Vladimír Čunát wrote:
> Sure, when it's configured with authoritative: false, we have RD=1
> and the target server is obliged to follow CNAME chains to the end.
> When it doesn't, it looks like the CNAME leads to a NODATA (and perhaps
> it forgot to add SOA there), so that's how we interpret it now.

This is not entirely true from my testing. Or maybe I am missing something.
authoritative: false, dnssec: true causes knot-resolver (6.3.0 to be precise)
to follow CNAMEs (it does the "whole resolver" job). But it uses that
aggressive cache.

That is why I see those two knobs as not good enough and (for me) unintuitive.
I agree that "sane defaults" is the golden standard. But sometimes it is not
enough. What about giving some options in the Lua section for advanced users?
For example, allowing something like:

    policy.add(policy.all(policy.FLAGS({'NOSTUB'})))