extra CNAME resolutions in chain

Philip O'Sullivan posullivan at atlassian.com
Mon May 29 05:12:58 UTC 2017


Hi,

I'm seeing unbound making extra resolution requests for CNAME records in a
chain where the domains differ between the record in the question and the
CNAMEs in the answer.  For example a query coming into unbound for a host
like a.b.c.com that gets a reponse from the server with CNAME a.b.e.com,
CNAME, a.d.e.com, A 1.2.3.4.  Instead of returning those immediately to the
client unbound proceeds to resolve a.b.e.com and a.c.e.com, and then return
to the client.  From the logs, when verbose logging is turned on we see
messages like:

  info: sanitize: removing extraneous answer RRset: a.b.e.com. CNAME IN

Our unbound config is fairly simple with a forward-zone for "." pointing to
our upstream DNS servers.  We don't have DNSSEC enabled.

>From a quick look at the source I think this is happening in the scrubber
at
https://github.com/NLnetLabs/unbound/blob/master/iterator/iter_scrub.c#L663

I was wondering if there was anyway to stop these extra lookups?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20170529/87cd36a3/attachment.htm>


More information about the Unbound-users mailing list