Maintained by: NLnet Labs

Trusted upstream resolver

Dave Warren
Tue Nov 3 22:04:39 CET 2015

On 2015-11-03 05:57, W.C.A. Wijngaards via Unbound-users wrote:
> No, there is no option to disable the CNAME checks.  The trust in the
> other nameserver is by the way not enough reason to have used such an
> option, it is protection against inserted spoofed packets here that
> has mandated the checks.

I'm having trouble wrapping my head around this one: why are CNAMEs 
different with regard to spoofing?

I understand why the resolver wants to do sanity-checking, but are these 
records more vulnerable to spoofing than in the general case of trusting 
an upstream resolver implicitly?

> Consider enabling prefetch: yes   (and prefetch-key: yes) in
> unbound.conf, for commonly asked queries that will make it prefetch a
> couple seconds before expiry to refresh the cache entry, and that
> should be enough to hide this latency for a larger number of queries.

When I was in a similar situation a few months back, prefetching made a 
*big* difference. However, only for names that are accessed by multiple 
clients. There were cases where one client was frequently accessing the 
same resource (but no others) and these still expired without getting 
prefetched due to the client-side caching.

Such is life.

> Another option, but less desirable, is cache-min-ttl where you can
> force entries to stay in the cache for a longer time (i.e. that CNAME
> was from a CDN with very short TTLs).

Within a very reasonable ceiling. Perhaps 300 seconds might be the 
largest cache-min-TTL that one might consider.

Dave Warren
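
An added illustration, not part of the original message and not Unbound's code: a toy simulation of the prefetch behaviour discussed above, comparing a name requested by one busy client that keeps its own cache with a name shared by several clients. The 10% trigger window, the client-cache model and the access patterns are assumptions constructed for this example.

```python
def simulate(client_access_times, ttl=60, prefetch=True, window_pct=10):
    """Replay per-client access times (seconds) against one resolver cache entry.

    Assumed model: each client caches the answer for the remaining TTL it was
    given, and the resolver refreshes an entry in the background when a query
    arrives with window_pct percent or less of the TTL left.
    """
    events = sorted((t, cid) for cid, times in enumerate(client_access_times)
                    for t in times)
    resolver_expiry = None   # absolute expiry of the resolver's cached entry
    client_expiry = {}       # client id -> expiry of that client's own copy
    stats = {"queries": 0, "misses": 0, "prefetches": 0}
    for now, cid in events:
        if client_expiry.get(cid, -1) > now:
            continue         # served from the client's cache; resolver sees nothing
        stats["queries"] += 1
        if resolver_expiry is None or resolver_expiry <= now:
            stats["misses"] += 1              # client waits for the upstream lookup
            resolver_expiry = now + ttl
            client_expiry[cid] = resolver_expiry
            continue
        remaining = resolver_expiry - now
        client_expiry[cid] = resolver_expiry  # client receives the decremented TTL
        if prefetch and remaining * 100 <= ttl * window_pct:
            stats["prefetches"] += 1          # answered from cache, refreshed behind it
            resolver_expiry = now + ttl
    return stats


# Constructed workloads over 300 seconds for a name with a 60-second TTL.
HORIZON = 300
busy = list(range(HORIZON))   # one client asking for the name every second
occasional = [list(range(0, HORIZON, p)) for p in (61, 67, 71, 73, 79, 83, 89, 97)]


def solo():
    """Only the busy client uses the name."""
    return simulate([busy])


def shared(prefetch=True):
    """The busy client plus eight occasional clients use the name."""
    return simulate([busy] + occasional, prefetch=prefetch)


if __name__ == "__main__":
    print("one busy client, prefetch on:", solo())
    print("shared name, prefetch on    :", shared())
    print("shared name, prefetch off   :", shared(prefetch=False))
```

In this model the lone client only queries again at the moment the resolver's entry expires, so no query ever lands inside the prefetch window; the occasional clients supply the late queries that trigger a refresh.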