Bug #12946


Unbound will not resolve long CNAME chains

Added by Steve Boyle about 2 years ago. Updated about 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
% Done: 0%
Release Notes: Default

Description

This relates to Bug #11595. Also documented with the Unbound team, https://github.com/NLnetLabs/unbound/issues/438.

pfSense calls this an upstream issue and will not take action. The upstream project, Unbound, has also decided to not address this issue (or addressed it minimally in a way that does not solve the issue).

This means that pfSense users that use Microsoft Office365 cannot continuously use Unbound for name resolution, because SERVFAIL does not work. End users cannot control what Microsoft or its CDN providers do with names and resolution.

If both pfSense and Unbound refuse any further changes in this area, then pfSense needs a different option for DNS resolution beyond Unbound. pfSense needs a DNS resolver option that works with modern cloud service providers. Unbound is not serving pfSense users well.


Related issues

Is duplicate of Bug #11595: Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit (Not a Bug, 03/02/2021)

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Duplicate

Duplicate of #11595

We can't take on the technical debt that would come with carrying custom patches for this forever. The pull request to add the configuration parameter is still open (https://github.com/NLnetLabs/unbound/pull/461), the Unbound developers haven't rejected it upstream. Getting more people who are affected to request that may help, but since it seems to vary by CDN region, it may be difficult to find a lot of people affected the same way, especially with the new higher limit in Unbound. For starters, convince the original PR author to update their patch as it has conflicts and doesn't apply cleanly.

It is not universally broken for everyone in the problem scenario, it's only affecting a subset of users of certain CDN services. It's not correct to say "pfSense users that use Microsoft Office365 cannot continuously use Unbound for name resolution", as there are plenty of people doing so successfully. Perhaps not in the same region as you, however.

There is already an alternate DNS service available on pfSense, the DNS Forwarder. There is also the BIND package, which can also be set up in various roles.
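The failure mode both tickets describe (a resolver that gives up with SERVFAIL once a CNAME chain needs more restarts than its hardcoded limit allows), simulated as an added example. This is my own illustration, not Unbound or pfSense code: the zone data is constructed, the hostnames are made up, the default limit of 8 is the value named in Bug #11595, and the alternative value 16 is an arbitrary stand-in for whichever higher limit a newer Unbound ships with. The last helper counts CNAME records in `dig +noall +answer` output so an affected user can measure how long a real chain is before comparing it against the limit.

```python
"""Simulate CNAME-chain following with a restart limit, and measure chain length.

Constructed example for the pfSense/Unbound SERVFAIL discussion; not project code.
"""
import re
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]  # (rrtype, rdata); one record per owner name is enough here


def make_chain_zone(hops: int, apex: str = "svc.example.test.",
                    address: str = "192.0.2.10") -> Dict[str, RR]:
    """Build a constructed zone whose apex needs `hops` CNAME lookups before
    reaching an A record. The names imitate CDN-style aliasing but are made up."""
    zone: Dict[str, RR] = {}
    name = apex
    for i in range(hops):
        target = f"hop{i}.cdn-edge.example.test."  # hypothetical CDN hostname
        zone[name] = ("CNAME", target)
        name = target
    zone[name] = ("A", address)
    return zone


def resolve(zone: Dict[str, RR], qname: str,
            max_cnames: int = 8) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Follow CNAMEs from qname and return (rcode, records collected so far).

    A chain needing more than max_cnames restarts, or a CNAME loop, yields
    SERVFAIL instead of an answer, which is the behaviour the bug reports.
    """
    answers: List[Tuple[str, str, str]] = []
    seen = set()
    restarts = 0
    name = qname
    while True:
        if name in seen:                       # CNAME loop: never resolvable
            return "SERVFAIL", answers
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return "NXDOMAIN", answers
        rtype, rdata = rr
        answers.append((name, rtype, rdata))
        if rtype != "CNAME":
            return "NOERROR", answers          # reached the terminal record
        restarts += 1
        if restarts > max_cnames:              # hardcoded-limit failure mode
            return "SERVFAIL", answers
        name = rdata


def cname_chain_length(zone: Dict[str, RR], qname: str) -> Optional[int]:
    """Count CNAME hops from qname to a non-CNAME record with no limit applied.
    Returns None if the chain dead-ends or loops."""
    seen = set()
    hops = 0
    name = qname
    while True:
        if name in seen:
            return None
        seen.add(name)
        rr = zone.get(name)
        if rr is None:
            return None
        if rr[0] != "CNAME":
            return hops
        hops += 1
        name = rr[1]


# Matches one answer-section line of `dig +noall +answer`: name TTL IN TYPE RDATA
DIG_ANSWER_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")


def count_cnames_in_dig_answer(text: str) -> int:
    """Count CNAME records in captured dig output. Run dig against a resolver
    that does follow the whole chain (e.g. the DNS Forwarder), since a resolver
    that hits its limit returns SERVFAIL and shows no chain at all."""
    count = 0
    for line in text.splitlines():
        m = DIG_ANSWER_LINE.match(line.strip())
        if m and m.group(2) == "CNAME":
            count += 1
    return count


# Constructed dig output (three CNAMEs then an A), not a real capture.
CONSTRUCTED_DIG_ANSWER = (
    "mail.example.test.\t300\tIN\tCNAME\thop0.cdn-edge.example.test.\n"
    "hop0.cdn-edge.example.test.\t60\tIN\tCNAME\thop1.cdn-edge.example.test.\n"
    "hop1.cdn-edge.example.test.\t60\tIN\tCNAME\thop2.cdn-edge.example.test.\n"
    "hop2.cdn-edge.example.test.\t30\tIN\tA\t192.0.2.10\n"
)


if __name__ == "__main__":
    for hops in (8, 9):
        zone = make_chain_zone(hops)
        for limit in (8, 16):
            rcode, _ = resolve(zone, "svc.example.test.", max_cnames=limit)
            print(f"{hops} CNAMEs with limit {limit}: {rcode}")
    print("CNAMEs in constructed dig output:",
          count_cnames_in_dig_answer(CONSTRUCTED_DIG_ANSWER))
```

Running it shows an 8-hop chain succeeding under the limit of 8 while a 9-hop chain fails with SERVFAIL and only succeeds once the limit is raised. To check a real name, capture `dig +noall +answer <name> @<forwarder-address>` from a resolver that completes the chain and feed the text to `count_cnames_in_dig_answer`; if the count exceeds the limit of the Unbound version in use, that name will hit the behaviour described in these tickets.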

Actions #2

Updated by Jim Pingle about 2 years ago

  • Is duplicate of Bug #11595: Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit added