edmonds at debian.org (Robert Edmonds) wrote:
> these servers will answer authoritatively for the A records www and
> secure, but provide root referrals when asked about the AAAA records.

I've come across the same bad behaviour from the servers for www.usps.com: they report that they're lame for the AAAA RR rather than providing a NOERROR/NODATA response. (Note: fpdns can't id the DNS server implementation involved.)

Here are dnscap traces from Unbound and BIND:

Unbound (r1126): http://www.panix.com/~geoff/unbound_trace.txt
BIND (9.5.0): http://www.panix.com/~geoff/bind_trace.txt

The second trace shows that BIND goes on to query for the A RR even though the servers are lame for the AAAA RR. I suspect the BIND developers had to add this as a workaround at some point. (Mark, are you on this list?)

I've worked around this with a local-data statement in unbound.conf, but the danger is that others deploying Unbound will quickly revert to BIND the first time they come across this behaviour. www.usps.com is the main web site for the US Postal Service, so this will happen quickly for users in the US.

I suspect that Unbound will have to be made resilient to this sort of failure -- perhaps as an option which defaults to "yes".

Geoff
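
The difference this message turns on, a NOERROR/NODATA reply versus a root referral for the AAAA query, can be checked on the wire. The following Python is an added example, not part of the original post and not Unbound or BIND code; it applies the RFC 2308 NODATA rules, and both sample replies are constructed (their NS and SOA contents are invented for illustration, not taken from the traces).

```python
import struct
TYPE_NS, TYPE_SOA = 2, 6

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(256):                          # bounds compression loops
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("name too long or compression loop")

def classify(msg, zone):
    """Classify a reply from a server that is expected to serve `zone`."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0xF:
        return "rcode-%d" % (flags & 0xF)
    if an:
        return "answer"
    off, auth = 12, []
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4          # name + QTYPE + QCLASS
    for _ in range(ns):                           # authority section
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        off += 10 + rdlen
        auth.append((owner, rtype))
    ns_owners = [o for o, t in auth if t == TYPE_NS]
    if not ns_owners or any(t == TYPE_SOA for _, t in auth):
        return "nodata"                           # NOERROR/NODATA (RFC 2308)
    if all(o == zone or o.endswith("." + zone) for o in ns_owners):
        return "delegation"                       # referral at or below the zone
    return "lame-upward-referral"                 # e.g. NS for "." (root referral)

# Constructed replies to "www.usps.com. AAAA" (illustrative, not captured data).
Q = b"\x03www\x04usps\x03com\x00" + struct.pack("!HH", 28, 1)
def rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
ROOT_REFERRAL = struct.pack("!6H", 1, 0x8000, 1, 0, 1, 0) + Q + rr(
    b"\x00", TYPE_NS, b"\x01a\x0croot-servers\x03net\x00")
NODATA = struct.pack("!6H", 1, 0x8400, 1, 0, 1, 0) + Q + rr(
    b"\xc0\x10", TYPE_SOA, b"\x02ns\xc0\x10\x05admin\xc0\x10" + struct.pack("!5I", 1, 2, 3, 4, 5))
```

`classify(ROOT_REFERRAL, "usps.com.")` reports the lame case, while `classify(NODATA, "usps.com.")` reports the reply a resolver can cache as "no AAAA record here".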