Bug #12946
closed
Unbound will not resolve long CNAME chains
Added by Steve Boyle about 2 years ago.
Updated about 2 years ago.
Description
This is relates to Bug #11595. Also documented with the Unbound team, https://github.com/NLnetLabs/unbound/issues/438.
pfSense calls this an upstream issue and will not take action. The upstream project, Unbound, has also decided to not address this issue (or addressed it minimally in a way that does not solve the issue).
This means that pfSense users that use Microsoft Office365 cannot continuously use Unbound for name resolution, because SERVFAIL does not work. End users cannot control what Microsoft or its CDN providers do with names and resolution.
If both pfSense and Unbound refuse any further changes in this area, then pfSense needs a different option for DNS resolution beyond Unbound. pfSense needs a DNS resolver option that works with modern cloud service providers. Unbound is not serving pfSense users well.
- Status changed from New to Duplicate
Duplicate of #11595
We can't take on the technical debt that would come with carrying custom patches for this forever. The pull request to add the configuration parameter is still open (https://github.com/NLnetLabs/unbound/pull/461), the Unbound developers haven't rejected it upstream. Getting more people who are affected to request that may help, but since it seems to vary by CDN region, it may be difficult to find a lot of people affected the same way, especially with the new higher limit in Unbound. For starters, convince the original PR author to update their patch as it has conflicts and doesn't apply cleanly.
It is not universally broken for everyone in the problem scenario, it's only affecting a subset of users of certain CDN services. It's not correct to say "pfSense users that use Microsoft Office365 cannot continuously use Unbound for name resolution", as there are plenty of people doing so successfully. Perhaps not in the same region as you, however.
There is already an alternate DNS services available on pfSense, the DNS Forwarder. There is also the BIND package which can also be setup in various roles.
- Is duplicate of Bug #11595: Unbound responds with SERVFAIL when resolving DNS record through more than 8 CNAMEs due to hardcoded limit added
Also available in: Atom
PDF
Updated by