Maintained by: NLnet Labs

[Unbound-users] Unbound rejects queries with unknown data in additional section

Alexander E. Patrakov
Fri Jan 11 10:31:47 CET 2013

2013/1/11 W.C.A. Wijngaards <wouter at>:
> On 01/11/2013 08:37 AM, Alexander E. Patrakov wrote:
>> I found a difference in behaviour between Unbound and BIND. Could
>> you please explain if this is intentional?
> Yes this was intentional.  It is copied from NSD.  It rejects a query
> that has unknown components, because the server does not support this
> sort of query.  FORMERR, because this rcode means there was something
> wrong with the query.

OK, I see.

> Is there some reason you want this?

My company develops parental control software. One of its functions is
to redirect all DNS queries originating from the user's computer to
our DNS servers, adding a record to the additional section for user
tracking purposes.

Now imagine what happens if a user with our software connects e.g. to
a network where an administrator redirects all DNS queries to his own
nameservers running unbound (and there are valid legal reasons why
this redirection is necessary in a number of cases). Now all users of
our software get FORMERRs. Well, the software fails closed, but some
would prefer it to fail open.

And here is why I have chosen the additional section as the place for
the user-tracking record: IETF did the same >10 years ago when the OPT
record was standardized. They trusted the implementors of DNS servers
to ignore stuff in the additional section that they don't understand
(see And
now unbound wastes this trust.

So in fact that's a general case of the "be liberal in what you
accept" rule. Yes, my software also has a bug that it does not retry
without that user-tracking additional record on a FORMERR.

Alexander E. Patrakov