2 auth zones: cname expansion?

Hi!

I've 2 auth-zones with unbound, and one points to another
with a CNAME. This doesn't work: unbound only returns the
CNAME itself, not including the A record of the CNAME target.
When the second zone is a forward zone, it returns both records.

i.e.,

  a.example.net cname a.example.com
  a.example.com a 127.0.0.1

when both zones are auth-zones, a query for a.example.net
returns just the CNAME record. But when example.com is a
forward zone, the same query returns both records as it
should.

Is it a bug or a feature? :)

Hmm. I just realized we're running a somewhat old version
of unbound, 1.13 (on current Debian stable), while the
current version is 1.15. I'll take a look at what has changed
in there.

Thanks,

/mjt


And ofc. I mixed them up. When the FIRST zone, with the CNAME,
is an auth-zone, there's no recursive CNAME expansion. In this
case, if example.NET is an auth-zone, it doesn't work, but if
example.NET is a forward zone, it works.


And 1.15 behaves exactly the same way.

/mjt

I think those two are actually the same, a bug and a feature. This also happens
if you have two auth zones and one has a CNAME pointing at the other.

The work-around is quite complicated. It requires you not to run
auth-zones as you do now; you need to use the cache for the auth zone for this
to work. So this only works if you configure it like this:

auth-zone:
        name: "example.net"
        fallback-enabled: yes
        for-downstream: no      # do not answer downstream clients directly from the zone data
        for-upstream: yes       # use the zone data instead of querying upstream
        primary: 192.168.1.1
        zonefile: "/var/lib/unbound/example.net"

stub-zone:
        name: "example.net"
        stub-addr: 192.168.1.1

And no, I don't like that, but that is the way to make it work. Now the
problem is that auth-zone updates are not immediate: the TTL of a record must
first expire before it is updated in the cache. Check the documentation of
auth-zone and the for-downstream and for-upstream options.

And you actually need stub-addr too, to make sure there won't be cache
poisoning from the net zone with NXDOMAIN.
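To see on the wire what the thread describes, here is a small checker, added as an example and not code from the posts above or from Unbound: it parses the answer section of a raw DNS reply and lists every CNAME target that has no record of its own in that answer, which is what the auth-zone reply in the first message looks like and what a reply after the work-around should no longer show. The function and sample names are chosen here, and the two sample replies are constructed inline so the check runs without a resolver.

```python
import struct
def _name(n):                                        # dotted name -> wire format, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def build_response(qname, answers):
    """Constructed sample reply: header, one A question, then the given answer RRs."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += _name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        rd = _name(rdata) if rtype == 5 else bytes(int(x) for x in rdata.split("."))
        msg += _name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg
def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii").lower())
        off += 1 + ln
    return ".".join(labels), (off + 1 if end is None else end)
def parse_answers(msg):
    """Return [(owner, rtype, rdata)] for every RR in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                              # skip the question section
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]                 # raw rdata unless decoded below
        if rtype == 5:                               # CNAME: a (possibly compressed) name
            rdata = read_name(msg, off)[0]
        elif rtype == 1:                             # A: four octets
            rdata = ".".join(str(b) for b in rdata)
        out.append((owner, rtype, rdata))
        off += rdlen
    return out
def unresolved_cnames(records):
    """CNAME targets with no RR of their own in the answer: the chain was not chased."""
    owners = {owner for owner, _, _ in records}
    return [t for owner, rtype, t in records if rtype == 5 and t not in owners]

# Constructed samples mirroring the thread: the auth-zone reply vs. the expected full reply.
CNAME_ONLY = build_response("a.example.net", [("a.example.net", 5, "a.example.com")])
FULL = build_response("a.example.net", [("a.example.net", 5, "a.example.com"), ("a.example.com", 1, "127.0.0.1")])
```

To check a live resolver, hand parse_answers the raw payload of a reply (for example the UDP payload of an answer captured with tcpdump); a non-empty result from unresolved_cnames means the CNAME was not chased.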