On 08/06/2026 08.35, Jiri Masek via knot-resolver-users wrote:
> Vladimír Čunát wrote:
>> Sure, when it's configured with authoritative: false, we have RD=1
>> and the target server is obliged to follow CNAME chains to the end.
>> When it doesn't, it looks like the CNAME leads to a NODATA (and perhaps
>> it forgot to add SOA there), so that's how we interpret it now.
>
> This is not entirely true from my testing. Or maybe I am missing
> something. authoritative: false, dnssec: true causes knot-resolver
> (6.3.0 to be precise) to follow CNAMEs (does "whole resolver" job).
> But it uses that aggressive cache.
With (expected) DNSSEC validation we sometimes do follow individual
CNAME jumps to simplify our validation work. (because our original
validator wasn't able to correctly check a response which combined
proofs from multiple DNS zones in a single reply from upstream)