Hi Alex,

QNAME minimisation was indeed not taken into consideration in the caps-for-id fallback code. I committed a fix that should make it work.

Thanks,
-- Ralph

On 31-07-18 08:22, Alex Zorin via Unbound-users wrote:
> Hi,
>
> Came across the curious case of a domain that appears to cause Unbound to
> compare responses of different qtypes in process_response during caps-for-id
> fallback.
>
> This can be reproduced with Unbound 1.7.3 with qname-minimization (strict),
> and use-caps-for-id.
>
> $ unbound-host git.shifudao.com -t caa -v -C /usr/local/etc/unbound/unbound.conf -d -4
>
> Adding some logging within this scope:
> https://github.com/NLnetLabs/unbound/blob/8aa53f027d125a586796caeee2829ec8a18dd020/iterator/iterator.c#L3547
>
> log_dns_msg("response response->rep:",
>     &iq->response->qinfo, iq->response->rep);
> log_dns_msg("response caps_reply:",
>     &iq->response->qinfo, iq->caps_reply);
>
>
> shows what appears to be Unbound comparing a CAA response
> (iq->response->rep) to an unrelated A response (iq->caps_reply) that appears
> to be involved due to qname-minimization.
>
> Since the two responses differ in their answer/authority, caps-for-id
> fallback fails and this results in a SERVFAIL.
>
> Output from working caps-for-id fallback: https://id-rsa.pub/good
> Output from failing caps-for-id fallback: https://id-rsa.pub/bad
>
> Any guidance?
>
> Thank you
>
> Alex
>
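The failure mode reported in this thread, as an added example: a simplified C model that is neither Unbound's code nor the fix that was committed. The struct and function names, the `example.com` names and the sample replies are all constructed for illustration, and the guard shown is only one hypothetical way to keep replies to different questions from being compared.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Unbound's data structures. */
enum { QTYPE_A = 1, QTYPE_CAA = 257 };
enum verdict { ACCEPT, SERVFAIL };
struct reply { const char *qname; int qtype; const char *answer; };
struct fallback_state { const struct reply *caps_reply; };
typedef enum verdict (*comparator)(struct fallback_state *, const struct reply *);

/* Reported behaviour: the first reply seen during fallback is stored and
 * every later reply is compared with it, whatever question it answers. */
enum verdict compare_naive(struct fallback_state *st, const struct reply *r) {
    if (!st->caps_reply) { st->caps_reply = r; return ACCEPT; }
    return strcmp(st->caps_reply->answer, r->answer) == 0 ? ACCEPT : SERVFAIL;
}

/* Hypothetical guard: a stored reply for a different qname/qtype is
 * discarded, so only answers to the same question are compared.
 * Names are assumed to be lowercased already. */
enum verdict compare_guarded(struct fallback_state *st, const struct reply *r) {
    const struct reply *c = st->caps_reply;
    if (c && (c->qtype != r->qtype || strcmp(c->qname, r->qname) != 0))
        st->caps_reply = NULL;
    return compare_naive(st, r);
}

/* Run a reply sequence through a comparator and return the final verdict. */
enum verdict run(comparator cmp, const struct reply *seq, int n) {
    struct fallback_state st = { NULL };
    for (int i = 0; i < n; i++)
        if (cmp(&st, &seq[i]) == SERVFAIL) return SERVFAIL;
    return ACCEPT;
}

/* Constructed sample: one minimised A lookup, then two matching CAA replies. */
const struct reply MINIMISED[] = {
    { "example.com.",     QTYPE_A,   "192.0.2.1" },
    { "git.example.com.", QTYPE_CAA, "" },
    { "git.example.com.", QTYPE_CAA, "" },
};
/* Constructed sample: two servers that really disagree on the CAA answer. */
const struct reply DISAGREE[] = {
    { "git.example.com.", QTYPE_CAA, "0 issue \"ca.example\"" },
    { "git.example.com.", QTYPE_CAA, "" },
};

int main(void) {
    printf("naive=%d guarded=%d\n", run(compare_naive, MINIMISED, 3),
           run(compare_guarded, MINIMISED, 3));
    return 0;
}
```

In this model the guarded comparator still returns SERVFAIL when two replies to the same question differ, so the protection the fallback comparison provides is kept.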
