On 08/06/2026 08.35, Jiri Masek via knot-resolver-users wrote:
Vladimír Čunát wrote:
Sure, when it's configured with authoritative: false, we have RD=1
and the target server is obliged to follow CNAME chains to the end. 
When it doesn't, it looks like the CNAME leads to a NODATA (and perhaps
it forgot to add SOA there), so that's how we interpret it now.
This is not entirely true from my testing. Or maybe I am missing something. authoritative: false, dnssec: true causes knot-resolver (6.3.0 to be precise) to follow CNAMEs (does the "whole resolver" job). But it uses that aggressive cache.

With (expected) DNSSEC validation we sometimes do follow individual CNAME jumps to simplify our validation work (because our original validator wasn't able to correctly check a response which combined proofs from multiple DNS zones in a single reply from upstream).
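
A simplified model of the interpretation discussed in this thread, added here as an illustration and not Knot Resolver's own code: it walks the ANSWER section of an upstream reply from the query name and reports whether the CNAME chain ends in data of the requested type or stops at a CNAME with nothing behind it, which is the case read as NODATA (with or without an SOA). The `RR` tuple, the `classify` function and the sample records are constructed for this example.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str
    rtype: str
    rdata: str

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def classify(qname, qtype, answer, authority=(), max_hops=16):
    """Follow CNAMEs inside one reply and say how the chain ends."""
    rrsets = {}
    for rr in answer:
        rrsets.setdefault((norm(rr.owner), rr.rtype), []).append(rr)
    soa = any(rr.rtype == "SOA" for rr in authority)
    name, chain = norm(qname), []

    def verdict(result):
        # dangling_cname: at least one CNAME was followed but no data was found
        return {"result": result, "chain": chain, "soa": soa,
                "dangling_cname": result == "NODATA" and bool(chain)}

    for _ in range(max_hops):
        if (name, qtype) in rrsets:
            return verdict("ANSWER")
        cname = rrsets.get((name, "CNAME"))
        if cname is None:
            # Chain stops here without an RRset of qtype: treated as NODATA,
            # even when the upstream did not include an SOA.
            return verdict("NODATA")
        target = norm(cname[0].rdata)
        if target == norm(qname) or target in chain:
            return verdict("LOOP")
        chain.append(target)
        name = target
    return verdict("TOO_LONG")

# Constructed sample replies (documentation names and addresses only).
COMPLETE = [RR("www.example.com.", "CNAME", "host.example.net."),
            RR("host.example.net.", "A", "192.0.2.1")]
DANGLING = [RR("www.example.com.", "CNAME", "host.example.net.")]

if __name__ == "__main__":
    for label, answer in (("complete", COMPLETE), ("dangling", DANGLING)):
        print(label, classify("www.example.com", "A", answer))
```

Running a captured reply from a forwarding target through a check like this shows quickly whether the upstream is chasing CNAMEs to the end as RD=1 requires.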