Hi. I read reports about qname minimisation and SERVFAIL responses in the list archive, but maybe this is different.
For me, the problem is NXDOMAIN responses for a CNAME query where the CNAME itself exists but its target does not and the record is not in the cache. Unbound version is 1.7.3. I'm a bit unclear on what the correct response to explicit CNAME queries should be. The queries are made by a script to find the right hostname for dynamic updates.

On an empty cache, the query returns NXDOMAIN with the CNAME in the answer section:

| # unbound-control flush_zone openchaos.org
| ok removed 31 rrsets, 12 messages and 4 key entries
|
| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME dnsdist._acme-challenge.openchaos.org.
|
| ;; AUTHORITY SECTION:
| _acme-challenge.openchaos.org. 60 IN SOA ns2.hauke-lampe.de. hostmaster.hauke-lampe.de. 13 86400 10800 604800 60

The _acme-challenge subdomain is unsigned, so I guess that explains the "DNSSEC LAME" messages in the log? Why is unbound trying to follow the CNAME, anyway?

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 199.19.53.1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was CNAME
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2a01:4f8:141:282::e:1#53
| unbound: query response was DNSSEC LAME
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 89.18.172.35#53
| unbound: query response was ANSWER
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 2400:6180:0:d0::12:6002#53
| unbound: query response was REFERRAL
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <_acme-challenge.openchaos.org.> 85.10.240.254#53
| unbound: query response was NXDOMAIN ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(cname): sec_status_secure
| unbound: NSEC RRset for the referral proved no DS.
| unbound: Verified that unsigned response is INSECURE

A while later, the same query results in NOERROR (+ad flag) from the cache:

| # dig _acme-challenge.dnsdist.openchaos.org. CNAME @10.42.22.4
|
| ; <<>> DiG 9.13.2 <<>> _acme-challenge.dnsdist.openchaos.org. CNAME
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 65432
| ;; QUESTION SECTION:
| ;_acme-challenge.dnsdist.openchaos.org. IN CNAME
|
| ;; ANSWER SECTION:
| _acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME dnsdist._acme-challenge.openchaos.org.

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org. CNAME IN

With qname-minimisation disabled, the answer is always NOERROR. The log suggests that unbound doesn't even try to follow the CNAME:

| unbound: 10.42.22.4 _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: resolving org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <org.> 2001:500:40::1#53
| unbound: query response was REFERRAL
| unbound: resolving openchaos.org. DNSKEY IN
| unbound: response for _acme-challenge.dnsdist.openchaos.org. CNAME IN
| unbound: reply from <openchaos.org.> 85.10.240.254#53
| unbound: query response was ANSWER
| unbound: validated DS openchaos.org. DS IN
| unbound: response for openchaos.org. DNSKEY IN
| unbound: reply from <openchaos.org.> 2605:6400:2:fed5:22:0:febc:b1d0#53
| unbound: query response was ANSWER
| unbound: validated DNSKEY openchaos.org. DNSKEY IN
| unbound: validate(positive): sec_status_secure
| unbound: validation success _acme-challenge.dnsdist.openchaos.org. CNAME IN

( BIND 9.13.2 with "qname-minimization strict" also returns NOERROR )

Hauke.
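An added example, not part of the post above and not code from the Unbound project: the post's update script asks for a CNAME explicitly and then has to interpret a response whose RCODE (NXDOMAIN) disagrees with its answer section (the CNAME is present). RFC 1034 section 3.6.2 says a query whose type is CNAME is not restarted at the CNAME target, so a script that only looks at the RCODE would wrongly conclude "no CNAME" in the empty-cache case. The Python below parses dig output of the shape quoted in the post, takes the CNAME target from the answer section regardless of RCODE, and reports the RCODE/answer mismatch as its own verdict so monitoring can see it. The sample inputs are constructed to mirror the post's dig output (the third, a plain NXDOMAIN with no CNAME, is invented for contrast); the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: empty-cache case from the post, RCODE NXDOMAIN but the
# CNAME sits in the answer section.
SAMPLE_NXDOMAIN_WITH_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23947
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65432
;; QUESTION SECTION:
;_acme-challenge.dnsdist.openchaos.org. IN CNAME

;; ANSWER SECTION:
_acme-challenge.dnsdist.openchaos.org. 3600 IN CNAME dnsdist._acme-challenge.openchaos.org.

;; AUTHORITY SECTION:
_acme-challenge.openchaos.org. 60 IN SOA ns2.hauke-lampe.de. hostmaster.hauke-lampe.de. 13 86400 10800 604800 60
"""

# Constructed sample: the cached, validated (+ad) answer from the post.
SAMPLE_CACHED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17071
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.dnsdist.openchaos.org. IN CNAME

;; ANSWER SECTION:
_acme-challenge.dnsdist.openchaos.org. 3426 IN CNAME dnsdist._acme-challenge.openchaos.org.
"""

# Constructed sample (invented, not from the post): a genuine "no such CNAME".
SAMPLE_NO_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.nothere.example. IN CNAME

;; AUTHORITY SECTION:
example. 3600 IN SOA ns.example. hostmaster.example. 1 3600 600 86400 3600
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r";; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str          # remaining fields joined, so SOA and CNAME both fit


@dataclass
class DigResponse:
    status: str
    flags: Set[str]
    question: Tuple[str, str]          # (qname, qtype)
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def parse_rr(line: str) -> RR:
    name, ttl, _cls, rtype, *rdata = line.split()
    return RR(name, int(ttl), rtype, " ".join(rdata))


def parse_dig(text: str) -> DigResponse:
    """Parse the header, flags, question, answer and authority of dig output."""
    status, flags, question = "UNKNOWN", set(), None
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # dig ends each section with a blank line
            continue
        m = HEADER_RE.search(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            qname, _cls, qtype = line[1:].split()
            question = (qname, qtype)
            continue
        if line.startswith(";"):
            continue                            # other dig commentary
        if current in sections:
            sections[current].append(parse_rr(line))
    if question is None:
        raise ValueError("no QUESTION SECTION in dig output")
    return DigResponse(status, flags, question, sections["ANSWER"], sections["AUTHORITY"])


@dataclass(frozen=True)
class Verdict:
    kind: str                  # "ok", "cname-but-<rcode>", "no-cname-<rcode>", "not-a-cname-query"
    target: Optional[str]      # CNAME target when one was in the answer section
    validated: bool            # AD flag set by the resolver


def classify_cname_query(resp: DigResponse) -> Verdict:
    """Read the CNAME target from the answer section independent of RCODE and
    flag the RCODE/answer-section disagreement the post describes."""
    qname, qtype = resp.question
    validated = "ad" in resp.flags
    if qtype != "CNAME":
        return Verdict("not-a-cname-query", None, validated)
    cnames = [rr for rr in resp.answer if rr.name == qname and rr.rtype == "CNAME"]
    target = cnames[0].rdata if cnames else None
    if target is not None and resp.status == "NOERROR":
        return Verdict("ok", target, validated)
    if target is not None:
        return Verdict(f"cname-but-{resp.status.lower()}", target, validated)
    return Verdict(f"no-cname-{resp.status.lower()}", None, validated)


if __name__ == "__main__":
    for label, sample in [("empty cache", SAMPLE_NXDOMAIN_WITH_CNAME),
                          ("cached", SAMPLE_CACHED_OK), ("no cname", SAMPLE_NO_CNAME)]:
        print(label, classify_cname_query(parse_dig(sample)))
```

In use, the script would feed `dig ... CNAME` output (or the equivalent from a DNS library) into `parse_dig` and act on `Verdict.target`; the `cname-but-nxdomain` kind is what the post's empty-cache case produces, and counting it separately from `no-cname-nxdomain` makes the resolver behaviour visible instead of silently failing the update.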
