Hi,

Came across the curious case of a domain that appears to cause Unbound to 
compare responses of different qtypes in process_response during caps-for-id 
fallback.

This can be reproduced with Unbound 1.7.3 with qname-minimisation (strict) and 
use-caps-for-id enabled.

$ unbound-host git.shifudao.com -t caa -v -C /usr/local/etc/unbound/unbound.conf -d -4

Adding some logging within this scope: 
https://github.com/NLnetLabs/unbound/blob/8aa53f027d125a586796caeee2829ec8a18dd020/iterator/iterator.c#L3547

    /* log the response currently being processed */
    log_dns_msg("response response->rep:", &iq->response->qinfo, iq->response->rep);
    /* log the reply stored for the caps-for-id comparison */
    log_dns_msg("response caps_reply:", &iq->response->qinfo, iq->caps_reply);


shows what appears to be Unbound comparing a CAA response 
(iq->response->rep) to an unrelated A response (iq->caps_reply) that appears to 
be involved due to qname-minimisation.

Since the two responses differ in their answer/authority, caps-for-id fallback 
fails and this results in a SERVFAIL.

Output from working caps-for-id fallback: https://id-rsa.pub/good
Output from failing caps-for-id fallback: https://id-rsa.pub/bad

Any guidance?

Thank you

Alex
