I’m seeing unbound making extra resolution requests for CNAME records in a chain where the domains differ between the record in the question and the CNAMEs in the answer. For example a query coming into unbound for a host like a.b.c.com that gets a response from the server with CNAME a.b.e.com, CNAME a.d.e.com, A 1.2.3.4. Instead of returning those immediately to the client unbound proceeds to resolve a.b.e.com and a.c.e.com, and then return to the client. From the logs, when verbose logging is turned on we see messages like:
info: sanitize: removing extraneous answer RRset: a.b.e.com. CNAME IN
Our unbound config is fairly simple with a forward-zone for “.” pointing to our upstream DNS servers. We don’t have DNSSEC enabled.