Hi Harry,

On 6/11/19 2:14 PM, Harry Schmalzbauer wrote:
> On 11.06.2019 at 12:34, Wouter Wijngaards wrote:
> …
>>> But I can tell that even queries without RD are recursed and RA flagged
>>> by other servers (MS, ISC) for x-auth-zone CNAME records.
>>> And that seems to be what clients rely on...
>>> And unfortunately limits the usage of unbound as frontend to a hidden
>>> primary.
>>> Ideas how this can be resolved?
>> Why is it that you could not do the suggested config file fix? Set for
>> both zones in unbound.conf for-downstream: no and for-upstream: yes and
>> then unbound provides recursion for these zones?
>
> Hello Wouter,
>
> this leads to the reply:
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 37468
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; test.sample1.local. IN A
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> . 8 IN SOA a.root-servers.net.
> nstld.verisign-grs.com. 2019061100 1800 900 604800 86400
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 1 msec
>
> This is no answer clients can handle.
> Unfortunately, I didn't get the idea of for-downstream:no.
> Which client would want a root hint?
> Maybe there's something else wrong with my setup?

Did you set for-upstream: yes ? It seems to give an answer from the
root zone instead of the authority zone, but I thought it would have
used the authority zone.

Best regards, Wouter

>
> Thanks,
>
> -harry
>
