Closed javier7570 closed 1 year ago
Hi,
I can't reproduce here as I get answers on both queries (with DNSSEC; ww of course returns NXDOMAIN).
The only problem that I see is that onmessage.whipplehillsites.com
returns NXDOMAIN and that would prevent resolution if both
qname-minimisation: yes
qname-minimisation-strict: yes
are used (not by default).
Not sure why DNSSEC does not work for you; maybe you are getting different answers in your network?
Could it be that the answer you are getting messes up with the NSEC chain and aggressive-nsec: yes (default) concludes that there is no www subdomain? That matches with the observation that you see no outgoing traffic for the second query. In that case you could try with aggressive-nsec: no.
Also increasing verbosity to 4 and trying the same steps could give more insight.
Hi,
If I set aggressive-nsec: no, everything works well.
Thank you very much for your help.
That's good to hear; I do think though that you get a wrong NSEC answer in your case (network) that covers (wrongly) the existing www subdomain.
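The behaviour discussed in the comments above, as an added Python example that is not part of the thread and is not Unbound's code: a simplified model of RFC 8198 aggressive NSEC use with RFC 4034 canonical name ordering. The NSEC records are constructed (the thread never shows the record the reporter actually received), and the names `covers`, `AggressiveNsecCache` and `replay` are hypothetical.

```python
# Simplified model: no signature validation and no wildcard proof.
SYNTHESIZED = "NXDOMAIN (synthesized from cached NSEC)"
UPSTREAM = "sent upstream"

def canon_key(name):
    """RFC 4034 6.1 canonical order: compare lowercased labels right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def covers(owner, next_name, qname):
    """True if the NSEC span (owner, next_name) proves qname does not exist."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:                             # ordinary span inside the zone
        return o < q < n
    # Last NSEC of the chain: next_name is the zone apex, so the span
    # runs from owner to the end of the zone.
    return q > o and q[:len(n)] == n

class AggressiveNsecCache:
    def __init__(self):
        self.nsecs = []                   # cached (owner, next_name) pairs
        self.upstream_queries = []        # what tcpdump would show leaving

    def resolve(self, qname, aggressive=True):
        if aggressive and any(covers(o, n, qname) for o, n in self.nsecs):
            return SYNTHESIZED            # answered from cache, no traffic
        self.upstream_queries.append(qname)
        return UPSTREAM

# Constructed records. CORRECT ends at www, so www is proven to exist.
CORRECT_NSEC = ("mail.gonzaga.org", "www.gonzaga.org")
# WRONG wraps to the apex and therefore spans both ww and www.
WRONG_NSEC = ("mail.gonzaga.org", "gonzaga.org")

def replay(nsec, aggressive):
    """Replay the thread's two queries; return (www answer, upstream queries)."""
    cache = AggressiveNsecCache()
    cache.resolve("ww.gonzaga.org", aggressive)   # typo query goes upstream
    cache.nsecs.append(nsec)                      # NSEC from its NXDOMAIN reply
    answer = cache.resolve("www.gonzaga.org", aggressive)
    return answer, cache.upstream_queries

if __name__ == "__main__":
    for label, nsec, aggr in [("wrong NSEC, aggressive-nsec: yes", WRONG_NSEC, True),
                              ("wrong NSEC, aggressive-nsec: no", WRONG_NSEC, False),
                              ("correct NSEC, aggressive-nsec: yes", CORRECT_NSEC, True)]:
        print(label, "->", replay(nsec, aggr))
```

Only the first case answers www.gonzaga.org without any outgoing query, which matches the tcpdump observation in the report.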
Describe the bug
I have Unbound with DNSSEC installed. In the configuration I only enabled the option:
auto-trust-anchor-file: /usr/local/etc/unbound/root/anchor/root.key
The rest of the config parameters have their default values. I send a request to resolve the domain ww.gonzaga.org (Note that there is an error in the URL). I receive the following response:
This is correct because the URL was wrong and the domain doesn't exist.
But now if I try to resolve the correct domain (www.gonzaga.org), I receive the same response although in this case the domain exists:
I have checked with tcpdump that Unbound is using the cached value from the first query I've made, although I am trying to resolve a different domain.
When DNSSEC is not configured in this second case I see the correct response:
I have seen that if I remove the module validator in the configuration option module-config, the problem doesn't happen.
To reproduce
Steps to reproduce the behavior:
Expected behavior
The expected behavior is that in the second query for www.gonzaga.org, this domain should be resolved as indicated above when DNSSEC is not enabled, instead of returning NXDOMAIN.
System:
unbound -V output:
Configure line:
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1m 14 Dec 2021
Linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues