| CARVIEW |
Select Language
HTTP/2 200
date: Tue, 15 Jul 2025 16:21:05 GMT
content-type: text/html; charset=utf-8
cache-control: max-age=0, private, must-revalidate
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
link: ; rel=preload; as=fetch; crossorigin=use-credentials
referrer-policy: no-referrer-when-downgrade
server-timing: issue_layout-fragment;desc="issue_layout fragment";dur=239.287618,issue_conversation_content-fragment;desc="issue_conversation_content fragment";dur=807.888442,issue_conversation_sidebar-fragment;desc="issue_conversation_sidebar fragment";dur=54.118896,nginx;desc="NGINX";dur=1.57385,glb;desc="GLB";dur=98.393794
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept,Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-voltron-version: 6a3bf42
x-xss-protection: 0
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=TkhOr%2FaUMUNwdb5WaMCRouzJ6n%2BkIyNMpcMkbW0LPv4cBZPfFTRaDZnYTQkJBLGeihY0vycyrJzI1id3EzrtOuwjhxSUHF9anONwEzj%2BhEmqfMWBnbizsiRdRdYlrsTQ7ChS778dmxeBdgPDg7CuKaj5bgBTBD8K7BpUDOyZqK%2F%2BHryyfToBunqVe10xFDq2Cfm1EVLkdxOqmVV7QY5v6joFSAp6VLQwMtvimH4xOWbZ7akLv4Wtshm2FUBCySgGiy7%2FQVutcICASk0dy9OKkw%3D%3D--sYB3IZQD%2FpyoqO%2B3--he9809HRxLM4e7SxqOIgDg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.2040514156.1752596464; Path=/; Domain=github.com; Expires=Wed, 15 Jul 2026 16:21:04 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Wed, 15 Jul 2026 16:21:04 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: EC32:3229BD:379D0:41DB0:68767FF0
NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record · Issue #870 · NLnetLabs/unbound · GitHub
No one assignedNo labelsNo typeNo projectsNo milestoneNone yetNo branches or pull requests
Skip to content
Navigation Menu
{{ message }}
-
-
Notifications
You must be signed in to change notification settings - Fork 397
Closed
Description
Describe the bug
Unbound answers to a CNAME query with NXDOMAIN instead of NOERROR but includes the actual existing record as well.
Actual expected rcode: NOERROR
Also: When asked for a CNAME, unbound asks the authoritative NS for an A record.
Actual expected qtype: CNAME
To reproduce
Steps to reproduce the behavior:
- start unbound so it has an empty cache when the query reaches unbound (config is provided at the end of this bugreport)
- ask unbound for this existing CNAME DNS record
dig _acme-challenge.bender-doh.applied-privacy.net CNAME-> NXDOMAIN - ask unbound again without flushing the cache first, you will get a NOERROR rcode
Others on the mailing list have confirmed seeing the same issue.
While looking into the PCAP files from stub -> unbound and unbound -> authoritative, I also noticed that the CNAME query send to unbound results in unbound asking the authoritative for an A record - which does
not existing. This mismatch in inbound and outbound qtype might be
related to the root cause of the bug.
Expected behavior
unbound should ask the authoritative nameserver for a CNAME record not an A record.
unbound should answer with an NOERROR rcode for existing CNAMEs - like other resolvers do (for example PowerDNS Recursor).
System:
- Unbound version:
pkg info unbound
unbound-1.17.1_2
Name : unbound
Version : 1.17.1_2
Installed on : Sat Feb 18 22:20:01 2023 CET
Origin : dns/unbound
Architecture : FreeBSD:13:amd64
- OS: FreeBSD 13.1
unbound -Voutput:
Version 1.17.1
Configure line: --with-libexpat=/usr/local --with-ssl=/usr --enable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd13.1
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1o-freebsd 3 May 2022
Linked modules: dns64 dynlib respip validator iterator
DNSCrypt feature available
Additional information
Mailing list discussions:
-
unbound-users: https://lists.nlnetlabs.nl/pipermail/unbound-users/2023-March/008049.html
-
powerdns-users: https://mailman.powerdns.com/pipermail/pdns-users/2023-March/028156.html
-
lego github issue: lego tries to read non-CNAMED record with LEGO_EXPERIMENTAL_CNAME_SUPPORT enabled go-acme/lego#1739
unbound.conf
server:
verbosity: 0
access-control: 109.70.100.0/24 allow
access-control: ::1/128 allow
access-control: 127.0.0.1/24 allow
edns-tcp-keepalive: yes
incoming-num-tcp: 200
# plain UDP
interface: 127.0.0.1@53
interface: ::1@53
interface: 109.70.100.133@53
num-threads: 2
msg-cache-size: 100m
rrset-cache-size: 200m
key-cache-size: 10m
neg-cache-size: 10m
harden-below-nxdomain: yes
minimal-responses: yes
prefetch: yes
prefetch-key: yes
aggressive-nsec: yes
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
qname-minimisation: yes
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
extended-statistics: yes
statistics-cumulative: no
statistics-interval: 0
remote-control:
control-enable: yes
# root on loopback
auth-zone:
name: "."
master: "k.root-servers.net"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "root.zone"
Metadata
Metadata
Assignees
Labels
No labels
Type
Projects
Milestone
Relationships
Development
Issue actions
You can’t perform that action at this time.