Maintained by: NLnet Labs

[Unbound-users] Behaviour when authorative zone is more specific than stub-zone

Patrik Lundin
Mon Sep 1 20:15:59 CEST 2014


This question is based on a thread over at the OpenBSD misc@ mailing
list. The most recent post pretty much summarises it:

It seems more than one person has been trying to use a stub-zone
clause in unbound along the following lines:
        name: ""
        stub-addr: some-ip-addr

... The NSD server would then be authorative for a more specific zone like

Is the result described in the thread above expected by the people on
this list? I'll insert my test result here for easy reference:

> To me the following is seen:
> # dig @ -x <-- works
> # dig @ -x <-- fails
> # dig @ -x <-- works
> # dig @ -x <-- works
> Basically the first lookup works, the second ends up at IANA (as if the
> stub-zone configuration did not exist), and any
> following lookups work again.

My current idea (as written in a different message in the thread) is
that it is just undefined behaviour from telling unbound that the server
is authorative for a zone that it actually is not.

I just think it would be interesting to your opinions instead of relying on my
own hunch. The easy soluition is of course to use matching zone names in both

Patrik Lundin