> Also stop hiding this > breakage. Knot and unbound ignore the NSEC records which trigger > this when synthesising. All it does is push the problem down the > road and makes it harder for others to do proper synthesis based > on the records returned.
I did some tests with unbound (version 1.13.1-1 on Debian Bullseye). For types other than 'A', the behavior is quite simple: if both DNSSEC validation (auto-trust-anchor-file) and aggressive-nsec are enabled then unbound will synthesize NODATA based on a cached NSEC record. Both are off by default. For A records the situation is more complex. If qname-minimisation is off, then the same applies to A records. However if qname-minimisation is on (and it is on the default) then unbound will internally generate A record queries. So the A record will be cached before the NSEC record. So in the case of Slack, anybody who enabled both DNSSEC validation and aggressive-nsec would probably not have seen a failure due to the broken NSEC records because qname-minimisation is on by default. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
