NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound doesn't return "ANY" records after "A" #1024

Closed Folliant closed 8 months ago

Folliant commented 8 months ago

Hello. I've faced a situation where, after the command dig google.com A, Unbound doesn't return values for dig google.com ANY. Thank you for your time.

Environment:

Docker container:

docker run -it debian:stable /bin/bash

Unbound version:

unbound -V
Version 1.17.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.11 19 Sep 2023
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Unbound config:

Path:

/etc/unbound/unbound.conf

Content:

server:
interface: lo

root-hints: /usr/share/dns/root.hints
auto-trust-anchor-file: /var/lib/unbound/root.key

Issue:

root@ae2d1d33cb3a:/# dig google.com A

; <<>> DiG 9.18.24-1-Debian <<>> google.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58018
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     300 IN  A   142.251.33.174

;; Query time: 348 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Mar 07 00:45:16 UTC 2024
;; MSG SIZE  rcvd: 55

root@ae2d1d33cb3a:/# dig google.com ANY

; <<>> DiG 9.18.24-1-Debian <<>> google.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32253
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  ANY

;; ANSWER SECTION:
google.com.     297 IN  A   142.251.33.174

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Mar 07 00:45:19 UTC 2024
;; MSG SIZE  rcvd: 55

Expected behaviour:

root@ae2d1d33cb3a:/# service unbound restart
Restarting DNS server: unbound.
root@ae2d1d33cb3a:/# dig google.com ANY

; <<>> DiG 9.18.24-1-Debian <<>> google.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33379
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  ANY

;; ANSWER SECTION:
google.com.     300 IN  A   142.251.33.174
google.com.     300 IN  AAAA    2607:f8b0:400b:80c::200e
google.com.     60  IN  SOA ns1.google.com. dns-admin.google.com. 613150094 900 900 1800 60
google.com.     3600    IN  TXT "google-site-verification=TV9-DBe4R80X4v0M4U_bd_J9cpOJM0nikft0jAgjmsQ"
google.com.     3600    IN  TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
google.com.     3600    IN  TXT "MS=E4A68B9AB2BB9670BCE15412F62916164C0B20BB"
google.com.     3600    IN  TXT "docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"
google.com.     3600    IN  TXT "apple-domain-verification=30afIBcvSuDV2PLX"
google.com.     3600    IN  TXT "v=spf1 include:_spf.google.com ~all"
google.com.     3600    IN  TXT "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com.     3600    IN  TXT "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e"
google.com.     3600    IN  TXT "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com.     3600    IN  TXT "webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
google.com.     3600    IN  TXT "onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef"
google.com.     86400   IN  NS  ns2.google.com.
google.com.     86400   IN  NS  ns3.google.com.
google.com.     86400   IN  NS  ns4.google.com.
google.com.     86400   IN  NS  ns1.google.com.
google.com.     300 IN  MX  10 smtp.google.com.
google.com.     21600   IN  HTTPS   1 . alpn="h2,h3"
google.com.     86400   IN  CAA 0 issue "pki.goog"

;; Query time: 204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Mar 07 00:45:28 UTC 2024
;; MSG SIZE  rcvd: 1013

gthess commented 8 months ago

Hello, this is correct behavior. When Unbound has cache contents for a name (but not an ANY query yet), for an ANY query it will try to get "some" records from the cache. If there is nothing cached, it will forward the ANY query upstream and then it depends on how the upstream replies.

In your "non-working" case when you first populate the cache with only the A record, the subsequent ANY query will immediately find that in the cache and return it.

Also in your working example, after 60 seconds (the lowest TTL in the answer), that answer will be expired and an ANY query will return just a subset of the records you see there from the cache.
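As an added illustration (not Unbound's code and not from either commenter), the following constructed Python model replays the cache behaviour described in the reply above: each RRset is cached with its own TTL, an ANY query is answered from whatever is cached for the name, and Unbound only goes upstream when the cache holds nothing for that name. The upstream data and timestamps are constructed from the dig output in the issue; no live lookups happen.

```python
# Constructed model of the cache behaviour described in the reply above; this is
# NOT Unbound's code. RRsets are cached per (name, type) with their own TTL; an
# ANY query is served from cache if anything for the name is cached, else upstream.

# Constructed upstream data (name, type) -> (ttl, rdata), modelled on the dig output.
UPSTREAM = {
    ("google.com.", "A"):    (300,   ["142.251.33.174"]),
    ("google.com.", "AAAA"): (300,   ["2607:f8b0:400b:80c::200e"]),
    ("google.com.", "SOA"):  (60,    ["ns1.google.com. dns-admin.google.com. 613150094 900 900 1800 60"]),
    ("google.com.", "MX"):   (300,   ["10 smtp.google.com."]),
    ("google.com.", "NS"):   (86400, ["ns1.google.com.", "ns2.google.com."]),
}

class Cache:
    def __init__(self):
        self.rrsets = {}  # (name, type) -> (absolute expiry, rdata list)

    def _live(self, name, now):
        """All non-expired RRsets cached for `name`, keyed by type."""
        return {t: rd for (n, t), (exp, rd) in self.rrsets.items()
                if n == name and exp > now}

    def query(self, name, qtype, now):
        """Answer section as {type: rdata}; `now` is a timestamp in seconds."""
        if qtype == "ANY":
            cached = self._live(name, now)
            if cached:
                return cached          # "some" records: whatever is in cache
            answer = {}                # cold cache: fetch ANY upstream, cache all
            for (n, t), (ttl, rd) in UPSTREAM.items():
                if n == name:
                    self.rrsets[(n, t)] = (now + ttl, rd)
                    answer[t] = rd
            return answer
        live = self._live(name, now)
        if qtype in live:
            return {qtype: live[qtype]}
        ttl, rd = UPSTREAM[(name, qtype)]   # KeyError stands in for a missing name
        self.rrsets[(name, qtype)] = (now + ttl, rd)
        return {qtype: rd}

def replay():
    """Replay the issue: ANY after A, ANY on a cold cache, ANY 61 s later."""
    c = Cache()
    c.query("google.com.", "A", now=0)
    after_a = sorted(c.query("google.com.", "ANY", now=3))   # only A
    c = Cache()                                              # restart: empty cache
    cold = sorted(c.query("google.com.", "ANY", now=0))      # full upstream set
    later = sorted(c.query("google.com.", "ANY", now=61))    # SOA (TTL 60) expired
    return after_a, cold, later
```

The third result shows why a monitoring check that relies on ANY returning a complete set is unreliable against a caching resolver: once the shortest TTL has passed, the cache answers with the subset that is still live.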