CNAME, DNSSEC & qname minimisation

Alexandre_Wicquart · August 13, 2018, 3:58pm

Hello,

I have an issue with cname since this patch : https://github.com/NLnetLabs/unbound/commit/2be0263dfa72f314c4cb61599f1ec7e90784da9c

I’m using unbound 1.7.3 with qname-minimisation: yes and the problem only occurs if i ask for a CNAME on a domain having DNSSEC activated. Most of the time i get a SERVFAIL.

— Example —

~ # dig cname pcs-cname.eyof.ovh

; <<>> DiG 9.10.3-P4-Debian <<>> cname pcs-cname.eyof.ovh
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28362
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pcs-cname.eyof.ovh. IN CNAME

;; Query time: 770 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Mon Aug 13 17:50:32 CEST 2018
;; MSG SIZE rcvd: 47

Ralph_Dolmans · August 17, 2018, 12:54pm

Hi Alex,

As mentioned in the bugzilla ticket wrt this issue
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4147): I just
committed a fix that should resolve this bug.

Thanks again for reporting!,

-- Ralph