Maintained by: NLnet Labs

[Unbound-users] unbound and

Geoffrey Sisson
Wed Jun 25 11:11:40 CEST 2008

edmonds at (Robert Edmonds) wrote:

> these servers will answer authoritatively for the A records www and
> secure, but provide root referrals when asked about the AAAA records.

I've come across the same bad behaviour from the servers for they report that they're lame for the AAAA RR rather than
providing a NOERROR/NODATA response.  (Note: fpdns can't id the DNS server
implementation involved.)  Here are dnscap traces from Unbound and BIND:

Unbound (r1126):

BIND (9.5.0):

The second trace shows that BIND goes on to query for the A RR even
though the servers are lame for the AAAA RR.  I suspect the BIND
developers had to add this as a work around at some point.  (Mark,
are you on this list?)

I've worked around this with a local-data statement in unbound.conf, but
the danger is that others deploying Unbound will quickly revert to BIND
the first time they come across this behaviour. is the
main web site for the US Postal Service, so this will happen quickly for
users in the US.  I suspect that Unbound will have to be made resilient
to this sort of failure -- perhaps as an option which defaults to "yes".