Package: unbound
Version: 1.9.0-2
Severity: normal

Hi,

when I do a "normal" A query unbound correctly follows a CNAME chain. I.e.:

$ dig @unbound a sip.k-p.at

; <<>> DiG 9.10.3-P4-Debian <<>> @unbound a sip.k-p.at
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48071
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sip.k-p.at.                    IN      A

;; ANSWER SECTION:
sip.k-p.at.             86328   IN      CNAME   sipdir.online.lync.com.
sipdir.online.lync.com. 30      IN      A       52.112.192.139

;; Query time: 17 msec
;; SERVER: ...
;; WHEN: Fri Aug 30 13:31:04 CEST 2019
;; MSG SIZE rcvd: 102

On the other hand, if I do a CNAME query on the same name, unbound will ALSO
follow the chain, which seems to go against RFC1034. Quoting from
https://tools.ietf.org/rfcmarkup?doc=1034#section-3.6.2

    If so, the name server includes the CNAME record in the response and
    restarts the query at the domain name specified in the data field of
    the CNAME record. The one exception to this rule is that queries which
    match the CNAME type are not restarted.

This usually results in a NOERROR answer:

$ dig @unbound cname sip.k-p.at

; <<>> DiG 9.10.3-P4-Debian <<>> @unbound cname sip.k-p.at
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7817
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sip.k-p.at.                    IN      CNAME

;; AUTHORITY SECTION:
online.lync.com.        900     IN      SOA     admin.nsatc.net. dns.level3.net. 1567104145 10800 2700 3600000 900

;; Query time: 827 msec
;; SERVER: ...
;; WHEN: Fri Aug 30 14:34:28 CEST 2019
;; MSG SIZE rcvd: 108

I would expect something like the following (querying a Microsoft DNS
server, which often, not always, works):

$ dig @msdns cname sip.k-p.at

; <<>> DiG 9.10.3-P4-Debian <<>> @msdns cname sip.k-p.at
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44931
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;sip.k-p.at.                    IN      CNAME

;; ANSWER SECTION:
sip.k-p.at.             21159   IN      CNAME   sipdir.online.lync.com.

;; ADDITIONAL SECTION:
sipdir.online.lync.com. 30      IN      A       52.112.192.75
sipdir.online.lync.com. 29      IN      AAAA    2603:1027:0:9::b

;; Query time: 775 msec
;; SERVER: ...
;; WHEN: Fri Aug 30 14:43:00 CEST 2019
;; MSG SIZE rcvd: 119

Thank you for your consideration,

-- 
Robert Bihlmeyer
ASSIST
Arrow ECS Internet Security AG <robert.bihlme...@arrow.com>
A-1100 Wien, Wienerbergstraße 11
Tel: +43 1 370 94 40
Fax: +43 1 370 94 40-333
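
Added example, not part of the original report and not unbound's own code: a small checker that reads dig text output and reports whether a CNAME query was answered with the CNAME itself or was restarted at the target, as described in the report. The verdict strings and function names are hypothetical, the two inputs are condensed from the dig output quoted above, and the rule "SOA owner is not an ancestor of the query name" is an assumption used here as the indicator that the chain was followed.

```python
import re

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")  # owner TTL IN type rdata

def parse_dig(text):
    """Return (qname, qtype, {section: [(owner, type, rdata), ...]})."""
    qname = qtype = section = None
    sections = {}
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"^;; (\w+) SECTION:$", line)
        if head:
            section = head.group(1)
            sections.setdefault(section, [])
        elif section == "QUESTION" and line.startswith(";"):
            parts = line[1:].split()          # e.g. ";sip.k-p.at. IN CNAME"
            if len(parts) == 3:
                qname, qtype = parts[0].lower(), parts[2]
        elif section and (m := RR.match(line)):
            sections[section].append((m.group(1).lower(), m.group(3), m.group(4)))
    return qname, qtype, sections

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def cname_query_verdict(text):
    """Classify the response to a CNAME query (verdict names are hypothetical)."""
    qname, qtype, sec = parse_dig(text)
    if qtype != "CNAME":
        return "not-a-cname-query"
    if any(o == qname and t == "CNAME" for o, t, _ in sec.get("ANSWER", [])):
        return "cname-returned"               # RFC 1034 3.6.2: query not restarted
    soas = [o for o, t, _ in sec.get("AUTHORITY", []) if t == "SOA"]
    if soas and not any(in_zone(qname, z) for z in soas):
        return "restarted-at-target"          # negative answer belongs to another zone
    return "no-cname"

# Sample inputs condensed from the dig output in the report.
UNBOUND = """;; QUESTION SECTION:
;sip.k-p.at. IN CNAME
;; AUTHORITY SECTION:
online.lync.com. 900 IN SOA admin.nsatc.net. dns.level3.net. 1567104145 10800 2700 3600000 900"""
MSDNS = """;; QUESTION SECTION:
;sip.k-p.at. IN CNAME
;; ANSWER SECTION:
sip.k-p.at. 21159 IN CNAME sipdir.online.lync.com."""

if __name__ == "__main__":
    print(cname_query_verdict(UNBOUND), cname_query_verdict(MSDNS))
```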