Hi Jaime,

Unbound was/is lenient on CNAMEs in NS records by design.
Since it will have to start a resolution attempt at that point, it does
not matter if it is for a CNAME or not.

Also the text in that section of the RFC 2181 could be interpreted as
targeting the auth side (servers, zone editors), at least by me now that
I read it again.

I believe Unbound was/is like that to try and resolve in such a case
that garbage-in was encountered.

Best regards,
-- Yorgos


On 19/01/2026 18:15, Jaime Hablutzel via Unbound-users wrote:
In https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html you indicate compliance with RFC 2181, which forbids NS records to point to CNAME records:

10.3. MX and NS records
The domain name used as the value of a NS resource record, or part of the value of a MX resource record must not be an alias.

But Unbound is currently supporting NS records pointing to CNAME records, following them in the regular way.

Is this by design or is it a bug?

For reference, BIND9 generates a SERVFAIL in such cases (https://groups.google.com/g/comp.protocols.dns.bind/c/MGJHdh7TSS4).
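
As an added example (not part of the thread and not Unbound's or BIND9's code), a zone-side check for the RFC 2181 section 10.3 rule quoted above: it flags NS and MX targets that own a CNAME in the same data. The zone text is constructed, and the one-record-per-line format with fully qualified names is an assumption; aliases defined outside the supplied data are not detected.

```python
# Added example: lint zone data for RFC 2181 section 10.3 violations
# (NS or MX target that is an alias). SAMPLE_ZONE is constructed sample data.
SAMPLE_ZONE = """\
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN NS    ns-alias.example.test.
example.test.          3600 IN MX    10 mail.example.test.
ns1.example.test.      3600 IN A     192.0.2.1
ns-alias.example.test. 3600 IN CNAME ns1.example.test.  ; alias used as NS target
mail.example.test.     3600 IN CNAME mx.provider.test.  ; alias used as MX target
www.example.test.      3600 IN CNAME web.example.test.  ; ordinary alias, fine
"""

def norm(name):
    """Compare names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_records(text):
    """Parse 'owner ttl class type rdata...' lines (assumed simplified format)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected owner ttl class type rdata")
        records.append((norm(fields[0]), fields[3].upper(), fields[4:]))
    return records

def find_alias_targets(text):
    """Return (owner, type, target) for every NS/MX whose target owns a CNAME."""
    records = parse_records(text)
    aliases = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "NS":
            target = norm(rdata[0])
        elif rtype == "MX" and len(rdata) >= 2:
            target = norm(rdata[1])  # rdata[0] is the preference value
        else:
            continue
        if target in aliases:
            findings.append((owner, rtype, target))
    return findings

if __name__ == "__main__":
    for owner, rtype, target in find_alias_targets(SAMPLE_ZONE):
        print(f"{owner} {rtype} -> {target} is a CNAME (RFC 2181 section 10.3)")
```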
