On Thu, 30 Mar 2023 23:28:37 +0200 Christoph via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
> Hi Petr,
>
> thanks for your reply and your questions.
>
> Petr Menšík via Unbound-users:
> > Correct me if I understand it not correctly. Whether you query CNAME
> > or A record should not make a difference in NXDOMAIN status. But in
> > any case the answer is not there. How does it change ACME process
> > when there is NXDOMAIN and not just no-answer NOERROR response?

There really seems to be an issue in unbound when querying cname.

I created a test record, pointing at another domain, non-existing name.

kdig cnametest.bleve.fi. CNAME
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 46683
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; cnametest.bleve.fi. IN CNAME

;; AUTHORITY SECTION:
bleve.fi. 3462 IN SOA foo-ns.foobar.fi. hostmaster.foobar.fi. 1679142493 28800 7200 864000 28800

;; Received 97 B
;; Time 2023-03-31 11:13:51 EEST
;; From 2001:998:2e::1@53(UDP) in 0.8 ms

If I query from the authoritative server directly, I get the correct answer.

It looks like unbound erroneously tries to follow cname to a non-existing
record even when cname itself is queried. CNAME should only be followed
if something != cname is queried.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
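
Added example (not part of the original message and not Unbound's code): a toy model of the CNAME rule from RFC 1034 section 4.3.2, showing what a CNAME query and an A query for an alias with a missing target should return, and a check that flags the response quoted above. The zone contents, the CNAME target and the function names are assumptions made for illustration.

```python
# Constructed zone data. The owner name comes from the message; the CNAME
# target is a placeholder, because the message does not give the real one.
ZONE = {
    ("cnametest.bleve.fi.", "CNAME"): ["target.example.invalid."],
    ("alias.example.", "CNAME"): ["host.example."],
    ("host.example.", "A"): ["192.0.2.10"],
}


def name_exists(name):
    """True if any record type is stored at this owner name."""
    return any(owner == name for owner, _ in ZONE)


def resolve(qname, qtype, max_chain=8):
    """Return (rcode, answer) for a query against ZONE.

    A CNAME at the current name is followed only when qtype is not CNAME.
    The rcode describes the last name looked up in the chain.
    """
    answer, name = [], qname
    for _ in range(max_chain):
        if (name, qtype) in ZONE:
            answer += [(name, qtype, rdata) for rdata in ZONE[(name, qtype)]]
            return "NOERROR", answer
        if qtype != "CNAME" and (name, "CNAME") in ZONE:
            target = ZONE[(name, "CNAME")][0]
            answer.append((name, "CNAME", target))
            name = target  # restart the lookup at the canonical name
            continue
        # No data of this type here: NODATA if the name exists, else NXDOMAIN.
        return ("NOERROR" if name_exists(name) else "NXDOMAIN"), answer
    return "SERVFAIL", answer  # chain too long or looping


def deviates(qname, qtype, observed_rcode, observed_answer_count):
    """Compare an observed response header with what the model expects."""
    rcode, answer = resolve(qname, qtype)
    return (observed_rcode, observed_answer_count) != (rcode, len(answer))


if __name__ == "__main__":
    for qtype in ("CNAME", "A"):
        print(qtype, resolve("cnametest.bleve.fi.", qtype))
    # Header values from the kdig output in the message: NXDOMAIN, ANSWER: 0.
    print(deviates("cnametest.bleve.fi.", "CNAME", "NXDOMAIN", 0))
```

In this model the CNAME query returns NOERROR with the alias record itself, while the A query returns NXDOMAIN with the CNAME in the answer section, so only the second case involves the missing target.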