not really what an authoritative server has to do as it
>>> is outside of bailiwick in the answer.
>> Does unbound set RA=0 on its replies in this case?
>
> Hello,
>
> thanks for explanation and the hint.
> I guess that's the problem, which breaks real world setup. Answer
> section contains RecursionAvailable flag.
> So the client doesn't do any further lookup, hence the "dead" lookup.

There is a client that depends on the RA flag for recursion or not for lookups?

>
> It's out of my scope to suggest a fix.
> But I can tell that even queries without RD are recursed and RA flagged
> by other servers (MS, ISC) for x-auth-zone CNAME records.
> And that seems to be what clients rely on...
> And unfortunately limits the usage of unbound as frontend to a hidden
> primary.
> Ideas how this can be resolved?

Why is it that you could not do the suggested config file fix? Set for both zones in unbound.conf for-downstream: no and for-upstream: yes and then unbound provides recursion for these zones?

Best regards, Wouter

>
> Thanks,
>
> -harry
>
