[dns-operations] why does that domain resolve?

Paul Wouters paul at nohats.ca
Wed Jun 9 17:31:29 UTC 2021

On Mon, 7 Jun 2021, Benno Overeinder wrote:

> Unbound prefers the child side name servers, but if they do not answer, tries 
> to use the parent-side name servers.
> A little more detail, Unbound would on first resolve use the parent side 
> servers.  On the second resolve, Unbound has the child-side name server data, 
> and lookups ns1.example.com and gets an answer from the IANA example servers. 
> Then tries to send packets to them, getting failure answers.  Then tries the 
> parent-side names servers as fall back.

And then there is harden-referral-path=yes which does insist on checking
the NS RRset at the child at least for DNSSEC signed zones. It's been
enabled for as long as I can remember in fedora/centos/rhel.


More information about the dns-operations mailing list