Am 11.06.2019 um 12:34 schrieb Wouter Wijngaards:
…
But I can tell that even queries without RD are recursed and RA flagged
by other servers (MS, ISC) for x-auth-zone CNAME records.
And that seems to be what clients rely on...
And unfortunately limits the usage of unbound as frontend to a hidden
primary.
Ideas how this can be resolved?
Why is it that you could not do the suggested config file fix? Set for
both zones in unbound.conf for-downstream: no and for-upstream: yes and
then unbound provides recursion for these zones?
Hello Wouter,
this leads to the reply:
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; test.sample1.local. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
. 8 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2019061100 1800 900 604800 86400
;; ADDITIONAL SECTION:
;; Query time: 1 msec
This is no answer clients can hanlde.
Unfortunately, I didn't get the idea of for-downstream:no.
Which client would want a root hint?
Maybe there's something else wrong with my setup?
Thanks,
-harry
