The suggested configuration almost works :-) But testing shows every variant has its own set of
imperfections.
authoritative: false
dnssec: false
Does the trick. But it also "disables the resolver function" - it does not follow CNAME
responses (for authoritative-only answers, but that is done by that policy.STUB which it
triggers). Suddenly I would need a resolver for a resolver. That kind of defeats the purpose
of that first resolver.
authoritative: true
dnssec: false
Seems to trigger policy.FORWARD, BUT sets RD=0. So when the query hits the "Internet-only
resolver" it creates another issue.
This way of having just two knobs to adjust forwarding is a very unfortunate solution from
my point of view. Having more control would really help. There are many possibilities to make it
more flexible: having control over that "aggressive caching" (globally, for
insecure domains, or having both options), options to control forwarding behavior (setting
that RD flag if the default is not good enough, and/or saying whether CNAME responses should be
chased).
Should I create an issue? I can't fix it, but I can test it. But I believe there are
many similar ones I already found. One example, for the cache, is #429
https://gitlab.nic.cz/knot/knot-resolver/-/work_items/429
I am aware that my setup is "broken" in many ways. The thing is, it has been
there for ages (so it is hard to change) and other resolvers (BIND,
unbound) can handle it well "by default".
Regards,
Jiri Masek
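A check for the two symptoms described in the message above (a forwarded query sent with RD=0, and an answer that stops at a CNAME that was not chased), as an added example that is not part of the original post or of Knot Resolver. It parses DNS wire-format messages and runs offline on packets constructed inline; the names (www.example.net, cdn.example.org) and the address 192.0.2.10 are made up. On a live setup the same `report()` function can be fed the raw bytes of a query captured on the upstream ("Internet-only") resolver or of a response returned by the forwarding resolver.

```python
"""Inspect DNS wire-format messages for the two symptoms described in the post:
a forwarded query sent with RD=0, and an answer that stops at a CNAME without
the final target's address record (CNAME not chased). Added example, not code
from the original post or from Knot Resolver. Sample packets are constructed
inline; the names and the 192.0.2.10 address are made up."""
import struct

A, CNAME, AAAA = 1, 5, 28            # RR type codes used below
QR, RD, RA = 0x8000, 0x0100, 0x0080  # header flag bits


def _read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build(flags, question, answers=()):
    """Assemble an uncompressed DNS message (used here only to construct samples)."""
    qname, qtype = question
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers:
        data = _encode_name(rdata) if rtype == CNAME else rdata
        msg += _encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(data)) + data
    return msg


def parse(msg):
    """Return header flags plus the question and answer sections of a message."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            rdata, _ = _read_name(msg, off)        # target may use compression
        elif rtype == A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, rdata))
    return {"qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def answer_reaches_target(parsed):
    """Follow CNAMEs from the question name; True if the answer section holds a
    record of the queried type for the end of the chain (i.e. the CNAME was chased)."""
    qname, qtype = parsed["questions"][0]
    cnames = {n: t for n, r, t in parsed["answers"] if r == CNAME}
    name, seen = qname, set()
    while name in cnames and name not in seen:     # guard against CNAME loops
        seen.add(name)
        name = cnames[name]
    return any(n == name and r == qtype for n, r, _ in parsed["answers"])


def report(msg):
    """Summarise what a forwarding resolver did with one message."""
    p = parse(msg)
    if not p["qr"]:
        return {"kind": "query", "rd": p["rd"]}
    return {"kind": "response", "rd": p["rd"], "ra": p["ra"], "rcode": p["rcode"],
            "answer_reaches_target": answer_reaches_target(p)}


# Constructed samples: what each of the two variants discussed above would produce.
QUERY_RD0 = build(0, ("www.example.net", A))                 # forwarded with RD=0
QUERY_RD1 = build(RD, ("www.example.net", A))                # what the upstream expects
RESP_UNCHASED = build(QR | RD | RA, ("www.example.net", A),
                      [("www.example.net", CNAME, "cdn.example.org")])
RESP_CHASED = build(QR | RD | RA, ("www.example.net", A),
                    [("www.example.net", CNAME, "cdn.example.org"),
                     ("cdn.example.org", A, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, m in [("query RD=0", QUERY_RD0), ("query RD=1", QUERY_RD1),
                     ("CNAME not chased", RESP_UNCHASED), ("CNAME chased", RESP_CHASED)]:
        print(f"{label:18} {report(m)}")
```

A query with `rd` False seen on the upstream resolver is the RD=0 symptom; a response where `answer_reaches_target` is False although the question was for an A/AAAA record is the unchased CNAME symptom. The parser follows compression pointers, so bytes taken from a packet capture can be passed in unchanged.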