CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2025/09/15 02:43:51
Modified files:
sbin/unwind : parse.y resolver.c unwind.c unwind.h
Log message:
Disable aggressive-nsec when "force" is in use.
When resolution of a domain is forced to a resolver type, the resolver
might have an nsec chain in its cache that proofs the non-existence of
the domain. With aggressive-nsec enabled (the default in unbound), the
query will then not be forwarded and resolution fails, even if "accept
bogus" is configured.
For example, if one squats on the undelegated tld "foobar":
force forwarder { foobar }
and then typo's it as foobaa:
foo. 86400 IN NSEC food. NS DS RRSIG NSEC
Problem reported by, testing & OK tb
Suggestion to turn off aggressive-nsec by otto
