Maintained by: NLnet Labs

[Unbound-users] Broken DNS or broken Unbound?

David Conrad
Sat Dec 17 19:27:17 CET 2011


On Dec 17, 2011, at 2:20 AM, Mike Cardwell wrote:
> On 17/12/11 00:04, Anand Buddhdev wrote:
>>> Is matt.io's DNS configuration broken, or is Unbound broken?
>> 
>> The DNS setup of matt.io is broken. They've made the well-known
>> mistake of mixing a CNAME record with other records:

Unfortunately, this scenario (CNAME and other data, particularly at the zone apex) is increasingly common as a result of web hosting scenarios despite the restrictions in the DNS specs.  There was at least one attempt to standardize behavior (http://tools.ietf.org/html/draft-sury-dnsext-cname-at-apex-00), but I gather it withered on the vine.

> Ah, I see. I'll contact him and let him know. Can anyone explain why
> these two results differ for me?
> 
> mike at server:~$ dig +short ns matt.io
> mike at server:~$ dig +short +cd ns matt.io
> eb.blagomatic.com.
> mike at server:~$
> 
> I understand that his zone is broken, but why does that make Unbound
> return a different response depending on whether or not DNSSEC is
> enabled? He might have noticed this problem earlier if Unbound refused
> to return an address even with DNSSEC disabled...

Since CNAME and other data is explicitly disallowed in RFC 1035, any behavior, up to and including packets exploding in an Earth-Shattering Kaboom, shouldn't be surprising.  I'd agree that the inconsistency between DNSSEC/non-DNSSEC is unexpected, but you know what they say about the Spanish Inquisition...

Regards,
-drc
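The "CNAME and other data" mistake discussed in this thread is easy to catch before a zone is published. The following checker is an added example written for this archive page; it is not code from the list posts, from Unbound, or from NLnet Labs. It parses a minimal one-record-per-line zone text (a constructed sample using placeholder names, not matt.io's real data) and reports every owner name where a CNAME sits beside other record types. Per RFC 4035 section 2.5, RRSIG and NSEC are required at a signed CNAME's owner name, so those two types are exempted from the conflict check.

```python
# Added example (not from the mailing-list thread or from Unbound):
# detect "CNAME and other data" at the same owner name, the RFC 1034/1035
# violation the thread discusses. The zone below is constructed for
# illustration; example.test / hosting.test are placeholder names.

from collections import defaultdict

SAMPLE_ZONE = """\
; constructed sample zone, not real data
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.      3600 IN NS    ns1.example.test.
example.test.      3600 IN CNAME web.hosting.test.    ; CNAME at the apex: broken
www.example.test.  3600 IN CNAME web.hosting.test.    ; CNAME alone: fine
ns1.example.test.  3600 IN A     192.0.2.1
"""

# DNSSEC types that RFC 4035 section 2.5 requires alongside a CNAME in a
# signed zone; they never count as "other data".
DNSSEC_AT_CNAME = {"RRSIG", "NSEC"}


def parse_zone(text):
    """Parse single-line RRs of the form: owner [ttl] [class] type rdata...

    Returns a list of (owner, type, rdata) tuples. Comments after ';' are
    stripped; TTL and class are optional, as in a real master file.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if not rest:
            raise ValueError("record without a type: %r" % raw)
        rtype = rest[0].upper()
        records.append((owner, rtype, " ".join(rest[1:])))
    return records


def find_cname_conflicts(records):
    """Return {owner: [other types]} for every owner that mixes CNAME
    with record types other than the DNSSEC ones allowed beside it."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_by_owner[owner].add(rtype)

    conflicts = {}
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"} - DNSSEC_AT_CNAME)
        if others:
            conflicts[owner] = others
    return conflicts


if __name__ == "__main__":
    for owner, others in find_cname_conflicts(parse_zone(SAMPLE_ZONE)).items():
        print("%s: CNAME coexists with %s" % (owner, ", ".join(others)))
```

Run against the sample, the checker flags only the apex (`example.test.`), where the CNAME collides with the SOA and NS records that every zone must carry at that name; `www.example.test.` passes because its CNAME stands alone. This is the same condition a validating resolver trips over, just caught at zone-edit time rather than in a confusing difference between `dig` and `dig +cd`.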