On Dec 17, 2011, at 2:20 AM, Mike Cardwell wrote:

> On 17/12/11 00:04, Anand Buddhdev wrote:
>>> Is matt.io's DNS configuration broken, or is Unbound broken?
>>
>> The DNS setup of matt.io is broken. They've made the well-known
>> mistake of mixing a CNAME record with other records:

Unfortunately, this scenario (CNAME and other data, particularly at the zone apex) is increasingly common as a result of web hosting scenarios despite the restrictions in the DNS specs. There was at least one attempt to standardize behavior (http://tools.ietf.org/html/draft-sury-dnsext-cname-at-apex-00), but I gather it withered on the vine.

> Ah, I see. I'll contact him and let him know. Can anyone explain why
> these two results differ for me?
>
> mike@server:~$ dig +short ns matt.io
> mike@server:~$ dig +short +cd ns matt.io
> eb.blagomatic.com.
> mike@server:~$
>
> I understand that his zone is broken, but why does that make Unbound
> return a different response depending on whether or not DNSSEC is
> enabled? He might have noticed this problem earlier if Unbound refused
> to return an address even with DNSSEC disabled...

Since CNAME and other data is explicitly disallowed in RFC 1035, any behavior, up to and including packets exploding in an Earth-Shattering Kaboom, shouldn't be surprising. I'd agree that the inconsistency between DNSSEC/non-DNSSEC is unexpected, but you know what they say about the Spanish Inquisition...

Regards,
-drc

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
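The rule the thread is arguing about (a CNAME owner name may carry no other data, with RRSIG/NSEC/NSEC3 tolerated under DNSSEC) is easy to check for before a zone is published. The following lint script is an added example, not code from the thread or from Unbound; the zone text in it is constructed and is not matt.io's real zone.

```python
"""Lint zone records for the CNAME-and-other-data error discussed in the thread.

RFC 1034 section 3.6.2: if a CNAME RR is present at a node, no other data
should be present. DNSSEC (RFC 4035 section 2.5) later allowed RRSIG, NSEC
and NSEC3 to sit beside a CNAME, so those are not reported as conflicts.
"""
from collections import defaultdict

# Types that may legitimately accompany a CNAME in a signed zone.
DNSSEC_COMPANIONS = {"RRSIG", "NSEC", "NSEC3"}


def parse_records(zone_text):
    """Parse a simplified zone file: one 'owner TTL class type rdata' per line."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        owner, _ttl, _rclass, rtype, rdata = line.split(None, 4)
        owner = owner.lower().rstrip(".") + "."  # normalise to absolute, lowercase
        records.append((owner, rtype.upper(), rdata))
    return records


def find_cname_conflicts(records):
    """Return {owner: [other types]} for owners that mix CNAME with other data."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        if "CNAME" in types:
            others = types - {"CNAME"} - DNSSEC_COMPANIONS
            if others:
                conflicts[owner] = sorted(others)
    return conflicts


# Constructed zone reproducing the apex-CNAME mistake (SOA and NS must live
# at the apex, so an apex CNAME always conflicts with them).
EXAMPLE_ZONE = """
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 300
example.test.      3600 IN NS    ns1.example.test.
example.test.      3600 IN CNAME webhost.provider.test.  ; the mistake
www.example.test.  3600 IN CNAME webhost.provider.test.  ; fine: CNAME alone
ns1.example.test.  3600 IN A     192.0.2.1
"""

if __name__ == "__main__":
    for owner, others in find_cname_conflicts(parse_records(EXAMPLE_ZONE)).items():
        print(f"{owner} has a CNAME alongside {', '.join(others)}")
```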
