Maintained by: NLnet Labs

[Unbound-users] Broken DNS or broken Unbound?

Mike Cardwell
Sat Dec 17 11:20:38 CET 2011


On 17/12/11 00:04, Anand Buddhdev wrote:

>> Can anyone explain what is going on with the domain matt.io? I'm
>> running Unbound 1.4.9 and have it set up to do DNSSEC validation.
>> "dig matt.io" SERVFAIL's, however "dig +cd matt.io" works fine.
>> This domain doesn't have DNSSEC on it though... I also noticed that
>> when I attempt to look up the NS records, all it returns is a
>> CNAME. Is that valid?
>> 
>> Is matt.io's DNS configuration broken, or is Unbound broken?
> 
> The DNS setup of matt.io is broken. They've made the well-known
> mistake of mixing a CNAME record with other records:

Ah, I see. I'll contact him and let him know. Can anyone explain why
these two results differ for me?

mike@server:~$ dig +short ns matt.io
mike@server:~$ dig +short +cd ns matt.io
eb.blagomatic.com.
mike@server:~$

I understand that his zone is broken, but why does that make Unbound
return a different response depending on whether or not DNSSEC is
enabled? He might have noticed this problem earlier if Unbound refused
to return an address even with DNSSEC disabled...

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
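
The mistake named in the quoted reply (a CNAME sharing an owner name with other records), as an added example that is not part of the original message: a small Python check that finds such names in zone data. The zone records, names and function names are constructed for illustration and are not matt.io's real zone; RRSIG and NSEC are allowed beside a CNAME per RFC 4035 section 2.5.

```python
# Added example: flag owner names where a CNAME coexists with other record types.
from collections import defaultdict

# Types that may sit beside a CNAME in a signed zone (RFC 4035 section 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}

# Constructed sample records (owner, TTL, class, type, rdata); not a real zone.
SAMPLE_ZONE = """\
broken.example.     3600 IN SOA   ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 3600
broken.example.     3600 IN NS    ns1.example.net.
broken.example.     3600 IN CNAME target.example.org.
www.broken.example. 3600 IN CNAME target.example.org.
signed.example.     3600 IN CNAME target.example.org.
signed.example.     3600 IN RRSIG CNAME 8 2 3600 20300101000000 20200101000000 12345 example. c2ln
signed.example.     3600 IN NSEC  www.signed.example. CNAME RRSIG NSEC
ok.example.         3600 IN A     192.0.2.10
"""


def parse_records(text):
    """Yield (owner, rrtype) from fully written 'owner ttl class type rdata' lines."""
    for line in text.splitlines():
        # Simplification: treats ';' as a comment start even inside quoted rdata.
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unparseable record: {line!r}")
        # Normalise the owner: case-insensitive, exactly one trailing dot.
        yield fields[0].lower().rstrip(".") + ".", fields[3].upper()


def cname_conflicts(text):
    """Return {owner: sorted types that share the name with a CNAME but must not}."""
    types_at = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types_at[owner].add(rrtype)
    conflicts = {}
    for owner, types in types_at.items():
        if "CNAME" in types:
            extra = types - {"CNAME"} - ALLOWED_WITH_CNAME
            if extra:
                conflicts[owner] = sorted(extra)
    return conflicts


if __name__ == "__main__":
    for owner, extra in sorted(cname_conflicts(SAMPLE_ZONE).items()):
        print(f"{owner}: CNAME mixed with {', '.join(extra)}")
```
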
