On Mon, 7 Jun 2021, Benno Overeinder wrote:
> Unbound prefers the child side name servers, but if they do not answer, tries
> to use the parent-side name servers.
>
> A little more detail: Unbound would on first resolve use the parent side
> servers. On the second resolve, Unbound has the child-side name server data,
> and looks up ns1.example.com and gets an answer from the IANA example servers.
> Then tries to send packets to them, getting failure answers. Then tries the
> parent-side name servers as fallback.

And then there is harden-referral-path=yes which does insist on checking
the NS RRset at the child at least for DNSSEC signed zones. It's been
enabled for as long as I can remember in fedora/centos/rhel.
Paul
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations