Open nomis opened 2 years ago
In both places where it decides that the host should be recorded as not supporting EDNS, it checks to see if the query requested DNSSEC.
That's inappropriate if unbound is configured to validate all queries by default. In that scenario it shouldn't matter what individual queries want - the forwarder must always support EDNS.
Describe the bug
Unbound has unexpectedly decided that the primary forwarder for `.` does not support EDNS (ednsknown 1 edns -1):

The result is that it never sets the `DO` flag and then complains that every response is missing signatures. It is configured with another IP for the same forwarder but it hasn't attempted to prefer that one (ednsknown 1 edns 0) over the one that it thinks can no longer support EDNS.

To reproduce
Unknown. There are no log messages indicating why it has decided to do this, it just started reporting validation failures for everything:

Expected behavior

System:
unbound -V output:

Additional information
The forwarder is also running Unbound 1.6.7.
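The two infra-cache states quoted in the report (an address marked `ednsknown 1 edns -1`, i.e. probed and recorded as not supporting EDNS, next to a second address for the same zone at `ednsknown 1 edns 0`) are exactly what an operator would want to spot before validation starts failing. The script below is an added example, not code from this issue or from the Unbound project: it parses lines in the layout of `unbound-control dump_infra` (the field order is assumed from memory of that command's output and the parser only relies on the leading address, zone, and the `ednsknown`/`edns` pairs), flags every host recorded as EDNS-incapable, and lists alternate addresses for the same zone that still have EDNS. The sample lines and RFC 5737 addresses are constructed for the example.

```python
"""Flag forwarders that Unbound's infra cache has marked as not supporting EDNS.

Assumed per-line layout of `unbound-control dump_infra` (constructed here):
  <ip> <zone> ttl N ping N var N rtt N rto N tA N tAAAA N tother N
  ednsknown N edns N delay N lame dnssec N rec N A N other N
Meaning of the two fields this check uses:
  ednsknown 1, edns -1  -> probed, recorded as NOT supporting EDNS (no DO bit sent)
  ednsknown 1, edns 0   -> probed, EDNS version 0 works
  ednsknown 0           -> not probed yet
"""

# Constructed sample: two addresses for the root forwarder, one downgraded.
SAMPLE_DUMP = """\
192.0.2.10 . ttl 840 ping 12 var 3 rtt 24 rto 24 tA 0 tAAAA 0 tother 0 ednsknown 1 edns -1 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.11 . ttl 840 ping 9 var 2 rtt 17 rto 17 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.5 example.test. ttl 500 ping 30 var 5 rtt 50 rto 50 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""


def parse_infra_line(line):
    """Turn one dump_infra line into a dict of ip, zone and integer fields."""
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError("not an infra-cache line: %r" % line)
    entry = {"ip": tokens[0], "zone": tokens[1]}
    i = 2
    while i + 1 < len(tokens):
        key = tokens[i]
        if key == "lame":          # "lame dnssec N" is a two-word key
            key = "lame_dnssec"
            i += 1
            if i + 1 >= len(tokens):
                break
        entry[key] = int(tokens[i + 1])
        i += 2
    return entry


def edns_status(entry):
    """Classify an entry as 'unprobed', 'no-edns' or 'edns0'."""
    if entry.get("ednsknown", 0) != 1:
        return "unprobed"
    return "no-edns" if entry.get("edns", 0) < 0 else "edns0"


def find_edns_downgrades(dump_text):
    """Return [(ip, zone, [alternate ips with working EDNS])] for every host
    the infra cache has recorded as not supporting EDNS."""
    entries = [parse_infra_line(l) for l in dump_text.splitlines() if l.strip()]
    by_zone = {}
    for e in entries:
        by_zone.setdefault(e["zone"], []).append(e)
    findings = []
    for e in entries:
        if edns_status(e) != "no-edns":
            continue
        alternates = [o["ip"] for o in by_zone[e["zone"]]
                      if o["ip"] != e["ip"] and edns_status(o) == "edns0"]
        findings.append((e["ip"], e["zone"], alternates))
    return findings


if __name__ == "__main__":
    # In practice feed `unbound-control dump_infra` output instead of SAMPLE_DUMP.
    for ip, zone, alternates in find_edns_downgrades(SAMPLE_DUMP):
        print("%s (zone %s) marked no-EDNS; validation will fail via this address."
              % (ip, zone))
        if alternates:
            print("  same zone still has EDNS-capable address(es): %s"
                  % ", ".join(alternates))
        else:
            print("  no EDNS-capable alternate address cached for this zone")
```

Running this periodically against real `dump_infra` output gives a log line at the moment an address is downgraded, which is the signal the report says Unbound itself does not emit. Because the cache entry carries a `ttl`, a downgrade that persists beyond it can also be confirmed with `unbound-control flush_infra <ip>` and a re-check, without restarting the resolver.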