Maintained by: NLnet Labs

[Unbound-users] Domains without A registry in nameservers

Paul Wouters
Fri Oct 9 17:50:35 CEST 2009


On Fri, 9 Oct 2009, Isaac González wrote:

> We are currently running unbound in an anycasting scenario and it works great. I've found some problems catching domains without NS A records at nameservers (some servers do not provide A records for nameservers). I've found a workaround adding a local-data in the configuration, but if the provider changes the nameserver IP address it will fail. Do you know an alternative workaround or some configuration parameter to solve this problem?
>
> P.S. For example: http://thednsreport.com/?domain=sanvic.es
>
> My workaround:
>
> local-zone: "actualcat.com." transparent
> local-data: "ns1.actualcat.com A 213.192.239.111"
> local-data: "ns2.actualcat.com A 213.192.239.112"

The problem here is that there are glue records for ns[12].actualcat.com pointing
to 213.192.239.112 and 213.192.239.111. However, when you ask those servers for
the A record of ns[12].actualcat.com you get an NXDOMAIN.

Since the NXDOMAIN is in the authority section, it "outweighs" the previous
glue records that were in the additional section and the hints are dropped.

So even with harden-referral-path: no, it will end up failing.

The owner of the zone actualcat.com will need to fix their zone.

Paul
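
Added example, not part of the original post and not Unbound's code: a simplified model of the credibility ranking a resolver cache applies (in the spirit of RFC 2181 section 5.4.1), showing why the authoritative NXDOMAIN displaces the parent's glue and leaves no usable nameserver address. The `Rank`, `Cache` and `simulate` names are hypothetical; the two addresses are the ones quoted in the thread.

```python
from enum import IntEnum

NXDOMAIN = "NXDOMAIN"  # sentinel for a cached negative answer

class Rank(IntEnum):
    GLUE = 1           # additional section of the parent's referral
    AUTHORITATIVE = 2  # reply from the zone's own servers (AA set)

class Cache:
    """Assumed, simplified cache: one value per (name, type), ranked by source."""
    def __init__(self):
        self.entries = {}  # (name, type) -> (rank, value)

    def store(self, name, rtype, value, rank):
        """Keep the new data only if it is at least as credible as the old."""
        key = (name.rstrip(".").lower(), rtype)
        old = self.entries.get(key)
        if old is not None and old[0] > rank:
            return False
        self.entries[key] = (rank, value)
        return True

    def addresses(self, ns_names):
        """Usable A records for the given nameserver names."""
        found = []
        for name in ns_names:
            key = (name.rstrip(".").lower(), "A")
            _, value = self.entries.get(key, (None, NXDOMAIN))
            if value != NXDOMAIN:
                found.append(value)
        return found

def simulate():
    cache = Cache()
    ns_names = ["ns1.actualcat.com.", "ns2.actualcat.com."]
    # Step 1: the parent's referral carries glue (addresses from the thread).
    cache.store(ns_names[0], "A", "213.192.239.111", Rank.GLUE)
    cache.store(ns_names[1], "A", "213.192.239.112", Rank.GLUE)
    before = cache.addresses(ns_names)
    # Step 2: the zone's own servers answer NXDOMAIN for their own names.
    for name in ns_names:
        cache.store(name, "A", NXDOMAIN, Rank.AUTHORITATIVE)
    after = cache.addresses(ns_names)
    # Step 3: a later copy of the glue cannot displace the authoritative negative.
    restored = cache.store(ns_names[0], "A", "213.192.239.111", Rank.GLUE)
    return before, after, restored

if __name__ == "__main__":
    print(simulate())
```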