[dns-operations] why does that domain resolve?
paul at nohats.ca
Wed Jun 9 17:31:29 UTC 2021
On Mon, 7 Jun 2021, Benno Overeinder wrote:
> Unbound prefers the child side name servers, but if they do not answer, tries
> to use the parent-side name servers.
> A little more detail, Unbound would on first resolve use the parent side
> servers. On the second resolve, Unbound has the child-side name server data,
> and lookups ns1.example.com and gets an answer from the IANA example servers.
> Then tries to send packets to them, getting failure answers. Then tries the
> parent-side names servers as fall back.
And then there is harden-referral-path=yes which does insist on checking
the NS RRset at the child at least for DNSSEC signed zones. It's been
enabled for as long as I can remember in fedora/centos/rhel.
More information about the dns-operations